On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued draft Provisions on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) (规范和促进数据跨境流动规定(征求意见稿)) (draft “Provisions”) (Chinese version available here) for a public consultation, which will conclude on October 15, 2023.
The draft Provisions propose significant changes to the existing cross-border data transfer regime established under China’s Personal Information Protection Law (“PIPL”). Specifically, the draft Provisions provide certain exemptions to the requirement to adopt a transfer mechanism under Article 38 of the PIPL. In addition, the draft Provisions significantly lower the thresholds that trigger the obligation to undergo a government-administered security assessment or adopt Standard Contracts. Moreover, in the event of a conflict between the draft Provisions and the PIPL’s implementing regulations (including the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer), the draft Provisions would prevail.
Below, we provide additional details on key changes proposed in the draft Provisions.
- Transfer of non-personal and “non-important” data: Data generated by activities such as “international trade, academic cooperation, cross-border manufacturing or marketing” that does not contain personal information or important data would not trigger obligations to submit an application for the government-administered security assessment, enter into Standard Contracts, or obtain a personal information protection certification. This helps clarify that the transfer of non-personal and “non-important” data generally does not require pre-transfer approval from the CAC.
- Transfer of important data: Unless a company is informed by the regulator or a public notice that it processes “important data,” it is not necessary for the company to proactively assess its processing or undergo a security assessment due to the transfer of “important data” out of China.
- Specific transfer scenarios exempted from transfer mechanism requirement:
  - Exemption for specific categories of transfer purposes:
    - The cross-border transfer of personal information that is necessary for the purpose of entering into and performing a contract to which the individual is a party, such as cross-border e-commerce, cross-border remittance, air ticket / hotel booking and visa processing;
    - The cross-border transfer of personal information of employees that is necessary to carry out human resources management in accordance with lawfully formulated labor policies or a lawfully concluded collective agreement; and
    - The cross-border transfer of personal information that is necessary to protect the life, health, and physical safety of a natural person in an emergency situation.
  - Exemption based on the volume of records transferred:
    - If it is estimated that the personal information transferred out of China within a year involves fewer than 10,000 individuals, a transfer mechanism is not required. It is unclear whether the 10,000 threshold would be calculated after excluding HR data or other data that would already be exempted.
  - Exemption based on “negative lists” established by free trade zones:
    - Borrowing from the concept of “negative lists” for foreign investment, which identify specific sectors and industries where foreign investment is either restricted or prohibited, the draft Provisions contemplate that local governments in free trade zones (“FTZs”) can propose a negative list for data that would still be subject to the transfer mechanism requirement for the specific FTZ, even if other types of data will generally be exempted.
    - Once such lists are approved by the local CAC and filed with the central CAC, data that falls outside of the negative list can freely flow out of that FTZ without a transfer mechanism. In other words, companies established in FTZs could enjoy even fewer restrictions on data transfers, depending on the specific negative lists proposed by the local FTZ governments.
  - Exemption for data originating outside of China that merely transits through China.
- Thresholds for security assessment or Standard Contracts:
  - If it is estimated that the personal information transferred out of China within a year involves 10,000 or more (but fewer than 1 million) individuals, the company can choose to adopt the Standard Contract or obtain a certification, but there is no obligation to apply for the government-administered security assessment. In other words, the security assessment is only required for companies that are transferring personal information of over 1 million individuals out of China.
If adopted in the current form, the draft Provisions could significantly reduce the burden that companies have faced in the past few months to comply with the PIPL’s implementing regulations in relation to the security assessment and Standard Contracts. However, CAC emphasized in the proposed rule that (1) specific consent is still required under the PIPL for cross-border transfers, if consent is the legal basis for the data processing; and (2) even in circumstances where pre-transfer approval is not required, the CAC maintains the authority to investigate high-risk transfers, and it may even order companies to stop transfers altogether. So while it is a welcome step from CAC to reduce burdens for the majority of multinational companies that transfer data out of China in their daily operations, it is still important to evaluate high-risk transfers and the strategies around such transfers.
(This blog post was written with contributions from Mingxin Liu.)