Cybersecurity Administration of China Issued Data Flow Regulation
On March 22, 2024, the Cybersecurity Administration of China (CAC) issued the long-awaited new Regulations on Promoting and Regulating Cross-Border Data Flows (the New Regulations) for compliance with China’s Personal Information Protection Law (PIPL), the Data Security Law (DSL) and their implementing regulations. The New Regulations take effect immediately and are modeled on the draft Regulations issued by the CAC on September 28, 2023 (the Draft Regulations).
In addition, the CAC also issued the Guide to the Application for Security Assessment of Outbound Data Transfers (Second Edition) and the Guide to the Filing of Standard Contract for Outbound Transfer of Personal Information (Second Edition) (collectively, the Guidelines). The Guidelines provide detailed procedures for data handlers, who can also now use the Outbound Data Transfers Application System for outbound personal information transfers. However, the New Regulations take precedence over any provisions that may conflict with PIPL and the Guidelines.
The New Regulations and Guidelines ease numerous compliance requirements and promote cross-border data transfers for data handlers. Notably, there are generally no provisions easing the transfer of sensitive personal information under the New Regulations. In addition, data handlers should be mindful that, given the lack of clarity around the definition of “important data,” the New Regulations permit data handlers to treat their data as nonimportant unless it has been expressly identified as important data, they have been notified by regulators that it is important data, or the data in question has been determined to be important data in a public announcement by the authorities. We expect sectoral and local regulators to provide additional guidance regarding the classification of important data. Furthermore, the New Regulations still require that any cross-border transfer of personal information outside of China comply with the PIPL requirements related to notice, separate consent, and personal information protection impact assessment.
Some of the key changes provided by the New Regulations are outlined below.
Exemptions
The New Regulations now exempt data handlers from filing a Standard Contract (Standard Contract Filing), obtaining Personal Information Protection Certification (Certification), or applying for a security assessment (a Security Assessment) if any of the data processing activities below applies.
- New Threshold. Where the cross-border transfer of personal information of fewer than 100,000 individuals has occurred since January 1 of the current year. Previously, the Draft Regulations triggered a Standard Contract Filing or Certification for fewer than 10,000 individuals. However, this exemption does not apply to the cross-border transfer of sensitive personal information or to transfers by critical information infrastructure operators (CIIOs).
- Human Resource Activities. Where it is necessary to transfer personal information overseas for the purpose of carrying out human resources management in accordance with labor rules and regulations, and lawfully executed collective contracts (the Human Resource Information). However, the Human Resource Information must comply with the PIPL principle of “minimum and necessary.”
- Contractual Necessity. The New Regulations exempt the cross-border transfer of personal information that is necessary for the performance of a contract to which the individual is a party. This includes contracts for cross-border shopping, cross-border mailing and delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing and examination services.
- Emergencies. Where the cross-border transfer of personal information is necessary to protect the life, health, or property of a natural person in an emergency.
- Personal Information Outside of China. Where personal information is collected and processed overseas, transferred to China for processing, and then transferred back overseas, provided that no domestic personal information or important data is introduced during the processing.
- Other Data. Any cross-border transfer of data from international trade, cross-border transportation, academic cooperation, transnational manufacturing, marketing, and other activities that does not involve personal information or important data.
A Standard Contract Filing or Certification
The New Regulations outline that a data handler may use a Standard Contract Filing or Certification for cross-border personal information transfers where:
- It is processing personal information of less than 1,000,000 individuals;
- It transfers personal information of less than 100,000 individuals from January 1 of the current year;
- It transfers sensitive personal information of less than 10,000 individuals from January 1 of the current year; or
- It is not a CIIO.
Security Assessment
Under the New Regulations, a data handler that transfers personal information outside of China must undergo a Security Assessment when:
- A CIIO transfers any personal information or important data outside of China;
- A data handler (excluding a CIIO) transfers important data or personal information of over 1,000,000 individuals; or
- A data handler transfers sensitive personal information of over 10,000 individuals.
Furthermore, the New Regulations increase the period of validity of an approved Security Assessment from two years to three years.
Free-Trade Zones
The New Regulations provide that free-trade zones have the authority to pilot policies establishing lists of data that require a Security Assessment, Standard Contract Filing or Certification (the Negative List). A Negative List may be issued subject to approval by the provincial CACs and must be filed with the central CAC and the National Data Administration (NDA) (which is a newly created regulatory body under the New Regulations). Data that falls outside of the Negative List is exempted from these requirements.
Companies will need to carefully assess all their data processing activities on a case-by-case basis. In addition, companies will need to update their policies, procedures, and processes to comply with the New Regulations, Guidelines, PIPL and DSL.