Nearly six months after the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), the Cyberspace Administration of China (“CAC”) issued, on March 22, 2024, the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) (“Provisions”) (Chinese version available here). The Provisions take effect immediately.
The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime. These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations. Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification. As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers. Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.
We summarize below some key changes introduced and clarifications made by the Provisions:
- Transfer of non-personal and “non-important” data (Article 3): Cross-border transfers of data collected and generated during activities such as “international trade, cross-border transportation, academic cooperation, cross-border manufacturing or marketing” are exempted from the requirement to adopt a transfer mechanism if the data does not contain personal information or important data. This clarification means that the transfer of non-personal and “non-important” data generally does not require pre-transfer approval from the CAC.
- Transfer of important data (Article 2): A data processing entity must identify and declare “important data” according to regulations to be issued by sectoral regulators and/or local regulators. Importantly, the Provisions clarify that unless a company is informed by the regulator or through a public notice that it processes “important data,” it is not necessary for the company to proactively undergo a security assessment for the transfer of “important data” out of China.
- Exemption for specific categories of transfer purposes (Article 5):
  - Contractual necessity: transfers that are necessary for the purpose of entering into and performing a contract to which the individual is a party, such as “cross-border e-commerce, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket / hotel booking, visa processing and examination”;
  - Employee data: transfers of personal information of employees that are necessary to carry out “cross-border human resources management” in accordance with lawfully formulated labor policies or a lawfully concluded collective agreement; and
  - Emergency: transfers that are necessary to protect the life, health, and physical safety of a natural person in an emergency situation.
- Exemption based on “negative lists” established by free trade zones (Article 6):
  - Borrowing from the concept of “negative lists” for foreign investment, which identifies specific sectors and industries where foreign investment is either restricted or prohibited, the Provisions contemplate that local governments in free trade zones (“FTZs”) can propose a negative list for data that will still be subject to the transfer mechanism requirement for the specific FTZ. Other types of data will generally be exempted.
- Exemption for data originating outside of China that merely transits through China without involving any domestic personal information or important data (Article 4).
- Thresholds for adopting transfer mechanism (Article 7 and Article 8):
  - Consistent with the existing rules, (1) transfer of personal information by a critical information infrastructure (“CII”) operator; or (2) transfer of important data will directly trigger a mandatory CAC-led security assessment.
  - With respect to the volume-based thresholds applicable to transfers by non-CII entities, the Provisions make significant changes, both in comparison with the existing rules and with the draft issued in September 2023. The Provisions removed one threshold that was focused on entities with large volumes of in-country data processing (i.e., involving at least 1 million individuals). Instead, the current volume-based thresholds are all focused on the transfers made since January 1 of a given year, as shown below.

| Transfer Mechanism | Data Transferred by Non-CII Operators Since January 1 of That Year |
| --- | --- |
| Security Assessment | Non-sensitive personal information transferred ≥ 1 million individuals |
| Security Assessment | Sensitive personal information transferred ≥ 10,000 individuals |
| Standard Contract / Certification | 100,000 individuals ≤ non-sensitive personal information transferred < 1 million individuals |
| Standard Contract / Certification | 1 ≤ sensitive personal information transferred < 10,000 individuals |
| Exempted | Non-sensitive personal information transferred < 100,000 individuals |

  - Note that if a transfer falls under the exemptions outlined in Article 3, Article 4, Article 5, or Article 6, companies engaging in these exempted transfers are not required to factor in the volume of personal information being transferred when considering the applicability of the transfer mechanisms. For example, a company does not need to include the number of its employees when assessing whether it has transferred over 100,000 individuals’ non-sensitive personal information since January 1 of that year.
In response to the changes introduced by the Provisions, updated versions of the security assessment and standard contract guidelines have been issued. These include the Guidelines for Application for Security Assessment of Cross-border Data Transfer (Second Edition) and the Guidelines for Filing of Standard Contract for Cross-border Transfer of Personal Information (Second Edition) (see here for full text). Further, under the Provisions, the validity period of the security assessment result is extended from the current two years to three years, counting from the date when the result is issued (Article 9).
Consistent with the draft issued in September 2023, the CAC emphasized in the Provisions that transferring personal information outside of China still has to comply with PIPL requirements related to notice, separate consent, and personal information protection impact assessment (Article 10). Furthermore, the Provisions underscore the strengthened oversight by the CAC during all stages of cross-border data transfers and the CAC retains its investigatory authority over high-risk transfers (Article 12).
(This blog post was written with contributions from Mingxin Liu.)