Cyberspace Administration of China (CAC)

After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version available here).  The Provisions take effect immediately.  

The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime.  These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations.  Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification.  As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers.  Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.Continue Reading China Eases Restrictions on Cross-Border Data Flows

On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued draft Provisions on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) (规范和促进数据跨境流动规定(征求意见稿)) (draft “Provisions”) (Chinese version available here) for a public consultation, which will conclude on October 15, 2023. 

The draft Provisions propose significant changes to the existing cross-border data transfer regime established under China’s Personal Information Protection Law (“PIPL”).  Specifically, the draft Provisions provide certain exemptions to the requirement to adopt a transfer mechanism under Article 38 of the PIPL. In addition, the draft Provisions significantly lower the thresholds that trigger the obligation to undergo a government-administered security assessment or adopt Standard Contracts.  Moreover, in the event of a conflict between the draft Provisions and the PIPL’s implementing regulations (including the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer), the draft Provisions would prevail.Continue Reading China Proposes Significant Changes to Cross-Border Transfer Rules

On May 30, 2023, one day before the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the filing procedure for Standard Contracts (“CAC Guidance”). (See our prior blog posts on the Standard Contract here.)Continue Reading China Releases Guidance on Filing Standard Contract for the Cross-Border Transfer of Personal Information

On April 11, 2023, the Cyberspace Administration of China (“CAC”) released draft Administrative Measures for Generative Artificial Intelligence Services (《生成式人工智能服务管理办法(征求意见稿)》) (“draft Measures”) (official Chinese version available here) for public consultation.  The deadline for submitting comments is May 10, 2023.

The draft Measures would regulate generative Artificial Intelligence (“AI”) services that are “provided to the public in mainland China.”  These requirements cover a wide range of issues that are frequently debated in relation to the governance of generative AI globally, such as data protection, non-discrimination, bias and the quality of training data.  The draft Measures also highlight issues arising from the use of generative AI that are of particular concern to the Chinese government, such as content moderation, the completion of a security assessment for new technologies, and algorithmic transparency.  The draft Measures thus reflect the Chinese government’s objective to craft its own governance model for new technologies such as generative AI.

Further, and notwithstanding the requirements introduced by the draft Measures (as described in greater detail below), the text states that the government encourages the (indigenous) development of (and international cooperation in relation to) generative AI technology, and encourages companies to adopt “secure and trustworthy software, tools, computing and data resources” to that end. 

Notably, the draft Measures do not make a distinction between generative AI services offered to individual consumers or enterprise customers, although certain requirements appear to be more directed to consumer-facing services than enterprise services.

This blog post identifies a few highlights of the draft Measures.Continue Reading China Proposes Draft Measures to Regulate Generative AI

On March 7, 2023, during the annual National People’s Congress (“NPC”) sessions, China’s State Council revealed its plan to establish a National Data Bureau (NDB) as part of a broader reorganization of government agencies. The plan is being deliberated by the NPC and is expected to be finalized soon. Continue Reading China Reveals Plan to Establish a National Data Bureau

On February 24, 2023, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (“Measures”) (only available in Chinese here), including a template contract (“Standard Contract”) accompanying the Measures.  The Measures will take effect on June 1, 2023, but are subject to a 6-month grace period to allow companies time to bring their activities into compliance.

The finalization of the Measures marks another important step forward in the establishment of China’s cross-border data transfer framework.  With implementing rules for all three lawful transfer mechanisms now in place, China appears to be entering into a new phase where cross-border transfer activities will be more closely regulated and enforcement actions are more likely to arise for non-compliance. Continue Reading China Finalizes Standard Contract for Cross-Border Transfers of Personal Information

On August 31, 2022, one day before the Measures for Security Assessment of Cross-border Data Transfer (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the security assessment application (“CAC Guidance”). Covington’s previous posts on the Measures can be found here.Continue Reading China Releases Guidance on Cross-border Data Transfer Security Assessment Application

On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law

Continue Reading China Imposes $1.2 Billion Fine for Data Violations

In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-waited, final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) were released by the Cyberspace Administration of China (“CAC”).  With a very tight implementation schedule, the Measures will take effect on September 1, 2022.  The full text of the Measures can be found here (currently available only in Mandarin Chinese).

In this blog, we highlight a few key takeaways from the final Measures.Continue Reading China Releases Measures for a Security Assessment of Cross-Border Data Transfers To Take Effect in September 2022

On July 2 and July 5, 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”) responsible for coordinating the implementation of China’s Cybersecurity Review framework (more details about this framework can be found in our previous blogpost, available here), announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies:  Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin (announcements are available here and here).

According to CRO’s announcements, these cybersecurity reviews were initiated based on requirements under the National Security Law (“NSL”), the Cybersecurity Law (“CSL”) and the Measures on Cybersecurity Review (“Measures”) and are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.”  This is the first time that CRO publically announced the initiation of cybersecurity reviews against companies after the Measures took effect on June 1, 2020.  Per the announcements, these apps are prohibited from registering new user accounts during the review period.

Separately, on July 4, CAC ordered the Didi app to be removed from Chinese app stores on the ground that the app seriously violated Chinese laws and regulations by “illegally collecting and using personal information” (the announcement is available here).  It is unclear whether this “take down” order is related to CRO’s ongoing cybersecurity review of Didi.

This post explains the requirements and procedures of cybersecurity review under the Measures, analyzes the focus of the current review against these three companies, and provides more background on recent enforcement actions against apps illegally collecting and processing personal information.
Continue Reading China Initiates Cybersecurity Review of Didi ChuXing and Three Other Chinese Mobile Applications