On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued draft Provisions on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) (规范和促进数据跨境流动规定(征求意见稿)) (draft “Provisions”) (Chinese version available here) for a public consultation, which will conclude on October 15, 2023. 

The draft Provisions propose significant changes to the existing cross-border data transfer regime established under China’s Personal Information Protection Law (“PIPL”). Specifically, the draft Provisions provide certain exemptions from the requirement to adopt a transfer mechanism under Article 38 of the PIPL. In addition, the draft Provisions significantly relax the volume thresholds that trigger the obligation to undergo a government-administered security assessment or adopt Standard Contracts. Moreover, in the event of a conflict between the draft Provisions and the PIPL’s implementing regulations (including the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer), the draft Provisions would prevail.

Below, we provide additional details on key changes proposed in the draft Provisions.

  • Transfer of non-personal and “non-important” data: Data generated by activities such as “international trade, academic cooperation, cross-border manufacturing or marketing” that does not contain personal information or important data, would not trigger obligations to submit an application for the government-administered security assessment, enter into Standard Contracts, or obtain a personal information protection certification. This helps clarify that the transfer of non-personal and “non-important” data generally does not require pre-transfer approval from the CAC.
  • Transfer of important data: Unless a company is informed by the regulator or a public notice that it processes “important data,” it is not necessary for the company to proactively assess its processing or undergo a security assessment due to the transfer of “important data” out of China.
  • Specific transfer scenarios exempted from the transfer mechanism requirement:
    • Exemption for specific categories of transfer purposes:
      • The cross-border transfer of personal information that is necessary for the purpose of entering into and performing a contract to which the individual is a party, such as cross-border e-commerce, cross-border remittance, air ticket / hotel booking and visa processing;
      • The cross-border transfer of personal information of employees that is necessary to carry out human resources management in accordance with lawfully formulated labor policies or a lawfully concluded collective agreement; and
      • The cross-border transfer of personal information that is necessary to protect the life, health, and physical safety of a natural person in an emergency situation.
    • Exemption based on the volume of records transferred:
      • If it is estimated that the personal information transferred out of China within a year involves fewer than 10,000 individuals, a transfer mechanism is not required.  It is unclear whether the 10,000 threshold would be calculated after excluding HR data or other data that would already be exempted.  
    • Exemption based on “negative lists” established by free trade zones:
      • Borrowing from the concept of “negative lists” for foreign investment, which identifies specific sectors and industries where foreign investment is either restricted or prohibited, the draft Provisions contemplate that local governments in free trade zones (“FTZs”) can propose a negative list for data that would still be subject to the transfer mechanism requirement for the specific FTZ, even if other types of data will generally be exempted.
      • Once such lists are approved by the local CAC and filed with the central CAC, data that falls outside of the negative list can flow out of that FTZ without a transfer mechanism. In other words, companies established in FTZs could enjoy even fewer restrictions on data transfers, depending on the specific negative lists proposed by the local FTZ governments.
    • Exemption for data originating outside of China that merely transits through China.
  • Thresholds for security assessment or Standard Contracts:
    • If it is estimated that the personal information transferred out of China within a year involves 10,000 or more (but fewer than 1 million) individuals, the company can choose to adopt the Standard Contract or obtain a certification, but there is no obligation to apply for the government-administered security assessment. In other words, the security assessment is only required for companies that transfer personal information of 1 million or more individuals out of China.

If adopted in the current form, the draft Provisions could significantly reduce the burden that companies have faced in the past few months to comply with the PIPL’s implementing regulations in relation to the security assessment and Standard Contracts. However, the CAC emphasized in the proposed rule that (1) separate consent is still required under the PIPL for cross-border transfers if consent is the legal basis for the data processing; and (2) even in circumstances where pre-transfer approval is not required, the CAC retains the authority to investigate high-risk transfers and may even order companies to stop transfers altogether. So while it is a welcome step from the CAC to reduce burdens for the majority of multinational companies that transfer data out of China in their daily operations, it remains important to evaluate high-risk transfers and the strategies around such transfers.

(This blog post was written with contributions from Mingxin Liu.) 

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Xuezi Dan

Xuezi Dan is an associate in the firm’s Beijing office. Her practice focuses on regulatory compliance, with a particular focus on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China.

She also has experience advising clients on general corporate and antitrust matters.

Nicholas Shepherd

Nick Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the EU/UK General Data Protection Regulation (GDPR), ePrivacy Directive and its national implementing laws, EU/UK direct marketing laws, emerging state privacy laws in the United States, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border data transfers, data breach response, artificial intelligence, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements on transparency, consent, lawful processing, data sharing, and related issues.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick now leverages his multi-faceted legal background and international experience from the U.S. to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.