- On 28 September 2023, the Cyberspace Administration of China (CAC) released the Provisions on Regulating and Promoting Transborder Data Flow (Draft Provisions) to solicit public opinions by 15 October 2023.
- Once they are finalized and come into effect, the Draft Provisions will undoubtedly have a significant impact on cross-border data transfer and the compliance burden can be relaxed for MNCs and their operations in China. It is therefore important to keep a close watch on the regulatory developments moving forward.
On 28 September 2023, the Cyberspace Administration of China (CAC) released the Provisions on Regulating and Promoting Transborder Data Flow (Draft Provisions) to solicit public opinions by 15 October 2023.
Circumstances that will not be subject to security assessment by CAC, conclusion of China SCC or certification for the protection of personal information (Certification)
Once finalised, and assuming it is implemented in its current form, the Draft Provisions would appear to be a positive development for MNCs and their business operations in China. According to the Draft Provisions, the following forms of cross-border data transfer will not be subject to security assessment, China SCC or Certification:
- Outbound transfer of data generated in international trade, academic collaboration, multinational manufacturing or marketing activities, provided that the data does not contain personal information or important data.
- Outbound transfer of personal information that is not collected or generated in China.
- Outbound transfer of personal information that is necessary for the conclusion or performance of a contract to which the individual is a party, such as cross-border e-commerce, fund remittance, ticket and hotel booking, visa application, etc.
- Outbound transfer of personal information that is necessary for human resource management under applicable labour rules and regulations and a collective contract entered into in accordance with the law.
- Outbound transfer of personal information that is necessary to safeguard an individual’s life, health or property in the event of an emergency.
- Where it is expected that personal information of fewer than 10,000 individuals will be transferred overseas within a year; however, it is not crystal clear as to whether this refers to a calendar year or any continuous period of 12 months. Also, the cross-border data transfer must be subject to the consent of the data subjects in the event that the personal information is collected and processed on the basis of their consent.
- Outbound transfer of data falling outside the scope of the negative list to be formulated by the free trade zones and filed with CAC. The cross-border transfer of data within the scope of such negative list will be subject to approval by the provincial CAC and filing with CAC.