Nearly six months after the initial draft was issued for public comment on September 28, 2023 (see here for our previous alert on that development), the Cyberspace Administration of China (“CAC”) issued, on March 22, 2024, the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) (“Provisions”) (Chinese version available here).  The Provisions take effect immediately.

The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime.  These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations.  Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification.  As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers.  Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.

We summarize below some key changes introduced and clarifications made by the Provisions:

  • Transfer of non-personal and “non-important” data (Article 3): Cross-border transfers of data collected and generated during activities such as “international trade, cross-border transportation, academic cooperation, cross-border manufacturing or marketing” are exempted from the requirement to adopt a transfer mechanism if the data does not contain personal information or important data.  This clarification means that the transfer of non-personal and “non-important” data generally does not require pre-transfer approval from the CAC.
  • Transfer of important data (Article 2): A data processing entity must identify and declare “important data” according to regulations to be issued by sectoral regulators and/or local regulators.  Importantly, the Provisions clarify that unless a company is informed by the regulator or through a public notice that it processes “important data,” it is not necessary for the company to proactively undergo a security assessment for the transfer of “important data” out of China.
  • Exemption for specific categories of transfer purposes (Article 5):
    • Contractual necessity: transfers that are necessary for the purpose of entering into and performing a contract to which the individual is a party, such as “cross-border e-commerce, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket / hotel booking, visa processing and examination”;
    • Employee data: transfers of personal information of employees that are necessary to carry out “cross-border human resources management” in accordance with lawfully formulated labor policies or a lawfully concluded collective agreement; and
    • Emergency: transfers that are necessary to protect the life, health, and physical safety of a natural person in an emergency situation.
  • Exemption based on “negative lists” established by free trade zones (Article 6):
    • Borrowing from the concept of “negative lists” for foreign investment, which identify specific sectors and industries where foreign investment is either restricted or prohibited, the Provisions contemplate that local governments in free trade zones (“FTZs”) can propose a negative list for data that will still be subject to the transfer mechanism requirement for the specific FTZ.  Other types of data will generally be exempted.
  • Exemption for data originating outside of China that merely transits through China without involving any domestic personal information or important data (Article 4).
  • Thresholds for adopting transfer mechanism (Article 7 and Article 8):
    • Consistent with the existing rules, (1) transfer of personal information by a critical information infrastructure (“CII”) operator; or (2) transfer of important data will directly trigger a mandatory CAC-led security assessment.
    • With respect to volume-based thresholds that would be applicable to transfers by non-CII entities, the Provisions made significant changes, both in comparison with the existing rules and with the draft issued in September 2023.  The Provisions removed one threshold that was focused on entities with large volumes of in-country data processing (i.e., involving at least 1 million individuals).  Instead, the current volume-based thresholds are all focused on the transfer to be made since January 1 of a given year, as shown below.

| Transfer Mechanism | Data Transferred by Non-CII Operators Since January 1 of That Year |
|---|---|
| Security Assessment | Non-sensitive personal information transferred ≥ 1 million individuals |
| | Sensitive personal information transferred ≥ 10,000 individuals |
| Standard Contract / Certification | 100,000 individuals ≤ non-sensitive personal information transferred < 1 million individuals |
| | 1 ≤ sensitive personal information transferred < 10,000 individuals |
| Exempted | Non-sensitive personal information transferred < 100,000 individuals |

  • Note that if a transfer falls under the exemptions outlined in Article 3, Article 4, Article 5, or Article 6, companies engaging in these exempted transfers are not required to factor in the volume of personal information being transferred when considering the applicability of the transfer mechanisms. For example, a company does not need to include the number of its employees when assessing whether it has transferred over 100,000 individuals’ non-sensitive personal information since January 1 of that year.

In response to the changes introduced by the Provisions, updated versions of the security assessment and standard contract guidelines have been issued.  These include the Guidelines for Application for Security Assessment of Cross-border Data Transfer (Second Edition) and the Guidelines for Filing of Standard Contract for Cross-border Transfer of Personal Information (Second Edition) (see here for full text).  Further, under the Provisions, the validity period of the security assessment result is extended from the current two years to three years, counting from the date when the result is issued (Article 9).

Consistent with the draft issued in September 2023, the CAC emphasized in the Provisions that transferring personal information outside of China still has to comply with PIPL requirements related to notice, separate consent, and personal information protection impact assessment (Article 10). Furthermore, the Provisions underscore the strengthened oversight by the CAC during all stages of cross-border data transfers and the CAC retains its investigatory authority over high-risk transfers (Article 12).

(This blog post was written with contributions from Mingxin Liu.) 

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Xuezi Dan

Xuezi Dan is an associate in the firm’s Beijing office. Her practice focuses on regulatory compliance, with a particular focus on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China.


She also has experience advising clients on general corporate and antitrust matters.