CAC Released Draft Rules to Ease Restrictions on Cross Border Data Transfer for Public Comment
On 28 September 2023, the Cyberspace Administration of China (the “CAC”) released the draft of the Measures on the Regulation and Promotion of Cross Border Data Flow (the “Draft”) for public comment.
1. Data Export Security Assessment
Before we look into the details of the Draft, it is worth briefly introducing China’s legal regulatory mechanism for cross border data transfer. On 7 July 2021, the CAC released the Measures for Data Export Security Assessment (the “Data Export Measures”), which came into effect on 1 September 2021. The Data Export Measures was the first cornerstone laid by the Chinese government in building this regulatory mechanism. According to the Data Export Measures, when a data processor provides data overseas and falls under any of the following circumstances, the data processor shall apply for a data export security assessment to the state cyberspace administration via the provincial cyberspace administration for its domicile:
(1) where the data processor provides important data overseas;
(2) where the data processor is a critical information infrastructure operator or a data processor that processes personal information of at least one million persons;
(3) where the data processor has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals overseas on a cumulative basis since 1 January of the previous year; and
(4) where the data processor falls under any of the other circumstances stipulated by the state cyberspace administration where a data export security assessment needs to be applied for.
The processor shall conduct a self-assessment before applying for the security assessment. The security assessment will be conducted by the state cyberspace administration, which is the CAC itself, on a case-by-case basis. The security assessment shall be completed within 45 business days following the acceptance of the application, but the CAC is allowed to make an open-ended extension if the case turns out to be complicated or additional materials are required.
From the above provision, it is clear that the concept of ‘important data’ is key to determining whether a security assessment is required. However, the Data Export Measures only sets out a very rough definition of ‘important data’ as ‘data that may endanger national security, economic operation, social stability, public health and safety, etc. once they are tampered with, destroyed, leaked, or illegally obtained or used’.
2. The Standard Contract
Following the Data Export Measures, on 23 February 2022, the CAC released the Measures on the Standard Contract for Outbound Transfer of Personal Information (the “SCC Measures”), which came into effect on 1 June 2023. According to the SCC Measures, when an export of personal information does not fall within the circumstances that require a security assessment under the Data Export Measures, the transferor and transferee shall at least enter into a standard contract and file it with the relevant authority.
However, the SCC Measures also requires the processor to file its personal information protection impact assessment (“PIA”) report together with the standard contract with the provincial cyberspace administration, which means that any processor who intends to export personal information out of China is, at the least, obliged to conduct a PIA and file the standard contract.
More importantly, the SCC Measures requires that any export of personal information conducted before the enactment of the SCC Measures which was not in compliance with the SCC Measures shall be corrected within 6 months following the enactment of the SCC Measures. Such a requirement means that all personal information processors who export personal information out of China shall complete the PIA and file with the relevant authority before the end of November 2023.
In practice, the SCC Measures has a greater impact than the Data Export Measures, because almost all foreign invested companies and many domestic invested companies in China are transferring personal information out of China. Most typically, they share local staff’s personal information with the overseas headquarters for employment management purposes, or transfer customers’ personal information to the headquarters or other associated companies for business development purposes. But in almost all cases, the quantity of personal information is not even close to the thresholds set forth in the Data Export Measures, which makes the SCC Measures the major legal requirement that most processors must abide by.
However, it is obviously not proportionate to go through all the effort of conducting the PIA and filing the standard contract just to share the personal information of a few dozen local staff. On the other hand, the potentially huge filing workload would very likely render the procedure unworkable. But as the deadline gets closer, we are seeing increasing concern about violating the SCC Measures, and many companies are weighing whether to hold off or to proceed with the PIA and filing.
II. The Draft
Now it is time to look at what the Draft says.
First of all, the Draft restates the position that an export of data generated from international trading, academic cooperation, overseas manufacturing and marketing activities is not required to pass the security assessment, be covered by a standard contract or pass the personal information protection certification, so long as the data exported does not contain important data or personal information.
Secondly, as we mentioned above, the Data Export Measures does not set out a clear definition and scope of the concept of “important data”, which makes it difficult for processors to determine whether a security assessment is required. Therefore, the Draft clearly states that the processor does not need to conduct a security assessment so long as the exported data has not been clearly published or declared as important data by the relevant authorities.
Furthermore, the Draft sets out three exemptions from the security assessment, standard contract and personal information protection certification, namely: (1) when the export of personal information is necessary to sign and perform a contract to which the personal information subject is a party, such as cross border shopping, cross border remittance, booking of hotels and air tickets and application for visas; (2) when staff’s personal information is required to be exported in accordance with the company’s duly established employment regulations and collective employment contract for the purpose of human resources management; and (3) when it is necessary to export personal information to protect safety, health and property rights in urgent situations.
Most importantly, the Draft clearly states that, regardless of purpose, if the personal information of no more than 10,000 persons is estimated to be exported within one year, there is no need to conduct the security assessment, enter into the standard contract or pass the personal information protection certification. If the personal information of more than 10,000 but fewer than 1 million persons is estimated to be exported within one year, then entering into the standard contract and filing with the provincial cyberspace administration would suffice, and a security assessment is not required in such a case, which actually eases the requirement for security assessment.
Finally, the Draft allows free trade zones (FTZs) to establish their own negative lists on data export. An export of data not included in the negative list does not need to pass the security assessment, be covered by a standard contract or pass the personal information protection certification.
As the Draft is still at the stage of collecting public comments, we do not know whether and when the Draft will be officially promulgated, or whether the final version will be the same as the Draft. But apparently, China’s data regulatory authority is reacting to the concerns of the business side and trying to carve out a more feasible, efficient and business friendly regulatory mechanism for cross border transfer of data.
However, the Draft shall under no circumstances be construed as relieving data processors of their legal compliance obligations. It is true that if the Draft is finally approved with the articles we are seeing right now, most of the companies exporting personal information may no longer be required to enter into the standard contract and file with the relevant authority. But that does not mean these companies are released from their obligation to conduct a PIA. It is worth mentioning that, according to Article 55 of the Personal Information Protection Law, a PIA shall be conducted so long as the processor intends to export personal information.