On March 22, 2024, the Cyberspace Administration of China ("CAC"), China's data protection regulator, released the finalized Provisions on Regulating and Promoting Cross-Border Data Flows ("Provisions"). To everyone's surprise, the long-awaited Provisions were actually approved by the CAC on November 28th, 2023. The Provisions take effect immediately upon issuance. Coincidentally, the China Development Forum will be held in Beijing on March 24 and 25, 2024 and will be attended by more than 800 CEOs of global industry giants.

Regulatory Mechanism

The Provisions do not change the existing regulatory mechanism for outbound data transfer. That is, data processors transferring data outbound should apply for the CAC's security assessment ("Security Assessment"), or file for record with the provincial office of the CAC the Chinese standard contractual clauses they sign with the foreign data recipients ("CN SCC Filing"), or obtain the personal information protection certification ("Certification"). Compared with the threshold that applied prior to the Provisions, the Provisions set it higher, which will reduce the administrative procedural burden on MNC data processors when transferring data and personal information outbound.

Along with the publication of the Provisions, the CAC simultaneously released updated guidelines for the Security Assessment and the CN SCC Filing pursuant to the Provisions and is offering some apparent convenience to help data processors navigate the regulatory mechanism. For example, the CAC is launching the online Data Outbound Transfer Reporting System at https://sjcj.cac.gov.cn. Data processors applying for the Security Assessment or the CN SCC Filing can now submit their applications online. Data processors applying for Certification can go to the Personal Information Protection Certification Administration System at https://data.isccc.gov.cn. However, the CAC will maintain the offline submission channels at its provincial offices for submissions by Critical Information Infrastructure Operators ("CIIOs") or by other applicants for whom online submission is not appropriate. It remains to be seen which applicants will fall into this category.

In addition, the CAC also announced the inquiry channels for the regulatory mechanism. At the central authority level, for the Security Assessment, the consultation hotline is (8610) 5562 7135 and the inquiry email address is sjcj@cac.gov.cn; for the CN SCC Filing, the consultation hotline is (8610) 5562 7565 and the inquiry email address is bzht@cac.gov.cn; for Certification, they are (8610) 8226 1100 and data@isccc.gov.cn. Provincial channels will remain in place. The same inquiry channels will also take whistleblower reports. Since the release of the draft of the Provisions, it has been difficult to get responses from the inquiry channels. It would be nice if they start providing responses again.

Clarifications and Exemptions

The Provisions clarify some key issues in the regulatory mechanism and define exemptions from it. These clarifications and exemptions resolve many complaints about uncertainties in the regulatory mechanism. Although the outcome of the Provisions remains to be seen, the government's intention to make outbound data transfer easier in the normal international business operations of MNCs is clear.

The exemptions in the Provisions include:

  • If there is no individual notice or public announcement by the competent regulatory authorities or local governments defining the data outbound transferred by a data processor as important data, the data processor should not be required to conduct the Security Assessment. However, this is subject to the data processor fulfilling its legal obligations to identify and report the important data it processes in accordance with the relevant rules, if any;
  • A data processor need not go through the regulatory mechanism for the data collected or generated from its business activities of international trade, international logistics, academic cooperation, transnational manufacturing, and marketing and promotion, if there is no personal information or important data in such data;
  • A data processor need not go through the regulatory mechanism when it "re-exports" personal information generated or collected outside China and imported into China for processing, as long as no personal information of data subjects in China and no important data are commingled into such imported data in the processing;
  • A data processor need not go through the regulatory mechanism if it is truly necessary to outbound transfer the personal information (a) of the individual parties to contracts for the purpose of entering into and performing those contracts (cited examples of such contracts include cross-border eCommerce, cross-border mail and courier delivery, cross-border payment wiring, cross-border account opening, air-ticket and hotel booking, visa processing, and test/examination services), or (b) of its employees for cross-border human resource management in accordance with the labor rules and policies formulated under Chinese law and the collective labor contracts concluded with the employees, or (c) to protect the life, health and property safety of individuals in emergencies; and
  • A data processor that is not a CIIO need not go through the regulatory mechanism if it outbound transfers personal information of less than 100,000 data subjects (after removing duplicates) in China from January 1st of the year, as long as such outbound transferred personal information contains no sensitive personal information and no important data.

Reduced Scope of the Regulatory Mechanism

The Provisions narrow the scenarios in which the Security Assessment is applicable. A data processor is only required to conduct the Security Assessment if (a) it is a CIIO and it outbound transfers personal information or important data; or (b) although it is not a CIIO, from January 1st of the year and after duplicates are removed, it outbound transfers (i) important data, or (ii) personal information (other than sensitive personal information) of more than one million data subjects in China, or (iii) sensitive personal information of more than 10,000 (inclusive) data subjects in China. The number of data subjects for such a purpose should be exclusive of the number of data subjects in the exempted scenarios.

A data processor should apply for the CN SCC Filing or obtain the Certification if, from January 1st of the year and after removing duplicates, it outbound transfers (a) personal information of more than 100,000 but less than 1,000,000 data subjects in China, or (b) sensitive personal information of no more than 10,000 data subjects in China. Similarly, the headcount for such a purpose should be exclusive of the headcount in the exempted scenarios.

Security Assessment Extension

According to the Provisions, the validity period, or Security Assessment cycle, has been extended from two years to three years. In addition, if a data processor's outbound data transfer has not substantially changed by the end of the three-year period, the CAC allows the data processor to apply, no later than 60 working days before the expiry of the current validity period, for an extension of the current Security Assessment approval for another three years. Such an arrangement simplifies the process and significantly reduces the burden on MNC data processors, at least on paper.

Pilot Free Trade Zones

The Pilot Free Trade Zones in China may, within the data protection framework of national classification and categorization, formulate their respective lists of data whose outbound transfer is subject to the regulatory mechanism (the "Negative List"). Such Negative Lists should be approved by the provincial office of the cybersecurity and informatization commission (which has the same effect as if the Negative List were approved by the provincial government) and filed with the CAC and the National Data Administration. Data not included in the Negative List of a Pilot Free Trade Zone can be outbound transferred by data processors in that Pilot Free Trade Zone without being subject to the regulatory mechanism.

Impacts on Data Processors Having Gone Through the Regulatory Mechanism

Given the relaxation of the regulatory mechanism, the CAC also provides guidance to those "model citizen" data processors that went through the regulatory mechanism prior to the Provisions:

  • Data processors that have passed the Security Assessment may continue the outbound transfer of the data according to the approval;
  • Data processors that have failed or partially failed the Security Assessment but are not subject to the Security Assessment under the Provisions may ignore the failure and, according to the Provisions, apply for the CN SCC Filing or obtain the Certification to outbound transfer the personal information;
  • Data processors that have applied for the Security Assessment or the CN SCC Filing but are not subject to those two regulatory mechanisms under the Provisions may continue with the process or withdraw their applications.

Unchanged Data Processor Obligations

Regardless of whether a data processor should go through the regulatory mechanism or not,

(1) When outbound transferring data, in order to ensure data security, it should always:

  1. comply with the provisions of the applicable laws and regulations;
  2. comply with its obligations to maintain data security;
  3. take technical and other necessary measures; and
  4. report any actual or potential data security incidents to the CAC at or above the provincial level and other regulatory authorities in a timely manner and take timely remedial measures.

(2) When outbound transferring personal information, it should always:

  1. duly inform the data subjects of the fact of outbound transfer;
  2. obtain their separate consents where consent is the lawful ground of such outbound transfer; and
  3. conduct the personal information protection impact assessment, if required by the law.

Potential Focus and Trend

The immediate reaction of all MNC data processors to the Provisions is that they need to revisit their prior efforts on compliance with China's data outbound transfer regulatory mechanism. MNC data processors that were lucky pioneers in compliance and have already passed the regulatory mechanism without any reservation by the CAC need to rethink their compliance strategies and efforts in practice according to the new thresholds under the Provisions. Those pioneers that failed or partially failed the regulatory mechanism need to immediately assess their failure and determine whether the failed outbound transfers qualify for a second chance under the Provisions. If so, they can follow the practice in the next sentence. Those that are preparing for compliance in accordance with the threshold prior to the Provisions need to immediately assess whether they need to change the submissions they are preparing to align with the Provisions and the new guidelines, or, luckily enough, whether they are exempt from the regulatory mechanism.

The Provisions require that all provincial offices of the CAC (a) strengthen their guidance and supervision on data outbound transfer, (b) improve and optimize the Security Assessment policy and process, and (c) strengthen supervision across all fields and the whole process. It is reasonable to expect that the CAC will make more efforts to enforce and punish violations after relaxing the administrative procedures. Whether related or not, the focus of the 3.15 event (i.e., the consumer protection event) has already shifted to personal information violations. Therefore, MNC data processors in China should take measures to comply with the relaxed procedures and improve their important data and privacy compliance in daily operations.

The Provisions send a clear message to the industrial regulatory authorities and local governments that they need to take the initiative to identify and determine the important data; otherwise, data processors have no obligation to treat the data they outbound transfer as important data if they do not receive notices or public announcements from the aforesaid authorities. The underlying message is that it is the responsibility and liability of the industrial regulatory authorities and local governments if important data that should have been subject to the regulatory mechanism is outbound transferred without going through the regulatory mechanism. Therefore, it is expected that the industrial regulatory authorities and the local governments may hastily release their respective important data determination policies and catalogues. The potential impact of such a rush to determine important data deserves further attention.

Given that each Pilot Free Trade Zone may have its own Negative List under the Provisions, an MNC data processor may wish to track the formulation of such Negative Lists for a smart and personalized forum-shopping strategy based on its overall data and personal information outbound transfer needs or the specific data and personal information outbound transfer needs of its business units or divisions.
