
China to Loosen Data Outbound Transfer Control

2023-10-01



On September 28, 2023, the Cyberspace Administration of China (“CAC”) released a draft of the “Provisions on Regulating and Facilitating Cross-border Data Flow (Draft for Comments)” (“Data Cross-border Flow Provisions”) to further clarify the mandatory compliance requirements for data export activities.



1. Current Policies Go to Extremes


Based on Article 37 of the Cybersecurity Law, Article 31 of the Data Security Law, and Article 38 of the Personal Information Protection Law, the “Security Assessment Measures for Outbound Data Transfers (2022)”, the “Announcement on the Implementation of Certification for Personal Information Protection (2022)” and the “Measures on the Standard Contract for Outbound Transfer of Personal Information (2023)” provide detailed rules on security assessments, standard contract filing, and personal information protection certification for data/personal information exports. Among them, a security assessment shall be conducted if a data/personal information processor provides data overseas and meets one of the following conditions: (1) the data/personal information processor provides important data overseas; (2) operators of critical information infrastructure and data processors processing personal information of more than one million individuals provide personal information overseas; (3) the data processor has provided overseas the personal information of 100,000 individuals or more, or the sensitive personal information of 10,000 individuals or more, since January 1 of the previous year. “Important data” refers to data that, if tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, public health, and safety, etc. A personal information processor that meets all the following conditions shall provide personal information overseas through the execution of standard contracts: (1) it is not a critical information infrastructure operator; (2) it has processed personal information of less than one million individuals; (3) it has provided overseas personal information of less than 100,000 individuals since January 1 of the previous year; (4) it has provided overseas sensitive personal information of less than 10,000 individuals since January 1 of the previous year.


The above provisions broadly cover almost all the cross-border data/personal information transfer activities in the daily business of enterprises, especially multinational enterprises and those engaged in transnational business, and set forth stringent compliance requirements. In practice, multinational enterprises generally transfer personal information to overseas headquarters for purposes such as employee/candidate management and equity incentives. Various enterprises operating in international markets regularly transfer a large volume of data and information overseas for business, management, marketing, etc. Cross-border e-commerce marketplaces and agent platforms targeting individuals unavoidably transfer personal information overseas for purposes such as cross-border shopping, travel reservations, etc. All these data/personal information transfers are subject to the requirements of security assessments, personal information protection certification, or standard contract filing. The CAC also requires local enterprises to carry out compliance work based on their actual situation. Although most enterprises are still taking a wait-and-see attitude, a considerable number of enterprises have proactively started security assessment/standard contract filing work, leading to a sharp increase in the workload of local CAC offices. However, because the CAC sets high requirements for security assessments/standard contract filing and the state-level CAC keeps updating the detailed requirements for application documents, many applications from enterprises are continuously being returned for modification. Enterprises have no choice but to modify and update their application documents in vain according to the requirements, leading to a huge workload and cost. Compared to the number of enterprises that have submitted applications, only a few have ultimately received approvals.



2. A Favorable Turn Emerges


After collecting and hearing feedback and opinions regarding security assessments, personal information protection certification, and standard contract filing, and especially the considerable concerns voiced at the Ministry of Commerce’s Foreign Enterprise Roundtable Conference, the CAC has issued the “Data Cross-border Flow Provisions”. If the “Data Cross-border Flow Provisions” are officially implemented, they will take precedence over the “Security Assessment Measures for Outbound Data Transfers (2022)”, the “Measures on the Standard Contract for Outbound Transfer of Personal Information (2023)” and other regulations. The “Data Cross-border Flow Provisions” explicitly state that even if certain data/personal information export activities meet the triggering conditions for security assessments or standard contract filing in the “Security Assessment Measures for Outbound Data Transfers (2022)” or the “Measures on the Standard Contract for Outbound Transfer of Personal Information (2023)” (as applicable), they will not require a security assessment or standard contract filing (or personal information protection certification) under the circumstances first set out in the “Data Cross-border Flow Provisions”.


The circumstances that do not require security assessments, personal information protection certification, or standard contract filing are, specifically:


(1) when the data has not been notified or publicly announced as important data by relevant departments or local authorities, processors are exempted from applying for a security assessment for such data before the transfer;


(2) when it is necessary to provide personal information to overseas entities in order to enter into or perform contracts where individuals are one of the parties, such as cross-border shopping, cross-border remittances, flight and hotel reservations, visa applications, etc., processors are exempted from a security assessment, personal information protection certification, or standard contract filing;


(3) when implementing human resources management in accordance with labor regulations and collective contracts signed in accordance with the law and it is necessary to provide personal information of employees to overseas entities, a security assessment, personal information protection certification, or standard contract filing is not required;


(4) when personal information must be provided to overseas entities in order to protect the life, health, and property safety of individuals in emergency situations;


(5) when the processor expects to provide overseas entities with personal information of less than 10,000 individuals within a year, a security assessment, personal information protection certification, or standard contract filing is not required;


(6) when the processor expects to provide overseas entities with personal information of more than 10,000 but less than 1 million individuals within a year, and a personal information outbound transfer standard contract has been signed with the overseas recipient and filed with the provincial-level Cyberspace Administration, or personal information protection certification has been obtained, a data security assessment may be exempted.


The above exemptions will carve out the majority of daily, simple, and repetitive scenarios of data/personal information outbound transfer by enterprises, including daily employee management and cross-border trade/services provided to individuals, from data/personal information outbound transfer security assessments, personal information protection certifications, or standard contract filings, prompting the CAC to focus its regulatory efforts on enterprises that process more critical and larger volumes of data/personal information for outbound transfer. This would undoubtedly bring down compliance costs and burdens for enterprises, and greatly reduce the regulatory pressure and workload on the CAC. However, it is worth noting that some scenarios of personal information outbound transfer may not be within the scope of the exemptions, such as cross-border transmission of personal information generated by overseas universities and intermediary agencies enrolling students in China, and cross-border transmission of personal information related to CRO organizations’ clinical trial data.


In order to further narrow the scope of supervision and consider the possibility of further loosening supervision, the “Data Cross-border Flow Provisions” would authorize pilot free trade zones to develop their own lists of data that are required to undergo data outbound security assessments, personal information outbound transfer standard contracts, or personal information protection certifications (“negative lists”). Data/personal information outbound transfer outside the negative list would not require a security assessment, personal information protection certification, or standard contract filing. It can be seen that the CAC hopes to explore an efficient and convenient path for regulating data/personal information outbound transfer by relying on the advantages of the pilot free trade zones under the elaborate regulatory system. However, achieving an efficient and convenient regulatory system will take a long time and will require continuous exploration, adjustment, and improvement.



3. Maintaining Balanced Compliance


If the “Data Cross-border Flow Provisions” come into effect:


Circumstances that require data/personal information outbound transfer security assessments will include:


(1) data/personal information processors providing important data (as notified or publicly announced by relevant departments or local authorities) overseas;


(2) providing personal information of more than one million individuals overseas in the next year (excluding circumstances of personal information export exempted under the “Data Cross-border Flow Provisions”);


(3) providing personal information of more than 10,000 but less than one million individuals overseas in the next year (excluding circumstances of personal information export exempted under the “Data Cross-border Flow Provisions”), without signing a personal information outbound transfer standard contract with the overseas recipient and filing it with the CAC, and without obtaining personal information protection certification.


Circumstances where standard contract filings should be made include:


providing personal information of more than 10,000 but less than one million individuals overseas in the next year (excluding circumstances of personal information export exempted under the “Data Cross-border Flow Provisions”).


It remains to be seen how the “Data Cross-border Flow Provisions” will be compatible with the “Security Assessment Measures for Outbound Data Transfers (2022)” and the “Measures on the Standard Contract for Outbound Transfer of Personal Information (2023)”.


It should be noted that even if a data/personal information outbound transfer security assessment, personal information protection certification, or standard contract filing is not required, if personal information is provided overseas based on the individual’s consent, it is still necessary to obtain the consent of the personal information subject in accordance with the Personal Information Protection Law and relevant laws and regulations.


In addition, data/personal information processors should still pay attention to and comply with other compliance requirements such as personal information protection audits.
