Reed Smith In-depth

Key takeaways

  • China’s long-awaited regulations issued on 22 March 2024 to relax cross-border data transfers, with immediate effect
  • Significant business implications for MNCs and their business operations in China
  • Crucial to analyse the impacts of these regulations, review and update data strategies for China operations, and design and implement actions to take advantage of relaxed transfers

China’s Cybersecurity Law, Data Security Law and Personal Information Protection Law lay down three legal mechanisms for cross-border data transfers out of China (CBDT), including regulator-led security assessment, Chinese SCC and certification. The Cyberspace Administration of China (CAC) has issued multiple regulations providing detailed requirements on how to implement the CBDT legal mechanisms. In practice, the comprehensive extent of documents and information expected and the long timescale required to complete the CAC approval or filing have presented compliance challenges for MNCs and their operations in China.

On 28 September 2023, CAC released the draft Provisions on Regulating and Promoting Cross-border Data Flows (CBDT Regulations), which garnered widespread attention domestically and internationally. After several months, the CBDT Regulations were finally enacted on 22 March 2024, with immediate effect. The finalised CBDT Regulations keep most of the relaxations provided in the consultation draft and introduce some further provisions. The CBDT Regulations will prevail over existing CBDT rules or guidelines governing the security assessment, Chinese SCC and certification, in case of any discrepancies.

The CBDT Regulations convey a positive message aimed at alleviating the compliance burden associated with cross-border data transfers, consequently stimulating foreign investment in China. This article outlines the key highlights of the CBDT Regulations and implications for MNCs operating in China.

Exempted transfer scenarios

Under the CBDT Regulations, a company does not have to go through any of the CAC-led security assessments, Chinese SCC or certification in the following three scenarios:

  • Where the outward data transfer is necessary for signing or performing a contract; for example, cross-border shopping, cross-border courier services, cross-border payment, cross-border account opening, hotel/air ticket booking, visa application or examination services to which an individual is a party.