The Draft of the “Regulations on Regulating and Promoting Cross-border Data Flows”, issued by the Cyberspace Administration of China (the “CAC”) on September 28, 2023, appears aimed at updating the existing data export rules and facilitating data circulation in China.
The Draft proposes to simplify the procedures for data exporters who do not handle large amounts of data or sensitive information. They will no longer need to undergo a data export security assessment, sign a standard contract for personal information (the “PI”) export, or obtain a personal information protection certification.
To sum up, these are the key points to note:
- Legal Obligations May NOT Apply In Some Business Situations
The draft rules specify that data exporters do not need to conduct a security assessment or sign a standard contract in certain specific or necessary cases, such as:
1) Data generated in activities like international trade, academic cooperation, cross-border manufacturing, and marketing;
2) Where required for the conclusion and execution of cross-border contracts, such as shopping, remittances, air ticket and hotel bookings, and visa processing;
3) Managing human resources according to the labor rules and collective contracts;
4) To protect the life, health and property safety of natural persons in emergencies;
5) Personal information not collected within the country that is provided overseas.
- Adjustment of Threshold for Cybersecurity Declaration
The data exporter may enjoy different levels of exemption from the compliance obligations under Article 38 of the PIPL, depending on the number of people whose PI is exported overseas within one year.
If the number is less than 10k, the data exporter is fully exempted. If the number is between 10k and 1 million, the data exporter does not need to undergo a security assessment, but only needs to sign a standard contract and file it with the provincial cyberspace department, or obtain a personal information protection certification.
The new requirement changes the way PI is classified and handled. Instead of having different categories for general PI and sensitive PI, the new requirement applies the same standards to all PI. The security assessment and standard contract thresholds are 10k and 1 million respectively. The data volume calculation method will also change from the total number to the projected number for the next year.
- Clearer Definition of Important Data
The concept of important data is not easy to define precisely in the context of compliance. This draft for comments specifies that “data processors are not required to conduct data export security assessment for important data unless they have been notified by relevant departments or regions or publicly released as important data.” This implies that any data that has not been officially identified by the regulators should not be viewed as important data.
Along with some repeated regulations, we may relax our excessive worries about “important data” and concentrate on its application to “state organs”, “critical information infrastructure operators”, “party, government, military and confidential units”, etc.
- Data Whitelist
The central government’s policy to further optimize the foreign investment environment has proposed exploring the formation of a general data list that can flow freely.
This new regulation emphasizes “the free trade pilot zone can formulate a list of data that needs to be included in the scope of data export compliance management in the free trade zone, and submit it to the competent authorities for approval and filing”, which may mean that more policy easing will happen in the free trade pilot zones.
This new draft is also a relief for Chinese companies, especially those that operate across borders, as it eases the data export process. It also seems to encourage cross-border data flows, lowers corporate compliance costs, and supports and safeguards international trade. It is crucial for building corporate confidence in this area.
The central government’s data whitelist pilot for the free trade pilot zone is another noteworthy initiative that will enhance the digital economy and facilitate data and business collaboration across regions. We may anticipate more flexible and customized data lists that cater to the diverse economic development needs of different regions in the future.
In light of the new regulations, we put forward the following suggestions to handle your data export out of China:
- In light of the requirements of new regulations, conduct a DPIA of data export;
- Sort out the business scenarios and focus on finding out whether data is exported under the following circumstances in the business: international trade, academic cooperation, multinational manufacturing, marketing, contract performance, and human resources management;
- Forecast the data volume statistics, namely the total volume of personal information to be provided overseas in the next year;
- Update compliance toolkits: where a security assessment no longer needs to be declared, withdraw the assessment in a timely manner, or instead sign a standard contract for the export of personal information and file it with the provincial cybersecurity and informatization department;
- Keep an eye on the latest legislative changes, especially any adjustments to the consultation draft, as well as the data list released by the free trade zone in the future.