On 28 September 2023, the Cyberspace Administration of China (CAC) released the draft Provisions on Regulating and Promoting Transborder Data Flow for comments, with the aim of easing regulatory requirements for cross-border data transfers and enhancing the business environment. Within the draft provisions, the free trade zones (FTZs) are empowered to formulate and adopt local preferential policies for companies within their respective jurisdictions.
Recent, significant developments in the FTZs of Shanghai, Beijing and Tianjin have positioned them at the forefront in China in this regard. This client alert summarises the key points of these new local developments and discusses what practical steps companies can take in response to the changes.
Shanghai
On 8 February 2024, the Shanghai Lingang FTZ issued the Provisional Measures for Administering Classification and Grading of Cross-Border Data Transfer (Lingang Measures), with a valid term of one year from 8 February 2024 to 7 February 2025. The full text of the Lingang Measures was not made public until 18 February. According to the Lingang Measures, the Shanghai Lingang FTZ will classify data into three categories and undertake corresponding measures:
- Core data (prohibited from being transferred out of China).
- Important data (can be transferred after a security assessment). The Shanghai Lingang FTZ will formulate a catalogue of important data, the cross-border transfer of which will be submitted to the Shanghai Lingang Cross-border Data Transfer Service Center for security assessment.
- General data (freely transferable if relevant requirements are met). The Shanghai Lingang FTZ will formulate a catalogue of general data, without prejudice to national security, public interest and personal privacy. The catalogue will be updated by the Shanghai Lingang FTZ from time to time. Companies processing general data must file with the regulator so that they can transfer such general data freely, subject to the relevant conditions.
In addition to the above, it seems that the Shanghai Lingang FTZ will also formulate a catalogue of data subject to security assessment, SCC filing or security certification, subject to the approval of the CAC at the Shanghai municipal level.
According to recent regulations in China, core data and important data should be properly identified. In practice, organisations can consider the data they handle as non-core or non-important unless notified otherwise by the regulators.
The Shanghai Lingang FTZ intends to offer further clarity, aiming to finalise the categories of important data and general data by March 2024. Priority sectors such as transportation, finance, shipping and biotech/pharma have been identified. Key business activities highlighted include product R&D for automobiles, market intelligence sharing, internal data management for financial services, and clinical trials and pharmacovigilance in the biotech/pharma field.
In addition to the above, Shanghai released a circular on 3 February 2024 (Shanghai Circular), to align with internationally recognised economic and trade regulations and promote the further opening up of the Shanghai FTZ.
The Shanghai Circular explicitly allows financial institutions to transfer financial data for daily operational purposes, with the caveat that the transfer must follow the security assessment mechanism under China’s national regulations. Local governmental agencies from the CAC, the Ministry of Public Security, the People’s Bank of China and industry regulators will work together to facilitate data transfers by financial institutions. The Shanghai Circular also mandates the establishment of a service centre in the Lingang Area to facilitate cross-border data transfers.
Furthermore, the Shanghai Circular states that a data sharing mechanism will be established to promote data-related innovations, including novel uses of big data, under the supervision of the Shanghai Data Bureau.
Beijing
In Beijing, a cross-border data transfer service centre was recently established at the Beijing FTZ by the Daxing International Airport Economic Zone Management Committee. The Beijing centre, which is the Beijing FTZ’s public service platform to provide data security and governance, aims to facilitate cross-border data flow. Beijing is also enhancing international cooperation in the field of digital technology and promoting cross-border data transfers by establishing an international information industry and digital trade hub.
The Beijing Bureau of the CAC has been spearheading the promotion of cross-border data transfers, as evidenced by its granting the first-ever security assessment approval, and completing the first-ever SCC filing, within the entire country. More specific rules governing the Beijing FTZ are currently being drafted and we will keep you posted.
Tianjin
On 7 February 2024, Tianjin issued the Enterprise Data Classification and Grading Standards and Specifications for Companies in the Tianjin Pilot Free Trade Zone (Tianjin Specifications).
The Tianjin Specifications apply to the classification and grading of data generated, collected, stored, transmitted and processed by companies based in the Tianjin FTZ during their production and operation processes.
The Tianjin Specifications divide data into three categories: core data, important data and general data. From an industry perspective, the Tianjin Specifications highlight 13 sectors: strategic materials and commodities; natural resources and the environment; industry; defence science and technology; telecommunications; radio, television and audio media; finance; transportation; health care; food and medicine; public safety; internet services and e-commerce; science and technology; and others. Each sector is further divided into several sub-categories. Guidance is provided under each of these industry designations to help businesses assess and classify their data.
The Tianjin Specifications emphasise that, in most cases, data affecting only business organisations or individuals will not be considered important data.
In a notable breakthrough, the Tianjin Specifications provide that the following personal information will be deemed important data if it meets certain thresholds: the personal information of over 10 million individuals, the sensitive personal information of over one million individuals or the personal bank/insurance account information and other personally identifiable information of over 100,000 individuals. These thresholds are 10 times higher than those set under China’s Personal Information Protection Law and other applicable legislation.
Compliance suggestions
The recent strides in Shanghai, Beijing and Tianjin underscore the pivotal importance of this period, in which China is exploring solutions to effectively balance the promotion of the digital economy with the need to address data security concerns. The most recent regulatory developments in the realms of data protection and privacy serve as a clarion call for business organisations to take advantage of the new, favourable policies while fortifying their compliance efforts. While Shanghai, Beijing and Tianjin lead the charge, it is anticipated that other FTZs in China will swiftly follow suit.
The hotly anticipated comprehensive catalogue of general data, akin to a coveted “white list” for outbound data transfers, could prove transformative. By potentially slashing compliance costs and streamlining operations for international businesses in China, this initiative signals a seismic shift in the compliance landscape. To navigate this terrain effectively and with confidence, we suggest that companies consider the following compliance measures:
- Conduct comprehensive data mapping: Companies must embark on a thorough voyage of data mapping, charting the intricate flow of data within their operations. By meticulously cataloguing data categories, establishing the status of cross-border data transfers, scrutinising IT systems, fortifying security protocols, and collating other requisite information in the prescribed form, organisations can lay a firm foundation in ensuring the robustness of their compliance measures.
- Implement dynamic data assessment: The exigencies of compliance demand a proactive stance. Companies must engage in regular assessments of their catalogues of core data, important data and general data, ensuring alignment with evolving regulatory benchmarks. It is essential to monitor major changes to business scenarios and plan data processing activities accordingly.
- Adopt and document compliance measures: Companies must take the requisite measures to remain compliant with the applicable Chinese data laws and regulations. They must establish robust data protection policies and protocols, regularly review and update contracts, conduct compliance training, and perform data breach drills.
- Be prepared for regulatory changes: The regulatory landscape governing data in China is characterised by rapid evolution. Business organisations are strongly advised to closely monitor developments in legislation and enforcement related to data protection and security in China. Preparing for necessary compliance measures in advance will be instrumental in maintaining compliance with the evolving regulations.
Client Alert 2024-042