The Cyberspace Administration of China (CAC) has released draft provisions which will relax the current requirements on cross-border data transfers. The draft provisions set out exemptions from the need to comply with one of the three transfer mechanisms that would otherwise be required, namely: (i) CAC assessment; (ii) China’s standard contract or China standard contractual clauses (China SCCs); or (iii) certification. The consultation period for the draft provisions will end on 15 October 2023.
The draft provisions will immediately impact the ongoing signing and filing of the China SCCs currently being undertaken by most organisations which do not need to go through the mandatory CAC security assessment. Given that the deadline for filing the China SCCs for existing cross-border data transfers is 30 November 2023, it is anticipated that the draft provisions are intended to take effect before then. This would relieve numerous organisations from having to file the China SCCs with CAC within the next two months.
A. Exemptions from cross-border data transfer mechanisms
Under the draft provisions, none of the three mechanisms would be needed for the following cross-border data transfer scenarios:
1. Data generated in activities such as international trade, academic cooperation, cross-border manufacturing and marketing activities where the data does not contain personal information or important data.
2. Personal information which is not collected within the country and is provided overseas. This means that personal information imported into China for processing and later exported after being processed will not be subject to the cross-border transfer mechanisms.
3. Personal information which is required to be provided overseas in any of the following circumstances:
   - For the purpose of entering into and performing a contract to which the individual is a party, such as for cross-border shopping, cross-border remittances, air ticket and hotel reservations or visa processing.
   - To implement human resources management in accordance with labour rules and regulations or any collective contract signed in accordance with the law.
   - To protect the life, health and property safety of natural persons in emergencies.
4. Personal information of less than 10,000 individuals which is expected to be provided overseas within one year.
The situations in scenario 3 above are included in the Personal Information Protection Law as exceptions to the requirement to obtain consent for processing personal information. The draft provisions extend their application as exceptions to the cross-border transfer mechanisms in Article 38. Difficulties may still arise in practice in proving that the relevant cross-border transfer of personal information qualifies under one of these exceptions.
If the exemption in scenario 4 above comes into effect as currently drafted, it will have a substantial impact on the compliance measures needed for most MNCs.
B. Exemptions from mandatory security assessment
Where a data processor expects to provide the personal information of more than 10,000 but fewer than 1 million individuals overseas within one year, the mandatory security assessment is waived; it will only need to enter into the China SCCs and file them with the local regulator, or obtain the personal information protection certification.
The CAC security assessment will still be required if the number of individuals whose personal information is transferred exceeds 1 million within one year.
Further, for important data for which the cross-border data transfer is subject to the mandatory security assessment, the draft provisions clarify that security assessment is not applicable to data which has not been notified by relevant departments or regions, nor been publicly released, as important data. This implies that important data will be notified by the relevant regulators and/or included in publicly released important data categories, which eases concerns around the ambiguity of the scope of important data.
Free trade pilot zone negative lists
Free trade pilot zones will have the authority to formulate their own data lists (referred to as negative lists) which will need to comply with the cross-border data transfer mechanisms. If a data processor exports data which is not on the negative lists, such data transfer is not required to adopt any of the cross-border data transfer mechanisms.
No exemptions for critical information infrastructure operators
The exemptions are not applicable to critical information infrastructure operators, which will still be required to follow the existing relevant laws, administrative regulations, and departmental rules when they provide personal information and important data overseas. Critical information infrastructure operators are those which have been or will be determined and notified by the relevant regulators.
Security protection measures remain an important concern for organisations
Data processors that provide important data and personal information overseas must fulfil their data security protection obligations and ensure the security of the data exported. If a data export security incident occurs or the data export security risk is found to have increased, they are required to take remedial measures and make a timely report to CAC.
Implications for compliance
The provisions are still in draft and may be subject to change before they are officially adopted. The deadline for comments is 15 October 2023.
For organisations which are in the process of preparing the China SCCs filings, the draft provisions are expected to be enacted before 30 November 2023 but there is uncertainty on the timeline.
It is worth noting that the provisions will not eliminate the other requirements on cross-border data transfer such as the requirements to obtain consent from individuals and to conduct a personal information protection impact assessment (ie self-assessment using the template issued by CAC) under the Personal Information Protection Law.