Practical Insights From China On The Newly Issued Provisions On Cross-Border Data Transfer

Seyfarth Shaw LLP


With more than 900 lawyers across 18 offices, Seyfarth Shaw LLP provides advisory, litigation, and transactional legal services to clients worldwide. Our high-caliber legal representation and advanced delivery capabilities allow us to take on our clients’ unique challenges and opportunities-no matter the scale or complexity. Whether navigating complex litigation, negotiating transformational deals, or advising on cross-border projects, our attorneys achieve exceptional legal outcomes. Our drive for excellence leads us to seek out better ways to work with our clients and each other. We have been first-to-market on many legal service delivery innovations-and we continue to break new ground with our clients every day. This long history of excellence and innovation has created a culture with a sense of purpose and belonging for all. In turn, our culture drives our commitment to the growth of our clients, the diversity of our people, and the resilience of our workforce.
On March 22, 2024, following nearly six months after the publication of the Provisions on Promoting and Regulating Cross-border Data Flows (Draft for Solicitation of Comments)...
China Law Department Performance
To print this article, all you need is to be registered or login on

On March 22, 2024, following nearly six months after the publication of the Provisions on Promoting and Regulating Cross-border Data Flows (Draft for Solicitation of Comments), the Cyberspace Administration of China ("CAC") officially released the Provisions on Promoting and Regulating Cross-border Data Flows ("the Provisions"), which came into immediate effect. In accordance with the Provisions, CAC has also issued the "Guidelines for Data Export Security Assessment Declaration (Second Edition)" and the "Guidelines for Filing Standard Contracts for Personal Information Export (Second Edition)."

In looking to establish more clarity and certainty, the Provisions substantially alleviate the compliance obligations for enterprises regarding cross-border data transfers. This is done by introducing exemptions for cross-border compliance obligations and refining the conditions triggering the more onerous obligations of security assessments, standard contracts, and certifications which would be required absent the exemptions. This creates a more favorable business environment for enterprise development and a more relaxed regulatory environment for cross-border data flows.

The Exemptions for HR Data Transfer Scenarios

One of the exemptions in (Article 5(2)) can now be particularly applied to Chinese companies who export employees' information to parent companies overseas or a third-party platform for human resource management purposes. Note that the exemption only applies when it is genuinely necessary to transmit employees' personal information abroad for a cross-border human resources management purpose. The exemption will be operative when such transfers align with legally established employment regulations and collective contracts, noting that "personal information provided abroad" in this context excludes data categorized as "important data" (e.g., genetic health data, etc.).

How to Qualify for the HR Scenarios Exemption?

While this exemption relieves the data handler from certain compliance measures, such as formal security assessments, standard contracts for personal information export, or passing authentication for the protection of personal information, they do not release the company from all corporate liability in data transfer activities. To be successfully qualified for these exemptions under these newly released provisions, the company still needs to complete compliance measures before data exportation in order to demonstrate the legality, reasonableness, and necessity of outbound transfer of employees' personal information. For example, businesses should have their counsel undertake the following:

  1. Comprehensive Analysis of Outbound Scenarios: Assisting companies in conducting a thorough examination on various scenarios involving the processing, fields, and purposes of employees' personal information outbound activities. This comprehensive analysis ensures a thorough understanding of outbound activities related to employees' personal information, which can be subsequently reflected in the assessment report (as mentioned in point 5 below).
  2. Review of Existing Employment Contracts, Regulations, or Collective Agreements: Assessing the legality and effectiveness of existing labor contracts, regulations, or collective agreements to ensure these documents comply with legal requirements and support the legitimacy of outbound activities related to employees' personal information.
  3. Verification of Outbound Scenarios: Verifying whether all outbound scenarios and fields identified in the first phase can be fully covered by existing labor contracts, regulations, or collective agreements as the legal basis for processing. In case of any non-compliance, it is necessary to supplement/revise the corresponding documents (which we have indicated under point 4 below).
  4. Drafting/Revising "Employee Personal Information Handling Rules": Drafting or revising internal rules governing the handling of employee personal information, including all aspects related to personal information outbound activities. Ensuring that these rules fulfill the obligation to inform employees comprehensively.
  5. Personal Information Protection Impact Assessments: Conducting a "Personal Information Protection Impact Assessment" before initiating outbound activities involving employees' personal information and eventually forming a report summarizing the assessment findings (including those as set out in points 1, 2, 3 and 4 above) and relevant rectification proposals to respective findings.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More