Provisions on Regulating and Promoting Cross-border Data Flow were officially promulgated, and the exemption scope extended once again

27.03.2024

Despite all the rumors, the provisions for relaxed cross-border data transfer have finally been issued. The Provisions on Regulating and Promoting Cross-border Data Flow (“Provisions”) were promulgated by the Cyberspace Administration of China (“CAC”) on March 22, 2024 and became effective on the same date, six months after the publication of the draft, the Notice of the Cyberspace Administration of China on Seeking Public Comments on the Provisions on Regulating and Promoting Cross-border Data Flow (“Draft”).

 

The Provisions not only adopt the content of the Draft that is friendly to international SMEs; they also extend the exemption scope, making it more favorable than in the Draft.

 

We summarize the takeaways of the Provisions as follows.

 

1.    Framework of cross-border data transfer

 

In terms of transferring data abroad, there are three situations based on the Provisions:

 

  • Transfer personal data abroad (see point No. 2)
  • Transfer important data abroad (see point No. 3)
  • Transfer other data abroad (see point No. 4)

Also see the illustration in the attachment.

 

2. Transfer of personal information abroad

 

According to the Provisions, the transfer of personal information by companies can be divided into the following scenarios:

 

  • Companies transfer general personal information abroad (see point No. 2.1)
  • Companies transfer sensitive personal information abroad (see point No. 2.2)
  • A Critical Information Infrastructure Operator (“CIIO”) transfers personal information abroad (see point No. 2.3)
  • Special exemption situations for transferring personal data abroad (see point No. 2.4) 

Also see the illustration in the attachment.

 

2.1  Transfer of general personal information abroad

 

In case of transferring general personal data abroad, pursuant to Art. 5, 7 and 8 of the Provisions, the thresholds for each mechanism are as follows:

 

  • Companies do not need to apply for security assessment, conclude a standard contract (“SCC”), or obtain the certification for personal information protection (“Certification”) if they provide the personal information of less than 100,000 individuals abroad within the year starting from January 1 of the current year. The threshold has been raised compared to the Draft, in which the number was 10,000.
  • Companies need to sign the SCC or obtain the Certification if they provide the personal data of more than 100,000 and less than 1 million individuals within the year starting from January 1 of the current year.
  • Companies need to pass the security assessment conducted by the CAC if they provide more than 1 million individuals’ personal data abroad within the year starting from January 1 of the current year.

 

2.2    Transfer of sensitive personal information abroad

 

Compared to the transfer of general personal data, the threshold for transferring sensitive personal information is stricter in accordance with Art. 7 and 8 of the Provisions:

 

  • There is no threshold exemption in case of transferring sensitive personal data abroad. However, the special situations defined in Art. 3, 4, 5 and 6 of the Provisions should be exempted pursuant to Art. 7 and 8 of the Provisions, i.e., the special exemption situations mentioned under point No. 2.4.
  • Companies need to sign the SCC or obtain the Certification if they provide less than 10,000 individuals’ sensitive personal data abroad.
  • In the case of transferring more than 10,000 individuals’ sensitive personal data abroad, companies need to pass the security assessment conducted by the CAC.

 

 

2.3    CIIO transferring personal data abroad

 

According to Art. 7 of the Provisions, a CIIO shall pass the security assessment in any case if it provides any personal data abroad.

2.4    Special exemption situations for transferring personal data abroad

 

As mentioned in our last newsletter dated October 16, 2023, in addition to the threshold exemption mentioned above, there are other special exempted situations in Art. 4, 5 and 6 of the Provisions, such as employee data being transferred for human resource management, personal data being provided abroad to conclude or perform a contract with an individual (such as cross-border shopping, cross-border remittance, air tickets and hotel booking), or to protect the life, health, and property safety of natural persons in an emergency. For details, please refer to the link https://www.wzr-china.com/en/node/342. There are no major changes in the Provisions compared to the Draft.

 

3.    Important data

 

In accordance with Art. 2 and 7 of the Provisions, the rules for important data are as follows:

 

  • In case important data is transferred abroad, all companies shall pass the security assessment conducted by the CAC.
  • Companies do not need to apply for security assessment unless they have been informed by relevant departments or regions, or it has been declared by them, that the data they are processing is important data.

 

4.    Other data

 

According to Art. 3 of the Provisions, where data collected and generated in activities such as international trade, cross-border transport, academic cooperation, transnational manufacturing, and marketing are provided overseas and do not contain personal information or important data, companies likewise do not need to apply for security assessment, conclude an SCC or obtain the Certification.

 

5.    Additional remarks

 

Despite the exemptions mentioned above, companies with cross-border transfer of personal data must still fulfill certain obligations under Art. 10 and 11 of the Provisions, for example, obtaining separate consent, making notifications, preparing the personal information protection assessment report (the PIA report), taking protection measures to protect data security, etc.

 

Nevertheless, we must say that the new Provisions are a big breakthrough that reflects the Chinese government's efforts to boost the confidence of foreign investors and greatly relieves the burden on international companies, especially SMEs in China, regarding cross-border transfer of data.

 

We will always keep you updated on legislative developments in China. Please do not hesitate to contact us if you are interested in any of these topics; we would be excited to discuss them with you!

 

Beijing, March 27, 2024

 

 

 

Attachment

 

Illustration 1:

   

 

Illustration 2: