China Eased Its Regulation on Cross-border Data Transfer: CAC’s New Rules on Data Export Officially Enacted

Hanling & Partners
Mar 28, 2024

The China Administration of Cyberspace (CAC) has officially enacted and published its new rules on data export. The new regulation, namely the Measures on Promotion and Regulation of Cross-border Data Transfer (the “New Measures”), was published by CAC on 22 March 2024 with immediate effect.

 

The draft of the New Measures was first published on 28 September 2023 for public comment and was approved by CAC on 28 November 2023. However, it was not officially published until 22 March 2024, more than three months after its approval.


Readers are highly recommended to read our previous article (CAC Released Its Rules to Ease Restriction on Cross Border Data Transfer to Hear Public Comments), which introduces the legal framework of China’s regulation on data export and the highlights of the draft of the New Measures. This article will mainly focus on the major points of the New Measures and those that were changed from the early draft.


I. Limited Scope of “Important Data”

According to the Data Security Law and the Measures for Data Export Security Assessment (the “Data Export Measures”), export of “important data” shall be more heavily regulated than export of ordinary data. But neither the Data Security Law nor the Data Export Measures sets out a clear definition or scope of “important data”, which caused concern among data processors as to how to judge whether the data they are processing will be treated as important data and how to avoid compliance risk.

 

The New Measures reiterate the position taken in the early draft that, where data has not been notified or publicly announced by the relevant authority as “important data”, the processor is not required to apply for a data export security assessment.

 

However, the New Measures require data processors to identify important data, an obligation that was not included in the early draft. Therefore, attention shall be drawn to the new national standard on the identification of important data, which was released just one day earlier, namely Data Security Technology-Rules on Data Categorization and Classification (GB/T43697-2024).


II. From 10,000 to 100,000

The most important change in the final version of the New Measures is the further eased requirement for personal information export security assessment.

 

According to the draft of the New Measures, if the personal information of no more than 10,000 persons is estimated to be exported within one year, there is no need to conduct the security assessment, enter into a standard contract or pass the personal information protection certification.

 

However, in the official version of the New Measures, if a data processor other than a CIIO exports the personal information of no more than 100,000 persons since 1 January of each year, then there is no need to conduct the security assessment, enter into a standard contract or pass the personal information protection certification. As most data processors do not fall into the scope of CIIO, the final version of the New Measures has actually further eased the regulation on export of personal information.

 

III. Adjusted Standards for Data Export Security Assessment

Accordingly, the New Measures modified the standards for data export security assessment. The following chart sets out the comparison between the old and new standards.

Data Export Measures

In case of any of the following situations, the data processor shall conduct data export security assessment before the data export.

(1) where the data processor provides important data overseas;

(2) where the data processor is a CIIO or a data processor that processes personal information of at least 1,000,000 individuals;

(3) where the data processor has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals overseas on a cumulative basis since 1 January of the previous year; and

(4) where the data processor falls under any of the other circumstances stipulated by the state cyberspace administration where a data export security assessment needs to be applied for.

New Measures

(1) CIIO exports personal information or important data;

(2) Processor other than CIIO exports important data or non-sensitive personal information of more than 1,000,000 individuals or sensitive personal information of more than 10,000 individuals on a cumulative basis since 1 January of current year.

 

Under the new standards, the quantity of personal information processed by a data processor no longer matters. The new standards simply focus on the quantity of personal information that has been exported, and the threshold has been raised from 100,000 to 1,000,000. Those who export non-sensitive personal information of more than 100,000 individuals but less than 1,000,000 individuals shall execute a standard contract or pass the personal information protection certification.

 

CIIOs and export of “important data” will still be heavily regulated. However, CAC clearly mentioned that a data processor will not be treated as a CIIO unless it is notified by the relevant authority that it is a CIIO.


IV. Special Treatments for FTZs

The final version of the New Measures allows Free Trade Zones (FTZs) to produce their own negative lists of data export. Once such a negative list is approved by the provincial cyber security administration, all processors located in that FTZ can freely export any data without applying for a data export security assessment, executing a standard contract or passing the personal information protection certification, so long as such data does not fall within the scope of the negative list.

 

The special treatment for FTZs was not included in the early draft.


V. Other Exemptions

The final version of the New Measures maintained its position that data generated from international trading, academic cooperation, overseas manufacturing and marketing activities is not required to pass the security assessment, enter into the standard contract or pass the personal information protection certification, so long as the data exported does not contain important data or personal information.

 

Also, as in the early draft, the New Measures exempt the following from the obligations to pass the security assessment, execute a standard contract or pass the personal information protection certification: (1) export of personal information necessary to sign and perform a contract to which the personal information subject is a party, such as cross-border shopping, cross-border remittance, booking of hotels and air tickets and application for visas; (2) export of employees’ personal information in accordance with the company’s duly established employment regulations and collective employment contract for the purpose of human resources management; and (3) export of personal information to protect the safety, health and property rights in urgent situations.

 

Finally, the New Measures exempt the export of personal information which was originally collected abroad and processed within China, so long as no domestic personal information or important data is mixed in during the processing in China.


VI. Summary

Therefore, the data export regulations in China after the enactment of the New Measures can be roughly summarized as follows.

Free Export (No Special Requirement)

(1) Ordinary data without important data or personal information.

(2) Mere processing of overseas personal information.

(3) Ordinary cross-border individual commercial activities.

(4) Employment management.

(5) Urgent situation.

(6) Non-sensitive personal information less than 100,000 per year.

(7) Export by FTZ processors of non-negative list data.

Middle Level Regulation (Standard Contract or Protection Certification)

(1) Export of non-sensitive personal information of more than 100,000 individuals but less than 1,000,000 individuals.

(2) Export of sensitive personal information of less than 10,000 individuals.

Heavy Regulation (Data Export Security Assessment)

(1) Export of important data.

(2) Export of any personal information by CIIO.

(3) Export of non-sensitive personal information of more than 1,000,000 individuals by non-CIIO.

(4) Export of sensitive personal information of more than 10,000 individuals by non-CIIO.