China Loosens Data Export Control by Providing Exemptions

On March 22, 2024, the Cyberspace Administration of China ("CAC”) formally issued “Provisions on Facilitating and Regulating Cross-border Data Flow” (“Data Cross-border Flow Provisions”) with immediate effectiveness, aiming to provide to data exports exemptions from security assessment, personal information protection certification, or standard contract filing and therefore, reducing processors’ burden of data protection compliance.

1. Previous Policies Being to Extremes

Based on Article 37 of the Cybersecurity Law, Article 31 of the Data Security Law, and Article 38 of the Personal Information Protection Law, the “Security Assessment Measures for Outbound Data Transfers (2022)”, the “Announcement on the Implementation of Certification for Personal Information Protection (2022)” and the “Measures on the Standard Contract for Outbound Transfer of Personal Information (2023)” provide detailed rules on security assessments, standard contract filing, and personal information protection certification for data/personal information exports. Among them, if a data/personal information processor provides data to overseas, which meets one of the following conditions, a security assessment shall be conducted: (1) if the data/personal information processor provides important data to overseas; (2) an operator of critical information infrastructure and the data processor processing personal information of more than one million individuals provide personal information to overseas; (3) if the data processor has provided to overseas personal information of 100,000 individuals or more or sensitive personal information of 10,000 individuals or more since January 1 of the previous year. “Important data” refers to data that, if tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, public health, o safety, etc. A personal information processor that meets all the following conditions may provide personal information to overseas through executing standard contracts: (1) it is not a critical information infrastructure operator; (2) it has processed  personal information of less than one million individuals; (3) it has provided to overseas personal information of less than 100,000 individuals since January 1 of the previous year; (4) it has provided to overseas sensitive personal information of less than 10,000 individuals since January 1 of the previous year.

The above provisions broadly cover almost all the cross-border data/personal information transfer activities in daily businesses of enterprises, especially multinational enterprises and those engaged in transnational business, setting forth stringent compliance requirements. In practice, multinational enterprises generally transfer personal information to overseas headquarters for purposes such as employee/candidate management and equity incentives. Various enterprises operating in international markets regularly transfer a large volume of data and information overseas for business, management, marketing, etc. Cross-border e-commerce marketplaces and agent platforms targeting individuals unavoidably transfer personal information overseas for purposes such as cross-border shopping, travel reservations, etc. All these data/personal information transfers are subject to the requirements of security assessments, personal information protection certification, or standard contract filing. The CAC also requires local enterprises to carry out compliance work based on their actual situation. Although most enterprises are still taking a wait-and-see attitude, a considerable number of enterprises have proactively started security assessment/standard contract filing work, leading to a sharp increase in the workload of local CAC offices. However, due to the high requirements of the CAC for security assessments/standard contract filing, the state-level CAC being updating the detailed requirements for application documents, many applications from enterprises are continuously being returned for modification. Enterprises have no choice but to vainly modify and update their application documents according to the requirements, leading to a huge workload and cost. Compared to the number of enterprises that have submitted applications, only a few have ultimately received approvals.

2. A Great Step Forward to Reduce Compliance Burden

After collecting feedback and opinions regarding security assessments, personal information protection certification, and standard contract filing, and especially those considerable concerns voiced in the Ministry of Commerce’s Foreign Enterprise Roundtable Conference, the CAC has issued the Data Cross-border Flow Provisions. The Data Cross-border Flow Provisions will take precedence over the “Security Assessment Measures for Outbound Data Transfers (2022)” and the “Measures on the Standard Contract for Outbound Transfer of Personal Information (2023)” and other regulations. The Data Cross-border Flow Provisions explicitly state that even if certain data/personal information export activities meet the triggering conditions of security assessments or standard contract filing in the “Security Assessment Measures for Outbound Data Transfers (2022)” or the “Measures on the Standard Contract for Outbound Transfer of Personal Information (2023)” (as applicable), they will not be required to do a security assessment or standard contract filing (or personal information protection certification) under circumstances as set out in the Data Cross-border Flow Provisions.

Specifically:

(1) where the data is not informed or publicly announced as important data by relevant departments or local authorities, processors are exempted to apply for a security assessment for such data before the export;

(2) A processor is exempted from security assessment, personal information protection certification, or standard contract filing under any of the following circumstances:

• where it exports data (excluding personal information and important data) collected and generated in the activities such as international trading, cross-border transportation, academic cooperation, transnational production and marketing;

• where it transmits data collected and generated overseas to China for processing and exports such data processed without involving any domestic personal information or important data;

• where it is necessary to provide personal information to overseas entities in order to enter into or perform contracts where individuals are one of the parties, such as cross-border shopping, cross-border mailings and deliveries cross-border remittances, cross-border account openings, flight and hotel reservations, visa applications, and examination services;

• where it is necessary to provide personal information of employees to overseas entities when implementing cross-border human resources management in accordance with labor regulations and collective contracts signed in accordance with the law;

• where personal information must be provided to overseas entities in order to protect the life, health, and property safety of individuals in emergency situations; and

• where it (non-critical information infrastructure operator) has accumulatively provided personal information (excluding any sensitive personal information) to overseas entities of less than 100,000 individuals since January 1 of the current year;

However, if any personal information above falls into the category of important data, export of such personal information will still require security assessment for exporting important data.

The above exemptions will carve out the majority of daily, simple, and repetitive scenarios of data/personal information export by enterprises, including daily employee management and cross-border trade/services provided to individuals, from data/personal information outbound transfer security assessments, personal information protection certifications, or standard contract filings, prompting CAC to focus regulatory efforts on enterprises that export more critical and larger volumes of data/personal information. It would undoubtedly bring down compliance costs and burdens for enterprises, as well as greatly reduce the regulatory pressure and workload on the CAC. However, it is worth noting that some scenarios of personal information export may not be within the scope of exemptions, such as personal information export by overseas universities and intermediary agencies for enrolling students in China, and personal information cross-border transmission related to CRO organizations’ clinical trial data.

In order to further narrow the scope of supervision and consider the possibility of further loosening supervision, the Data Cross-border Flow Provisions authorizes pilot free trade zones to develop their own lists of data (those that are required to undergo security assessments, standard contract filings, or personal information protection certifications) (“negative lists”). Exporting data/personal information outside the negative lists would not require security assessment, personal information protection certification, or standard contract filing. It can be seen that the CAC hopes to explore an efficient and convenient path for regulating data/personal information export by relying on the advantages of the pilot free trade zones under the elaborate regulatory system.

Recently Lingang New Area of the China (Shanghai) Pilot Free Trade Zone promulgated the Administrative Measures for Classification and Grading of Cross-border Data Flows in Lingang New Area of the China (Shanghai) Pilot Free Trade Zone (for Trial Implementation). The Administrative Measures provide that cross-border data is graded into three levels in descending order: core data, important data and general data and core data is prohibited from being exported, important data shall be subject to a catalogue of important data, and general data shall be subject to a general data list. The Administrative Committee will formulate the first batch of catalogues and lists, focusing on the development of automobile, finance, shipping, biomedicine and other key areas as well as the development requirements of relevant industries in the Lingang New Area, and taking typical scenarios with the most urgent cross-border needs as cut-in points.

3. Maintaining Balanced Compliance

In accordance with the Data Cross-border Flow Provisions, those exports of data/personal information that are not eligible for exemptions should meet the compliance requirements as below:

4. Validity Term of Security Assessment Extended

Originally security assessment result would be valid for a term of two years after the date of issuance. Now the Data Cross-border Flow Provisions extends the term to three years, which will undoubtedly further reduce processors’ compliance burden.

It should be noted that even if a security assessment, personal information protection certification, or standard contract filing is not required, if personal information is provided overseas based on the individual’s consent, it is still necessary to obtain the consent of the personal information subject in accordance with the Personal Information Protection Law and relevant laws and regulations.

In addition, data/personal information processors should still pay attention to and comply with other compliance requirements such as personal information protection audits.