On March 22, 2024, the Cyberspace Administration of China (CAC) published the Regulations on Promoting and Regulating Cross-border Data Flow (the “Regulations”), effective immediately. The Regulations supplement China’s data protection laws (the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law), and take precedence over previously issued data transfer rules, such as (a) the Measures for the Security Assessment of Outbound Data Transfer (effective September 1, 2022), and (b) the Guidelines for Filing the Standard Contract for Outbound Transfer of Personal Information (effective June 1, 2023).
The following are key takeaways of China’s data transfer regime as it has now been amended by the Regulations.
Thresholds under which Data Export Security Assessments are Required
As a refresher, the Regulations maintain the thresholds that, when triggered, require a data exporter to apply to the CAC for a data export security assessment:
- Critical information infrastructure operator (CIIO) – CIIOs must generally apply for a CAC export assessment whenever exporting personal information or important data.
- Non-CIIO – Non-CIIOs remain subject to the more limited requirement to apply for a CAC export assessment when:
  - Since January 1 of the current year, exporting (a) non-sensitive personal information of more than 1,000,000 individuals or (b) sensitive personal information of more than 10,000 individuals.
  - Exporting “important” data. Prior versions of the Regulations required a permit for any exports of “important” data. However, the Regulations now provide somewhat more comfort for business: data is “important” only if the exporter has been notified that the data is important by its relevant regulator (either by an actual notification or by published regulations).
If a company applies for and receives a data export security assessment, it is valid for three years from the issuance date. A data exporter may apply for a three-year extension sixty business days before the expiration date.
Six New Exempted Data Export Scenarios
The Regulations provide six new scenarios in which a data exporter can transfer data overseas without applying to the CAC for a data export security assessment. In fact, the Regulations exempt the following scenarios from any obligation to put transfer safeguards in place – i.e., not only is no CAC application required, but there is also no obligation to execute CAC-issued Standard Contractual Clauses, nor any obligation to obtain a “personal information protection certificate” from a CAC-recognized certification agency (similar to the GDPR’s certification scheme – and, as under GDPR, it is currently little-used).
The excepted scenarios are as follows:
- No personal information or important data is transferred.
- Personal information has been collected outside of China, and is only processed in China without incorporating any personal information of Chinese nationals or important data collected within China.
- Since January 1 of the current year, the exporter has transferred non-sensitive personal information of less than 100,000 individuals.
- The transfer is for the purpose of entering or performing a contract, such as for cross-border shopping, delivery, remittance, payment, account opening, air ticket and holiday booking, visa processing, and examination.
- The transfer is made for cross-border HR management according to labor laws and regulations, or to collective employment contracts.
- The transfer is made during emergencies, such as to protect the life, health, and property of natural persons.
Where applicable, an exempt data exporter still needs to obtain individual consent and conduct a privacy impact assessment for the cross-border personal information transfer as may otherwise be required by China’s Personal Information Protection Law.
Thresholds for Standard Contractual Clauses and Certifications Remain the Same
Even if no CAC-approved security assessment is needed to permit a transfer, non-CIIO exporters must still implement other required transfer safeguards in two key situations. The required safeguard could be either (a) entering into the CAC-issued Standard Contractual Clauses, or (b) obtaining a personal information protection certificate. Exporters must continue to implement these transfer safeguards in the following scenarios:
- Exporting non-sensitive personal information of more than 100,000 but less than 1,000,000 individuals since January 1 of the current year, or
- Exporting sensitive personal information of less than 10,000 individuals since January 1 of the current year.
You can read the Regulations here (available in Chinese only). Check the Alston & Bird Privacy Blog (China) for our prior blog posts on China data protection laws. Please contact Alston & Bird’s Privacy, Cyber & Data Strategy team if you have any questions.