China’s Cybersecurity Law, Data Security Law and Personal Information Protection Law lay down three legal mechanisms for cross-border data transfers out of China (CBDT), including regulator-led security assessment, Chinese SCC and certification. The Cyberspace Administration of China (CAC) has issued multiple regulations providing detailed requirements on how to implement the CBDT legal mechanisms. In practice, the comprehensive extent of documents and information expected and the long timescale required to complete the CAC approval or filing have presented compliance challenges for MNCs and their operations in China.
On 28 September 2023, CAC released the draft Provisions on Regulating and Promoting Cross-border Data Flows (CBDT Regulations), which garnered widespread attention domestically and internationally. After several months, the CBDT Regulations were finally enacted on 22 March 2024, with immediate effect. The finalised CBDT Regulations keep most of the relaxations provided in the consultation draft and introduce some further provisions. The CBDT Regulations will prevail over existing CBDT rules or guidelines governing the security assessment, Chinese SCC and certification, in case of any discrepancies.
The CBDT Regulations convey a positive message aimed at alleviating the compliance burden associated with cross-border data transfers, consequently stimulating foreign investment in China. This article outlines the key highlights of the CBDT Regulations and implications for MNCs operating in China.
Exempted transfer scenarios
Under the CBDT Regulations, a company does not have to go through any of the CAC-led security assessments, Chinese SCC or certification in the following three scenarios:
- Where the outward data transfer is necessary for signing or performing a contract; for example, cross-border shopping, cross-border courier services, cross-border payment, cross-border account opening, hotel/air ticket booking, visa application or examination services to which an individual is a party.
- Where the outbound transfer of personal information is necessary to safeguard an individual’s life, health or property in the event of an emergency.
- Where the outbound transfer of employee data is necessary for the cross-border HR management purpose according to the applicable internal labour rules and a collective contract entered into with the employees. As provided by China’s Employment Contract Law, the employee handbook as well as its amendments must be adopted through a democratic consultation with the employees.
The exemption, particularly regarding employee data transfers, represents a significant relaxation of the CBDT regulatory requirements. Previously, under prevailing regulations governing security assessment and Chinese SCC for outward data transfers, if the volume of employee data reaches the thresholds (10,000 individuals for sensitive personal information or 100,000 individuals for general personal information), the company must submit to CAC for security assessment. Now, under the CBDT Regulations, employee data transfers are exempted from all three CBDT legal mechanisms, irrespective of data volume, provided that companies meet the aforesaid legal criteria.
However, it is worth noting that the exemptions do not seem to cover candidate data, and there remains ambiguity as to whether sensitive employee data such as bank account information or health data can be transferred abroad without triggering the CBDT legal mechanisms, as well as whether secondees are covered in the exemptions allowed under the CBDT Regulations. It is anticipated that CAC or industry regulators may issue further guidelines to provide guidance or clarification.
Exempted data volume
The CBDT Regulations outline three important thresholds concerning outbound data transfer: 10,000, 100,000 and 1 million individuals.
Under the CBDT Regulations, these thresholds entail the following implications:
- For outward transfers of non-sensitive personal information of less than 100,000 individuals from 1 January of the current year, no CBDT legal mechanism will apply.
- Outward transfers of personal information ranging between 100,000 and 1 million individuals or sensitive personal information of fewer than 10,000 individuals from 1 January of the current year are subject to the SCC filing or certification, rather than a CAC-led security assessment.
- Outward transfers of important data and personal information exceeding 1 million individuals or sensitive personal information exceeding 10,000 individuals from 1 January of the current year necessitate a security assessment.
It is important to note that these relaxed thresholds only apply to data handlers who are NOT classified as critical infrastructure information (CII) operators. The CII designation will be determined by regulators, so a data handler can assume it is not a CII operator unless notified otherwise.
Relaxations at free-trade zones
Pursuant to the CBDT Regulations, each free-trade zone (FTZ) in China can establish a negative list of cross-border data transfers subject to CBDT legal mechanisms. Such a negative list must be approved by the local provincial CAC and filed with both the central CAC and the National Data Bureau. Data transfers beyond the negative list are not required to go through the CBDT legal mechanisms, which appears to be in line with the proposal outlined in the 24-point opinions issued by the State Council in August 2023. Furthermore, on 19 March 2024, China’s State Council issued the Action Plan to Solidly Promote High-level Opening Up and Make Greater Efforts to Attract and Utilize Foreign Investment, further supporting secure data flows between the headquarters of MNCs and their Chinese subsidiaries and encouraging research and development, production and sales by MNCs.
The negative list under the CBDT Regulations showcases the stance taken by China’s central government on facilitating cross-border data transfer. The FTZs in Shanghai, Beijing and Tianjin have formulated local regulations on relaxed requirements for cross-border data transfer by companies within their region. We believe that after the implementation of the CBDT Regulations, more FTZs will introduce relaxed policies to further promote international data flows.
Other notable aspects
The CBDT Regulations address other noteworthy aspects. For example, data handlers no longer need to apply for security assessment for the outbound transfer of important data unless the exported data has been expressly notified, identified or publicly announced as important data by relevant regulators. However, the CBDT Regulations still mandate companies to take self-regulating compliance steps by performing proper data mapping and identifying and reporting important data in accordance with relevant regulations. To date, the identification of important data and its formulation into a catalogue are still at the preliminary stage. The implementation of the CBDT Regulations will assist in improving important data management systems.
Despite the relaxed requirements noted above, the CBDT Regulations emphasize a full life cycle of data compliance. The CBDT Regulations do not exempt companies from their obligations to notify the data subjects, obtain separate consent, conduct self-assessment and ensure data security, in accordance with applicable laws and regulations. It is essential to note that the routine data compliance work remains unchanged despite the CBDT Regulations.
Compliance suggestions
Data is increasingly pivotal in driving high-quality development of the digital economy. Standardising and promoting cross-border data transfers are crucial for the rapid development of China’s digital economy. Compared to the current cross-border data transfer regime, the CBDT Regulations significantly ease the regulatory requirements and the mandatory governmental approval or review procedures for cross-border data flows, so will be much applauded by international and Chinese business organisations.
Below are our key takeaways for companies to consider from a practical perspective:
- MNCs are recommended to conduct a comprehensive data mapping exercise to align with the updated requirements set out in the CBDT Regulations. It would be beneficial to have an accurate understanding of the provisions of the CBDT Regulations and conduct a proper analysis of whether the company’s specific transfer scenarios will fall within the application scope of the relaxed CBDT Regulations, based on which the company should formulate and update its cross-border data transfer strategies. For example, if a previous security assessment submitted to CAC was partially or wholly rejected, the company may explore using SCC filing or certification to effectuate the data transfer, as it is now permitted by the CBDT Regulations. Where the CBDT legal mechanisms can be exempted under the CBDT Regulations, the company can decide whether to withdraw the security assessment or SCC filing applications, if already submitted.
- If any of the CBDT legal mechanisms still apply, MNCs should promptly take compliance measures for cross-border data transfer, including but not limited to preparing the necessary documentation and initiating the applicable governmental approval or filing process, if not yet done. Failure to do so will pose compliance risks for companies AND personal liabilities for the senior executives.
- To mitigate the risk, MNCs are advised to review and update existing data protection policy documents, privacy notices, consents, employee handbooks and labour contract templates to confirm that relevant legal documents contain all necessary provisions on the cross-border transfer of employee data, and also ensure the employee handbooks have been correctly adopted through the democratic consultation process as required under relevant Chinese labour rules.
- Data protection and network security efforts should be integrated into the company's daily operations, rather than treated as one-time endeavours. It is important to enhance employees’ compliance and risk prevention awareness through regular compliance training.
- According to the CBDT Regulations, FTZs will enjoy greater flexibility in relation to cross-border data transfer. Companies located in FTZs should keep a close watch on the negative list to be issued by their respective FTZs to take full advantage of the privileged policies contemplated in the CBDT Regulations.
We will continue to monitor the implementation of the CBDT Regulations going forward. If you require any assistance with the above, please do not hesitate to get in touch.
In-depth 2024-064
