On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued draft Provisions on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) (规范和促进数据跨境流动规定(征求意见稿)) (draft “Provisions”) (Chinese version available here) for a public consultation, which will conclude on October 15, 2023. 

The draft Provisions propose significant changes to the existing cross-border data transfer regime established under China’s Personal Information Protection Law (“PIPL”).  Specifically, the draft Provisions provide certain exemptions to the requirement to adopt a transfer mechanism under Article 38 of the PIPL. In addition, the draft Provisions significantly lower the thresholds that trigger the obligation to undergo a government-administered security assessment or adopt Standard Contracts.  Moreover, in the event of a conflict between the draft Provisions and the PIPL’s implementing regulations (including the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer), the draft Provisions would prevail.

Below, we provide additional details on key changes proposed in the draft Provisions.

  • Transfer of non-personal and “non-important” data: Data generated by activities such as “international trade, academic cooperation, cross-border manufacturing or marketing” that does not contain personal information or important data, would not trigger obligations to submit an application for the government-administered security assessment, enter into Standard Contracts, or obtain a personal information protection certification. This helps clarify that the transfer of non-personal and “non-important” data generally does not require pre-transfer approval from the CAC.
  • Transfer of important data: Unless a company is informed by the regulator or a public notice that it processes “important data,” it is not necessary for the company to proactively assess its processing or undergo a security assessment due to the transfer of “important data” out of China.
  • Specific transfer scenarios exempted from transfer mechanism requirement:
    • Exemption for specific categories of transfer purposes:
      • The cross-border transfer of personal information that is necessary for the purpose of entering into and performing a contract to which the individual is a party, such as cross-border e-commerce, cross-border remittance, air ticket / hotel booking and visa processing;
      • The cross-border transfer of personal information of employees that is necessary to carry out human resources management in accordance with lawfully formulated labor policies or a lawfully concluded collective agreement; and
      • The cross-border transfer of personal information that is necessary to protect the life, health, and physical safety of a natural person in an emergency situation.
    • Exemption based on the volume of records transferred:
      • If it is estimated that the personal information transferred out of China within a year involves fewer than 10,000 individuals, a transfer mechanism is not required.  It is unclear whether the 10,000 threshold would be calculated after excluding HR data or other data that would already be exempted.  
    • Exemption based on “negative lists” established by free trade zones:
      • Borrowing from the concept of “negative lists” for foreign investment, which identifies specific sectors and industries where foreign investment is either restricted or prohibited, the draft Provisions contemplate that local governments in free trade zones (“FTZs”) can propose a negative list for data that would still be subject to the transfer mechanism requirement for the specific FTZ, even if other types of data will generally be exempted.
      • Once such lists are approved by the local CAC and filed with the central CAC, cross-border transfers of data that fall outside of the negative list can freely flow out of that FTZ without a transfer mechanism. In other words, companies established in FTZs could enjoy even fewer restrictions on data transfers, depending on the specific negative lists proposed by the local FTZ governments.
    • Exemption for data originating outside of China that merely transits through China.
  • Thresholds for security assessment or Standard Contracts:
    • If it is estimated that the personal information transferred out of China within a year involves 10,000 or more (but fewer than 1 million) individuals, the company can choose to adopt the Standard Contract or obtain a certification, but there is no obligation to apply for the government-administered security assessment. In other words, the security assessment is only required for companies that are transferring personal information of over 1 million individuals out of China.

If adopted in the current form, the draft Provisions could significantly reduce the burden that companies have faced in the past few months to comply with the PIPL’s implementing regulations in relation to the security assessment and Standard Contracts. However, CAC emphasized in the proposed rule that (1) specific consent is still required under the PIPL for cross-border transfers, if consent is the legal basis for the data processing; and (2) even in circumstances where pre-transfer approval is not required, the CAC maintains the authority to investigate high-risk transfers, and it may even order companies to stop transfers altogether. So while it is a welcome step from CAC to reduce burdens for the majority of multinational companies that transfer data out of China in their daily operations, it is still important to evaluate high-risk transfers and the strategies around such transfers.

(This blog post was written with contributions from Mingxin Liu.) 

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Yan is a Certified Information Privacy Professional (CIPP/Asia) by the International Association of Privacy Professionals and an active member of the American Bar Association’s Section of Antitrust Law.

Xuezi Dan

Xuezi Dan is an associate in the firm’s Beijing office. Her practice focuses on regulatory compliance, with a particular focus on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China.

She also has experience advising clients on general corporate and antitrust matters.

Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.