China: China's CAC Changes Course On Cross-Border Transfers With Draft Regulations

On September 28, 2023, the Cyberspace Administration of China (CAC) published Regulations to Standardize and Promote Cross-Border Data Flows (Draft for Comments) (the Draft Regulations). In current form, the Draft Regulations appear to clarify and walk back the requirements from prior regulations, including the Data Transfer Security Assessment Measures (Security Assessment Measures) and the Standard Contract Measures for the Transfer of Personal Information (the SCC Measures). Companies that have started the Security Assessment, Standard Contract, or personal information protection certification processes may need to reassess the necessity based on the Draft Regulations and their data-collection and ‑transfer practices.

For background, the Personal Information Protection Law provides for several restrictions on the cross-border transfer of personal information, and the Security Assessment Measures and SCC Measures provided further guidance but were somewhat overinclusive. The Draft Regulations clarify the scope of the Security Assessment Measures and the SCC Measures by enumerating a number of exclusions from the necessity of a Security Assessment or Standard Contract. For example, under the Draft Regulations there would be no need for a Security Assessment, Standard Contract, or personal information protection certification for the cross-border transfer of data in certain circumstances, including where:

• data is generated in activities such as international trade, academic cooperation, transactional manufacturing, and marketing if such data does not contain personal information or important data;
• personal information not collected within China is provided overseas;
• it is necessary to provide personal information overseas for entering into or the performance of a contract, such as cross-border shopping, cross-border remittances, travel arrangements, etc.;
• personal information must be provided overseas for human resources management in accordance with labor rules and regulations and the labor contract; or
• personal information must be provided overseas to protect the life, health, or safety of individuals in an emergency.

Furthermore, other exclusions are also provided for in the Draft Regulations. Of particular interest, the Draft Regulations seek to clarify questions regarding measures that need to be taken based on the volume of personal information transferred. As written, where the personal information of fewer than 10,000 data subjects is transferred in a year, there would be no need for a Security Assessment, Standard Contract, or personal information protection certification. However, if the basis of the transfer would be consent, then such consent must be obtained.

In current form, the Draft Regulations would limit the administrative burden that the CAC was potentially facing under the Security Assessment Measures and SCC Measures, particularly where the SCC Measures included a pseudo-approval process for the Standard Contracts. The Draft Regulations help to clarify where companies need to take measures and should limit the number of Standard Contracts that will need to be recorded with the CAC.

The CAC will accept comments until October 15, 2023, on the Draft Regulations. Given that Standard Contracts should be implemented at the end of November under the SCC Measures, we expect that the Draft Regulations will be finalized quickly. Companies considering a Security Assessment, Standard Contract, or personal information protection certification may want to conduct an analysis to determine whether those actions will remain necessary.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.