/ 2 min read / Reed Smith Client Alerts

CAC issues draft of Provisions on Regulating and Promoting Transborder Data Flow for comments

Authors

Vivien Li, Barbara Li, Amy Yin

Key takeaways

  • On 28 September 2023, the Cyberspace Administration of China (CAC) released the Provisions on Regulating and Promoting Transborder Data Flow (Draft Provisions) to solicit public opinions by 15 October 2023.
  • Once they are finalized and come into effect, the Draft Provisions will undoubtedly have a significant impact on cross-border data transfer and the compliance burden can be relaxed for MNCs and their operations in China. It is therefore important to keep a close watch on the regulatory developments moving forward.

On 28 September 2023, the Cyberspace Administration of China (CAC) released the Provisions on Regulating and Promoting Transborder Data Flow (Draft Provisions) to solicit public opinions by 15 October 2023.

Circumstances that will not be subject to security assessment by CAC, conclusion of China SCC or certification for the protection of personal information (Certification)

Once finalised, and assuming it is implemented in its current form, the Draft Provisions would appear to be a positive development for MNCs and their business operations in China. According to the Draft Provisions, the following forms of cross-border data transfer will not be subject to security assessment, China SCC or Certification:

  1. Outbound transfer of data generated in international trade, academic collaboration, multinational manufacturing or marketing activities, provided that the data does not contain personal information or important data.
  2. Outbound transfer of personal information that is not collected or generated in China.
  3. Outbound transfer of personal information that is necessary for the conclusion or performance of a contract to which the individual is a party, such as cross-border e-commerce, fund remittance, ticket and hotel booking, visa application, etc.
  4. Outbound transfer of personal information that is necessary for human resource management under applicable labour rules and regulations and a collective contract entered into in accordance with the law.
  5. Outbound transfer of personal information that is necessary to safeguard an individual’s life, health or property in the event of an emergency.
  6. Where it is expected that personal information of fewer than 10,000 individuals will be transferred overseas within a year; however, it is not crystal clear as to whether this refers to a calendar year or any continuous period of 12 months. Also, the cross-border data transfer must be subject to the consent of the data subjects in the event that the personal information is collected and processed on the basis of their consent.
  7. Outbound transfer of data falling outside the scope of the negative list to be formulated by the free trade zones and filed with CAC. The cross-border transfer of data within the scope of such negative list will be subject to approval by the provincial CAC and filing with CAC.

Items 4 and 6 above, in particular, will have significant implications for the transfer of personal data between Chinese entities and their overseas affiliates for the purpose of HR management, and for data handlers that transfer limited amounts of personal data abroad. As the draft is still at the stage of soliciting public comments, it is not clear if these provisions will remain unchanged in the finalised version.

Important data

According to the Draft Provisions, a data handler is not required to apply for security assessment for the outbound transfer of important data if the data does not fall into a category that has been expressly notified, identified or publicly announced as an important data category by the relevant department or region.

Based on this provision, data handlers will not need to assess whether they are transferring or processing important data.

Security assessment

The Draft Provisions also stipulates that if the volume of cross-border data transfers within a year relates to more than 10,000 but fewer than 1 million individuals, the data handler is not required to go through security assessment by CAC, provided that it has concluded and filed the China SCC or obtained Certification. However, for the outbound transfer of the personal information of 1 million individuals or more, security assessment by CAC is required.

We note that the thresholds in the Draft Provisions only refer to personal information; it remains to be seen if sensitive personal information will be addressed in the finalised version.

Practical considerations and next steps

The Draft Provisions will undoubtedly have a significant impact on personal information handlers that are either proceeding with one of the three approaches for the outbound transfer of data or taking a wait-and-see approach. However, as the Draft Provisions has not yet come into effect, we suggest that personal information processors continue to pursue the approach applicable to the outbound transfer of data in accordance with the relevant measures already in place (in particular, the Measures for the Standard Contract for the Outbound Transfer of Personal Information), to ensure compliance by the end of November 2023 when the six-month grace period expires.

Client Alert 2023-221

Related Insights

Our insights