CAC Revises Cross-Border Data Transfer Measures To Facilitate Data Export From Mainland China



On 22 March 2024, the Cyberspace Administration of China
(CAC) officially enacted the long-awaited Provisions on
Facilitating and Regulating Cross-border Data Flows (Provisions),
which became effective on the same date. The Provisions relax the
data export requirements by introducing modifications and exemptions
to the three mechanisms for cross-border data transfer, namely
(i) CAC security assessment; (ii) China’s standard contract for
outbound cross-border transfer of personal information (Standard
Contract); and (iii) personal information protection certification
(Certification) (collectively, Cross-border Data Transfer
Mechanisms). A draft of the Provisions was released on 28 September
2023 for public consultation. Please refer to our previous article,
China relaxes measures on cross-border data transfers from China |
Data notes (hsfnotes.com).

1. Exemptions from cross-border data transfer mechanisms

A data transferor in mainland China is no longer required to
adopt any of the Cross-border Data Transfer Mechanisms in the
following scenarios:

  1. Data generated in activities such as international trade,
    cross-border transportation, academic cooperation, cross-border
    manufacturing and marketing where the data does not contain
    personal information or important data.

  2. Personal information which is not collected within mainland
    China and remains separate from personal information or important
    data originated from mainland China. This refers to export of
    personal information which has been imported into mainland China
    for processing.

  3. Personal information (including sensitive personal information)
    which is required to be provided outside of mainland China in any
    of the following circumstances (Exempted Circumstances):

    1. for the purpose of entering into and performing a contract to
      which the individual is a party, such as for cross-border shopping,
      cross-border delivery, cross-border remittance, cross-border
      payment, cross-border account opening, air ticket and hotel
      reservation, visa processing, examination services, etc.;

    2. to implement cross-border human resources management in
      accordance with labour rules and regulations and any collective
      contract signed in accordance with the law; or

    3. to protect the life, health and property safety of natural
      persons in emergency situations.


  4. Personal information (excluding sensitive personal information)
    of fewer than 100,000 individuals which has cumulatively been
    transferred outside of mainland China since 1st January of that
    year by a data transferor which is not a critical information
    infrastructure operator (CIIO).

2. Changes to the thresholds for cross-border data transfer mechanisms

Compared with the existing thresholds for the three Cross-border
Data Transfer Mechanisms, the main changes are in:

  1. the amount thresholds of personal information for non-CIIO data
    transferors; and

  2. the Exempted Circumstances applicable to personal information and
    to all types of data transferors including CIIOs.

A CAC security assessment is still required for export of
important data, and unless any of the Exempted Circumstances is
applicable, a CAC security assessment is still required for
cross-border transfers of personal information by CIIOs.

The Exempted Circumstances are not applicable to important data
but only personal information (including sensitive personal
information). The personal information and sensitive personal
information transferred under the Exempted Circumstances could be
excluded from the calculation of the amount thresholds of personal
information for non-CIIO data transferors.

The Provisions further clarify that:

  1. where a non-CIIO data transferor cumulatively provides outside
    of mainland China the personal information (excluding sensitive
    personal information) of 100,000 or more individuals but fewer than
    1,000,000 individuals since 1st January of that year, either the
    Standard Contract or the Certification can be adopted; and

  2. where a non-CIIO data transferor cumulatively provides outside
    of mainland China the personal information (excluding sensitive
    personal information) of 1,000,000 or more individuals since 1st
    January of that year, the CAC security assessment must be
    adopted.

The Provisions emphasise the protection of sensitive personal
information:

  1. where a non-CIIO data transferor cumulatively provides outside
    of mainland China the sensitive personal information of fewer than
    10,000 individuals since 1st January of that year, either the
    Standard Contract or the Certification can be adopted; and

  2. where a non-CIIO data transferor cumulatively provides outside
    of mainland China the sensitive personal information of 10,000 or
    more individuals since 1st January of that year, the CAC security
    assessment must be adopted.

3. Applicable cross-border data transfer mechanisms

We have summarised the applicable Cross-border Data Transfer
Mechanism(s) and the relevant circumstances in the table below.

Applicable Cross-border Data Transfer Mechanism(s) | Circumstances

CAC security assessment

  • Export of important data

  • Export of personal information (including sensitive personal
    information) by a CIIO, unless any of the Exempted Circumstances
    applies

  • Export of sensitive personal information of 10,000 or more
    individuals or personal information of 1,000,000 or more
    individuals since 1st January of that year (for the
    purpose of calculating the amount thresholds, the personal
    information/sensitive personal information provided under any of
    the Exempted Circumstances shall be excluded)

Standard Contract or Certification

  • Export of sensitive personal information of fewer than 10,000
    individuals or personal information of 100,000 or more (but fewer
    than one million) individuals since 1st January of that year (for
    the purpose of calculating the amount thresholds, the personal
    information/sensitive personal information provided under any of
    the Exempted Circumstances shall be excluded)

None of the Cross-border Data Transfer Mechanisms is required

  • Export of personal information (excluding sensitive personal
    information) of fewer than 100,000 individuals since 1st
    January of that year

  • Export of personal information (including sensitive personal
    information) under any of the Exempted Circumstances

4. Extension of validity period of CAC security assessment

Under the Provisions, the validity period of the results of a
CAC security assessment has been extended to three years
(originally two years provided for under the Measures for the
Security Assessment of Outbound Data Transfers), calculated
from the date of issuance of the assessment results.

If the validity period expires and there is no change in any of
the circumstances requiring a new application to the CAC for a new
assessment, the data transferor can submit an application to extend
the validity period of the assessment results for 3 years within 60
working days before the expiry of the validity period.

5. Other data protection requirements

Data transferors that export personal information outside of
mainland China must still fulfil other data protection obligations
including obtaining separate consent from the data subjects and
conducting the personal information protection impact
assessment.

As a general requirement, data processors are required to
implement technical and other measures to ensure data security. In
the event of a data security incident, data processors are required
to take measures to mitigate the consequences and notify competent
authorities of the incident.

6. Updated guidelines for cross-border data transfer mechanisms

The CAC has also issued the updated Guide to Applications
for Security Assessment of Outbound Data Transfers (Second
Edition) and Guidelines for Filing the Standard Contract
for Outbound Cross-Border Transfer of Personal Information (Second
Edition). Among other things, the template of the personal
information protection impact assessment report has been
substantially simplified.

An online data export declaration portal has been created for
online submission of applications for the CAC security assessment
and Standard Contract filing. The website is at https://sjcj.cac.gov.cn. A data transferor
which has already submitted an application to the CAC in paper form
is not required to resubmit its application through the online
portal. The offline paper form channel will continue to be
available to CIIOs or in other scenarios where the online portal is
not applicable.

7. Determination of important data and CIIOs

The Q&A session of the Provisions has further clarified how
to identify important data and CIIOs. Such clarification has
substantial impact on compliance.

Data which has not been identified or publicly released as
important data by the relevant regulator within a sector or region
is not important data and thus not subject to the CAC security
assessment.

The relevant regulators of important sectors and fields are
responsible for formulating guidelines on how to identify critical
information infrastructure in their respective sectors and fields
and notifying the CIIOs of the same.

8. Treatment of pending applications

For data transfers which have not passed or have partially
passed the CAC security assessment before the implementation of the
Provisions and which are now exempted from the CAC security
assessment according to new rules, the data transferor can legally
transfer personal information outside of mainland China by adopting
other Cross-border Data Transfer Mechanisms, i.e. the Standard
Contract or Certification.

As for applications to the CAC for security assessment or
Standard Contract filing which have been submitted before the
implementation of the Provisions and which are now exempted from
adopting any of the Cross-border Data Transfer Mechanisms pursuant
to the new rules, the data transferor has the option of either
proceeding with or withdrawing its application.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
