On the eve of the "Golden Week" in China, the Cyberspace Administration of China (CAC) published the draft Provisions on Regulating and Promoting Cross-Border Data Transfers (the "Draft Provisions") on 28 September 2023.[1]
The Draft Provisions provide a welcome partial rollback of the onerous cross-border data transfer regime first introduced by the Personal Information Protection Law (PIPL) in November 2021,[2] and seem to address concerns raised by many companies operating in the People's Republic of China (PRC) that compliance with the cross-border data transfer requirements was very difficult to achieve.
Under the PIPL, there are three mechanisms that data controllers may utilise to export personal information out of the PRC: (i) the Security Assessment; (ii) the Certification; or (iii) the Standard Contract. The Security Assessment and the Standard Contract are the two key transfer mechanisms. The Certification mechanism, like the Standard Contract, may only be utilised by organisations that fall below the Security Assessment thresholds, and it remains a less popular option given its more onerous requirements compared to the Standard Contract (e.g., on-site inspection by a certification agency) and the lack of clarity on the specific requirements for certification.
The actual procedures and deadlines for the Security Assessment and the Standard Contract were issued in the last year or so, with deadlines for compliance at the end of February 2023 (Security Assessment) and the end of November 2023 (Standard Contract) (see the Measures for the Security Assessment of Data Exports (the "Security Assessment Measures") of 1 September 2022 and the Measures on Standard Contracts for the Export of Personal Information (the "SC Measures") of 1 June 2023).
Under the SC Measures, data controllers that commenced exporting personal information prior to 1 June 2023 are required to comply with the SC Measures by 30 November 2023 (i.e. carry out the necessary Personal Information Protection Impact Assessments and Standard Contract filings as detailed in the Standard Contracts for Exporting Personal Information (Guidelines)).
The Draft Provisions come just two months before the end of the 30 November 2023 grace period, raising the threshold for the Security Assessment, providing clarity on the scope of “important data”, and setting out proposed exemptions for businesses that would otherwise be subject to the Standard Contract requirements.
In this Legal Update, we look at how the Draft Provisions may impact cross-border data transfers from the PRC, if finalised in their present form.
New Threshold for Security Assessment
Under the Security Assessment Measures (see our legal update on the Security Assessment Measures), data controllers who have exported the personal information of 100,000 people or personal information of 10,000 people since January 1 of the previous year are required to carry out a Security Assessment.
The Draft Provisions stipulate that the Security Assessment requirement may be waived for data controllers that have carried out the relevant Standard Contract filing procedures if they export the personal information of more than 100,000 but less than 1 million people.
While the Security Assessment requirement is still subject to a waiver (as opposed to an outright raising of the threshold), this nonetheless signifies a relaxation of the CAC’s stance, perhaps motivated by the high number of security assessment applications received by the CAC, and the realisation that the previously set thresholds may have been too burdensome, especially for companies catering to the world’s largest population.
Transfer of Important Data
Whether a company handles "important data" is another critical consideration in determining whether a data controller is subject to the stricter Security Assessment mechanism. In addition to the personal information export thresholds referred to above, all exports of important data are also subject to the Security Assessment.[3]
Under the Security Assessment Measures, “important data” had been defined broadly to include “data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, and so forth.” This has been the cause of a fair degree of uncertainty given the breadth of the definition.
However, the Draft Provisions now make it clear that data will only be regarded as "important data" if it is explicitly designated as such by regulators or local authorities.[4]
This means that companies may proceed on the presumption that they do not process important data (and hence do not have to apply for a Security Assessment for transfers of such data out of the PRC), unless they have been informed by the regulators, or through a public notice, that specified types of data in their possession have been classified as "important data".
The Draft Provisions exempt the following cross-border data transfers from the transfer mechanism requirements set out in Article 38 of the PIPL (i.e., the Security Assessment, the Certification and the Standard Contract):
1. Cross-border transfers of data generated in activities such as international trade, academic cooperation, cross-border manufacturing and marketing that do not contain personal information or important data;[5]
2. Personal information that is not collected or generated within the PRC;[6]
3. Transfers necessary for the performance of a contract to which the data subject is a party, such as for cross-border e-commerce, cross-border payments, plane ticket and hotel bookings, and visa applications;[7]
4. Employee data cross-border transfers that are necessary for human resources (HR) management in accordance with legally formulated labour policies or collective employment contracts;[8]
5. Cross-border data transfers that are necessary for protecting the health and property safety of a natural person in an emergency;[9]
6. Cross-border data transfers by data controllers that expect to transfer the personal information of fewer than 10,000 individuals out of the PRC within a year;[10] and
7. Cross-border data transfers falling outside the negative list to be formulated by Free Trade Zones (FTZs).[11]
While the Draft Provisions seem to provide some easing of the cross-border data transfer obligations, some provisions remain unclear and again bring uncertainty to the scope of the exemptions.
Notably, exemptions (3), (4) and (5) above match the established exceptions to consent in Article 13 of the PIPL, which means that the same difficulties may arise when proving (in practice) that the data transfer activities fall within these exceptions.
The negative list to be formulated by FTZs also echoes the recent Greater Bay Area data flow developments (see our previous Legal Update, "PRC-Hong Kong MoU Signed: Will Cross-border Data Transfers within the Greater Bay Area Be Easier Now?"), and augurs well for data flows within the Greater Bay Area and potentially beyond.[12]
In the absence of clarification as to what would amount to "necessity" (i.e., necessary for HR management, or necessary for the performance of a contract), it is unclear what types of data will fall within the exemption and may be transferred overseas freely. Would such data, for example, include sensitive data (e.g., financial information, credit card information, health information, etc.)? It is also unclear, given the use of "such as", whether other specified industries may also rely on the contractual necessity exemption.
Nevertheless, the above exemptions provide many companies with some relief, particularly companies in sectors that have been explicitly named (e.g., hospitality and airline industries), and companies engaged in business-to-business activities where the main application of PIPL relates to HR data and some minimal (<10,000 data subjects) business contact information of customers.
The Draft Provisions also, rather redundantly, clarify that the cross-border data transfer restrictions do not apply to overseas data controllers that collect information of PRC-based data subjects, provided there is no processing of such data in the PRC. Given the extraterritorial application of the PIPL, this has been a bit of a puzzle for companies doing business with, but not present in, the PRC: the data of PRC-based data subjects they collect overseas is caught by the PIPL, but how would the cross-border transfer rules even apply if the data was not collected in the PRC?
The rollout of the Draft Provisions appears to be an attempt by the CAC to reassure foreign businesses, which have been very vocal about their concerns regarding compliance with the onerous data export restrictions. The exemptions proposed under the Draft Provisions, if implemented, will reduce compliance costs significantly and facilitate many companies' data exports.
The proposed exemptions only apply to the data transfer mechanisms under the PIPL. While this is all good news, compliance with the general data protection obligations should not be overlooked:
- Notification: companies must explicitly notify data subjects before transferring personal information out of the PRC;
- Processing data on a legal basis: if consent is the legal basis for cross-border data transfers, companies are still required to obtain prior consent from the data subjects;
- Privacy impact assessment (PIA): companies must conduct a privacy impact assessment of cross-border data transfers, and the records of the PIA must be retained for at least three years.
Given that the CAC still retains the discretion to "supervise beforehand, during and after the data export activities"[13] and has the power to stop transfers, companies should continue to ensure full compliance with the PIPL and the other PRC data laws (the Data Security Law and the Cybersecurity Law, in particular with respect to assessing a company's risk level in accordance with the Multi-Level Protection System[14]).
The Draft Provisions are open for public comment until 15 October 2023. Although it is unclear when the finalised rules will be issued, given the rushed timeline for public commentary (~2 weeks, inclusive of China's Golden Week!) and the imminent deadline for companies to file the Standard Contract by 30 November, there is a strong likelihood that the CAC will aim to finalise the Draft Provisions before the end of November.
In the context of the rapidly changing landscape of PRC data laws, companies with a presence or business interest in the PRC are advised to be alert to further developments, to determine whether the proposed exemptions for cross-border transfers will apply to them, and to calibrate their compliance efforts accordingly.
The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this Legal Update.
[1] The original text can be found here: http://www.cac.gov.cn/2023-09/28/c_1697558914242877.htm
[2] Article 11 of the Draft Provisions specifically provides that the Draft Provisions shall prevail over any conflicts with the Security Assessment Measures or the SC Measures.
[3] Article 4(1), the Measures for Security Assessment for Cross-Border Data Transfers
[4] Article 2, the Draft Provisions
[5] Article 2, the Draft Provisions
[6] Article 3, the Draft Provisions
[7] Article 4(1), the Draft Provisions
[8] Article 4(2), the Draft Provisions
[9] Article 4(3), the Draft Provisions
[10] Article 5, the Draft Provisions
[11] Article 7, the Draft Provisions
[12] China recently issued new Guidelines on further optimising the foreign investment environment, which touched on the formation of a catalogue of freely flowing general data between Beijing, Tianjin, Shanghai and the GBA.
[13] Article 10, the Draft Provisions
[14] See Article 21, Cybersecurity Law, and Article 27, Data Security Law.