On September 28, 2023, the Cyberspace Administration of China proposed draft regulations, the Regulations on Regulating and Facilitating Cross-border Data Flow (Draft Regulations), seeking public comment. If adopted, they will significantly reduce the restrictions on cross-border data transfers from China. This is a material effort by China to improve free data flows and an implementation of the “whitelist” mentioned under the 24 provisions for attracting foreign investment published in August 2023.
Personal Data Export Exceptions
Most importantly, the Draft Regulations provide several important exceptions allowing the cross-border transfer of personal data without having to execute China’s Personal Data Export Standard Contract (the Standard Contract), or to file it and obtain government approval. These exceptions are proposed to include the:
- Transfer of employee data necessary for the purpose of HR management
- Transfer of personal data for the purpose of performing a contract, such as online shopping, hotel/flight booking, visa applications, etc.
- Transfer of no more than 10,000 individuals’ personal data per year
If any of the above exceptions apply, there is no requirement to (i) sign or file a Standard Contract, (ii) file a personal data privacy impact assessment and (iii) pass a government security assessment.
For the current requirements for the government security assessment, please see our blog post China Issues Guidelines for Submitting the Personal Information Protection Impact Assessment for Data Exports, and for signing and filing the Standard Contract, please see our blog post China Releases the Standard Contract on Personal Information Export.
These exemptions, if passed, should relieve a large number of multinational companies operating in China of the burden of signing and filing the Standard Contract.
Government Security Assessment Threshold Lowered
In addition, the Draft Regulations propose that the thresholds triggering a mandatory government security assessment be significantly relaxed:
- Under the current rules, a mandatory assessment must be done in the event the export involves more than 100,000 individuals’ data per year or 10,000 individuals’ sensitive data per year. The Draft Regulations propose that a mandatory assessment be required only in the event that more than 1 million individuals’ data is to be exported cumulatively.
- The Draft Regulations further propose that the mandatory assessment applies only to the “export” of 1 million individuals’ data. Under the current rules, it would appear that a mandatory assessment is required by a data exporter (Controller) that simply processes 1 million individuals’ data locally while exporting only a small amount of that data.
- Under the Draft Regulations, the export of more than 10,000 but fewer than 1 million individuals’ data will still require signing a Standard Contract with the data recipient abroad and filing it with the government, together with the personal information privacy impact assessment (specifying why the export is minimal and necessary, along with a number of other details).
The Draft Regulations also make important clarifications on a couple of questions commonly raised by multinational companies and businesses:
- Business/marketing data (other than personal data and Important Data) can be freely transferred.
- The definition of “important data” will be provided by the government, either through public announcement or specific notice. Accordingly, businesses will not need to make their own judgement of what the term means.
It is our expectation that the final version of the Draft Regulations will be released soon after the public comment period ends on October 15, 2023. However, until then, the current regulations, requiring implementation by December 1, 2023, for existing data transfers, remain in place. As implementing the full scope of these transfers will take some time, this leaves businesses in a difficult position, preparing to comply with uncertain regulations. That said, the draft exclusions are certainly a welcome move and, if adopted, will substantially lighten the compliance burden imposed on international companies doing business in and/or with China. Needless to say, we will continue to monitor developments closely and will provide an update to our clients at the relevant juncture.
If you would like to discuss these measures or any other regulation applicable to other jurisdictions, please feel free to reach out to any of our market-leading global data group including, besides Lindsay and Scott, Charmian Aw and Nick Chan (for Asia Pacific), David Naylor and Charles Helleputte (for Europe) or Alan Friel and Julia Jacobson (for the US).
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.