On March 22, 2024, the Cyberspace Administration of China (“CAC”) issued its long-awaited final rule on facilitating and regulating cross-border data flows (“Regulations regarding cross-border data distribution”). The CAC has also published a Q&A on the new regulations that addresses and clarifies specific questions.
The Regulations on Cross-Border Data Flows build on the Draft Regulations on the Regulation and Facilitation of Cross-Border Data Flows (Draft for Comments) published by the CAC on September 28, 2023 (“September 2023 Draft”). With the aim of reducing compliance burdens and facilitating cross-border data flows, the Regulations on Cross-Border Data Flows introduce significant changes, including exemptions and increased thresholds, to the current rules under which outbound cross-border data transfers require the submission of a standard contract (“Standard contract”), an application for privacy certification or a mandatory data security assessment.
This client alert describes the key changes introduced by the Cross-Border Data Flows Regulation and the potential impact on companies’ cross-border data transfer and compliance practices.
Key changes introduced by regulations on cross-border data flows
The Cross-Border Data Flow Regulations introduce the following important changes to ease compliance requirements for outbound cross-border data transfers:
Exempting outbound transfers for certain types of data
According to the Regulations on Cross-Border Data Flows, outbound transfers of data in six situations do not require a standard contract, privacy certificate or data security assessment:
- Fewer than 100,000 individuals: Transfers by data processors other than critical information infrastructure operators (“CIIO”) of the personal information of fewer than 100,000 individuals are exempted.1 Compared to the September 2023 draft, the threshold for triggering standard contracts/privacy certifications has been increased from exporting the personal information of 10,000 people to the personal information of 100,000 people.
- Necessary for contracts: Transfers of personal information of individuals that are necessary for entering into and fulfilling contracts, such as cross-border shopping, cross-border mailing and delivery, cross-border remittances, cross-border payments, cross-border account opening, flight and hotel reservations, visa processing, and testing services, are exempted.2
- Necessary for personnel management: Outbound transfers of employees’ personal information that are necessary for implementing cross-border personnel management in accordance with labor rules and regulations developed in accordance with the law and with concluded labor contracts are exempted.3 It is important to note that the scope of personal information falling under this category must comply with the “minimum necessary” principle required by the Personal Information Protection Law of the People’s Republic of China.
- Emergency: Outbound transfers of personal information that are necessary to protect the life, health or property of natural persons in emergency situations are exempted.4
- Data that does not include personal information or important data: Outbound transfers of data collected and generated during international trade, cross-border transportation, academic cooperation, cross-border production and manufacturing, and marketing activities are exempted where the data does not include personal information or important data.5
- Personal information collected and generated outside China: Personal information that is collected and generated abroad by data processors, sent into China for processing and then transferred abroad is exempted, provided that the processing does not involve the introduction of domestic personal information or sensitive data.6
Exemptions based on the “negative list” established by the Pilot Free Trade Zone
Under the Regulations on Cross-Border Data Flows, pilot free trade zones may establish a list of data for which a data security assessment, standard contract or privacy certificate is required (“Negative list”). Outbound transfers of data not included in the negative list are exempt from these requirements.7
No significant relaxations to cross-border transfers of sensitive personal information
Notably, regulatory requirements regarding cross-border transfers of sensitive personal information have not been significantly relaxed. For data processors other than CIIO, a standard contract or privacy certificate is required for the transfer of sensitive personal information, unless the transfer falls within one of the enumerated exceptions above. A data security assessment is required if a data processor other than a CIIO transfers the sensitive personal information of 10,000 or more individuals outside China, or if a CIIO transfers any personal information (including sensitive personal information) outside China.
Overall, the thresholds and conditions for standard contract submission, privacy certification, and data security assessment are summarized in the following table.
Entity type | Data security assessment | Standard contract or privacy certificate |
--- | --- | --- |
CIIO | | not applicable |
Non-CIIO | | |

*Calculation period starts from January 1 of this year, based on the number of individuals involved after deduplication.
*The calculation must exclude data exempted under Articles 3, 4, 5 and 6 of the Regulation on Cross-Border Data Flows.11
The new regulations also extend the validity period of data security assessments from two years to three years from the date of publication of the assessment results. Data processors can apply for an extension of the assessment results for a further three years.12
The Regulations on Cross-Border Data Flows make clear that, in cases of inconsistency with the Measures on Security Assessment of Outbound Data Transfers (7 July 2022), the Standard Contractual Measures on Outbound Transfers of Personal Information (22 February 2023) or other relevant provisions, these new regulations apply.13 The CAC’s Q&A on Cross-Border Data Flow Regulations makes clear that data processors who have already applied for a data security assessment or submitted a standard contract, but are not required to undergo these processes pursuant to these new regulations, can either proceed with the process or withdraw their applications and filings with the CAC at the state level.14
The regulations on cross-border data flows are aimed at reducing the burden of compliance requirements for cross-border data transfers and are considered part of China’s efforts to stimulate economic growth and attract foreign investment. Based on these new regulations, it is expected that significantly fewer businesses will need to go through standard contract submissions, privacy certifications or data security assessments. However, with fewer resources required to process cross-border data transfer applications and approvals, regulators may be able to devote more resources to enforcing regulations. Therefore, to comply with these new regulations, it is important for data processors to conduct data mapping and implement data tracking mechanisms to effectively monitor and assess the amount of personal information and sensitive data (if any) transferred outside China.
1 Regulation on Cross-Border Data Flows, Article 5(4).
2 Regulation on Cross-Border Data Flows, Article 5(1).
3 Regulation on Cross-Border Data Flows, Article 5(2).
4 Regulation on Cross-Border Data Flows, Article 5(3).
5 Regulation on Cross-Border Data Flows, Article 3.
6 Regulation on Cross-Border Data Flows, Article 4.
7 Regulation on Cross-Border Data Flows, Article 6.
8 Regulation on Cross-Border Data Flows, Article 7(1).
9 Regulation on Cross-Border Data Flows, Article 7(2).
10 Regulation on Cross-Border Data Flows, Article 8.
11 CAC Q&A on Cross-Border Data Flow Regulations, Response to Question 11.
12 Regulation on Cross-Border Data Flows, Article 9.
13 Regulation on Cross-Border Data Flows, Article 13.
14 CAC Q&A on Cross-Border Data Flow Regulations, Response to Question 14.
© 2024 White & Case LLP