01
Background
On March 22, 2024, the Cyberspace Administration of China (hereinafter referred to as the “CAC”) issued the Provisions on Promoting and Regulating Cross-Border Data Flows (hereinafter referred to as the “Provisions”), which came into effect on the same day, together with the Guidelines for the Application for Security Assessment for Outbound Data Transfer (Second Edition) and the Guidelines for Filing the Standard Contract for Outbound Transfer of Personal Information (Second Edition). The introduction of the Provisions shows that China's regulation of cross-border data transfer (hereinafter referred to as “CBDT”) is trending toward "overall relaxation, selective control", and enterprises should carry out corresponding work in a targeted and systematic manner.
02
The Exemptions
Pursuant to the Personal Information Protection Law of the PRC, the Measures for the Security Assessment of Outbound Data Transfer, the Measures for the Standard Contract for the Outbound Transfer of Personal Information and other relevant laws and regulations, the approval and/or recordation obligations related to the outbound provision of data include the following: a) applying for the security assessment of outbound data transfer (hereinafter referred to as the “Assessment”); b) concluding a standard contract for personal information transfer abroad (hereinafter referred to as the “SCC(s)”); c) undergoing personal information protection certification (hereinafter referred to as the “Certification”) (collectively referred to as the “CBDT Obligations”).
Pursuant to the Provisions, the outbound provision of certain data in the following scenarios will not be subject to the CBDT Obligations:
Scenario A: The outbound provision of data that is collected and generated in international trade, cross-border transportation, academic cooperation, multinational production and manufacturing, marketing, and other activities that do not involve personal information or important data (Article 3).
Scenario B: The processing and subsequent outbound provision of personal information that is previously collected and generated outside the territory of the PRC by the data processor, provided that no personal information of persons within the territory of the PRC or important data is incorporated during the processing activities (Article 4).
Scenario C: It is necessary to transfer personal information abroad for the purpose of concluding and performing a contract to which the individual concerned is a party, such as cross-border shopping, cross-border mailing and delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing, and examination services (Article 5).
Scenario D: It is necessary to transfer the personal information of employees abroad for conducting cross-border human resource management under the labor rules and regulations formulated in accordance with the law and collective agreements signed in accordance with the law (Article 5).
Scenario E: It is necessary to transfer the personal information abroad in emergency situations, such as protection of the life, health and property safety of a natural person (Article 5).
03
The Thresholds Regarding Personal Information (Excluding Rules Related to Important Data and Critical Information Infrastructure Operators)
04
Other Key Points
(1) The Critical Information Infrastructure Operator (hereinafter referred to as the “CIIO”)
The Provisions require CIIOs to apply for the Assessment whenever they are involved in providing personal information or important data outside the country, regardless of whether the thresholds are met in the case of outbound provision of personal information. Meanwhile, Paragraph 2 of Article 7 provides that "in cases falling under the provisions of Articles 3, 4, 5, and 6 of the Provisions (these articles are related to the exemptions referred to in Part B above and the “Negative List” below), the provisions shall apply as stipulated in those provisions." Paragraph 2 does not explicitly exclude the provision of personal information by a CIIO to a foreign country. Therefore, even in the case of a CIIO providing personal information abroad, if the relevant exemptions or negative lists are applicable, such a CIIO may still not be required to apply for the Assessment. Whether this is the case remains to be clarified in the course of subsequent practice.
(2) Pilot Free Trade Zones (hereinafter referred to as the “FTZs”) and the Negative Lists
The Provisions provide that FTZs can formulate their own lists of data that would potentially trigger the CBDT Obligations and those that would not (the so-called "Negative Lists") under the national data classification and grading protection system framework. Therefore, enterprises should pay close attention to the formal introduction of such Negative Lists and make corresponding corporate decisions depending on their actual CBDT needs to take full advantage of the favorable policies in the FTZs.
(3) Important Data
According to Article 7 of the Provisions, data processors are required to apply for the Assessment to the national cyberspace administration authority through cyberspace administration at the provincial level where such data processors are located whenever they provide important data out of the country. Article 2 of the Provisions clearly states that "for data that have not been notified or publicly announced as important data by the relevant departments or regions, the data processor does not have to treat the data as important data and apply for the Assessment." Hence enterprises only need to pay close attention to the notification and public release of important data by relevant departments and regions to determine whether they are engaging in the cross-border transfer of important data.
(4) The Validity Period of the Results of Passing the Assessment
Article 9 of the Provisions not only extends the validity period of the Assessment from two years (the Measures for the Security Assessment of Outbound Data Transfer) to three years from the date of issuance of the Assessment result, but also adds that, if the validity period expires and there is a need to continue the outbound transfer of data and no circumstances have been created that would require the re-application for the Assessment, the data processor may, within 60 working days before the expiration of the validity period, apply for the extension of the validity period of the Assessment result to the national cyberspace administration through the provincial cyberspace administrations. If the application is approved by the national cyberspace administration, the validity period of the Assessment result can be extended for three years.
As long as none of the following circumstances stipulated in Article 14 of the Measures for the Security Assessment of Outbound Data Transfer requiring re-application for Assessment has occurred, enterprises can apply for a 3-year extension of the validity period in accordance with the Provisions: "(i) there is any change in the purpose, method, or scope of the outbound data transfer or the type of data, or the purpose or method of data processing by the overseas recipient, which affects the security of the data transferred abroad, or the period for the storage of personal information and important data abroad is extended; (ii) there is any change in the data security protection policies or regulations or the cybersecurity environment or any other force majeure event occurs in the country or region where the overseas recipient is located, any change in the actual control of the data processor or overseas recipient, or any change in the legal documents concluded between the data processor and overseas recipient, among others, which may affect the security of the data transferred abroad; (iii) any other circumstance that may affect the security of the data transferred abroad."
(5) Other Obligations of the Data Processor
The Provisions also explicitly require data processors to fulfill the following obligations: (i) informing personal information subjects of data cross-border matters, obtaining the individual’s separate consent for it, and conducting personal information protection impact assessments in accordance with the laws and regulations (Article 10); (ii) fulfilling the obligation of data security protection (adopting technological measures and other necessary measures to safeguard the security of the outbound transfer of data) (Article 11); and (iii) adopting remedial measures when data security incidents occur or are likely to occur, as well as timely reporting to the provincial-level or higher cyberspace administration authority and other relevant supervisory authorities (Article 11).
05
Summary Chart
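About the Authors
HU Jing
Partner, Beijing
Practice areas: data compliance, export controls and economic sanctions, corporate governance
Email: hujing@3qaa.com
CHEN Jingxuan
Paralegal, Beijing
Practice areas: data compliance, corporate governance, investment and M&A
Email: chenjingxuan@3qaa.com
ZHANG Yukun
Trainee Lawyer, Beijing
Practice areas: data compliance, corporate governance, investment and M&A
Email: zhangyukun@3qaa.com
[Special statement: The views set out and explained in this article represent only the authors' personal opinions and are for reference and exchange only. They do not represent any form of legal opinion or advice issued by the firm or its lawyers.]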