On September 28, 2023, the Cyberspace Administration of China ("CAC") issued the Notice to Seek Public Consultation on the Provisions on Regulating and Facilitating Cross-Border Data Flows (Draft for Public Comments) ("Regulations"). We believe the Regulations will substantially change the regulatory framework for cross-border data transfer ("CBDT") in China, and that multinational companies ("MNCs") will face far less uncertainty when transferring data out of China.

Specifically, compared with the Measures on Security Assessment for Outbound Data Transfer ("Security Assessment Measures") and the Measures for the Administration of Standard Contracts for Outbound Transfer of Personal Information ("Standard Contract Measures"), the Regulations significantly streamline enterprises' cross-border compliance obligations. By introducing "exemptions" and revising the thresholds that trigger security assessments, standard contract filings, and certifications, the Regulations aim to considerably reduce enterprises' compliance overhead, paving the way for a more business-friendly environment and more relaxed oversight of cross-border data transfers.

In this article, we focus on why the Regulations were introduced so quickly, and provide guidance for MNCs on reshaping their compliance strategies within this new regulatory context. Our objective is to offer enterprises clear direction, enabling them to conduct cross-border data activities compliantly under the new framework.

1. Background of the Regulations

Under the original CBDT regulatory system, companies not only bore heavier compliance obligations, but the lack of clarity in the CAC's review standards made it difficult for them to determine which types of data could lawfully be transferred abroad, leading many to downsize their business operations in China. The original CBDT regulatory system appeared to weaken China's market competitiveness and was inconsistent with the basic national policy of continued reform and opening-up and of attracting foreign investment.

For reference, the relevant policies and important events are listed below in chronological order, each with its date and the specific content relevant to cross-border data flows.

  1. Opinion on Better Utilizing Data as an Essential Factor (2022.12.2): (11) Construct mechanisms for the secure, compliant, and orderly flow of data across borders.
  2. Xi Jinping's keynote speech at the Central Economic Work Conference (2022.12.15): Emphasizes attracting and utilizing foreign capital more vigorously.
  3. Government Work Report 2023 (2023.3.13): (4) Strengthen efforts to attract and utilize foreign capital.
  4. Central Political Bureau Meeting (2023.4.28): Discusses and studies the current economic situation and economic tasks.
  5. Central Political Bureau Meeting (2023.7.24): Prioritizes the attraction of foreign investment and stresses the importance of supporting qualified free trade experimental zones and free trade ports.
  6. Premier Li Qiang's speech during his inspection in Shanghai (2023.7.26-27): Addresses the significant concerns surrounding cross-border data flow and its management.
  7. Opinion on Further Optimizing the Foreign Investment Environment (2023.8.13): (14) Explore streamlined mechanisms for the secure management of cross-border data flows...
  8. State Council Information Office Press Conference (2023.8.17): Director Wang Dongtang of the Ministry of Commerce indicates plans to release policy documents on the development of digital trade.
  9. State Council's thematic study on accelerating the development of the digital economy (2023.8.21): Premier Li Qiang emphasizes exploring new models for cross-border data management and actively participating in international digital economy collaboration.
  10. Central Political Bureau's thematic study on active participation in WTO reforms (2023.9.27): President Xi Jinping underscores the importance of fostering a market-oriented, law-based, and internationalized business environment.


What is clear is that the Regulations were issued on September 28, 2023, the day after the Central Political Bureau's thematic study of September 27.

2. What Changes and What Remains Consistent under the Regulations?

Because the Regulations, the Security Assessment Measures, and the Standard Contract Measures are all promulgated by the CAC, any discrepancies between them should, once the Regulations take effect, be resolved by following the Regulations. The following is our analysis of the key changes introduced by the Regulations:

a) Introduction of "exemptions". According to Article 38 of the Personal Information Protection Law ("PIPL"), an enterprise transferring personal information abroad must declare a security assessment, file a standard contract, obtain a certification, or comply with other conditions set out in laws, administrative regulations, or CAC rules. On this basis, the CAC issued the Security Assessment Measures and the Standard Contract Measures, which assign enterprises to distinct cross-border compliance pathways according to data volume (for example, entities processing the personal information of more than 1 million individuals) and the nature of the data (such as key data). Building on this framework, the Regulations introduce an "exemption" mechanism: enterprises meeting certain criteria may transfer data abroad without declaring a security assessment, filing a standard contract, or obtaining a certification:

The "exemptions" under the Regulations

1)        An enterprise is expected to transfer the personal information of fewer than 10,000 individuals abroad within a year.

2)        An enterprise transfers abroad personal information that was collected outside China.

3)        The transfer is necessary to conclude or perform a contract to which the individual is a party.

4)        The transfer of employees' personal information abroad is necessary for human resource management conducted under labor rules formulated in accordance with the law and a collective contract concluded in accordance with the law.

5)        The transfer of personal information abroad is necessary to protect the life, health, or property of natural persons in an emergency.

6)        The data is not on the negative list formulated by a free trade experimental zone.


b) Changes to the conditions that trigger the existing data export compliance mechanisms.

Once the Regulations take effect, enterprises that do not qualify for an "exemption" will no longer assess their outbound data transfers against the thresholds in the Security Assessment Measures and the Standard Contract Measures. Instead, they should refer to the Regulations and build a compliance mechanism for outbound data transfers tailored to their specific business:

The conditions under which an enterprise must declare a security assessment according to the Regulations:

  1. when it is expected to transfer the personal information of more than 1 million individuals abroad within a year;
  2. when the data to be transferred abroad has been notified to the enterprise by, or publicly announced by, the relevant departments or regions as key data.

The condition under which an enterprise may instead file a standard contract or obtain a certification according to the Regulations:

  1. when it is expected to transfer the personal information of more than 10,000 but fewer than 1 million individuals abroad within a year.


c) Maintaining Procedures for Security Assessment, Standard Contracts, and Certification.

The Regulations change the criteria that trigger security assessments, standard contract filings, and certifications, and add the "exemption" provisions. However, the procedures themselves remain unchanged. For instance, a company that is subject to a security assessment under the Regulations should still prepare the required documentation, such as the declaration form, the risk self-assessment report, and the relevant legal documents, in line with the Security Assessment Measures and the Guidelines on Security Assessment Declaration of Outbound Data Transfer (First Edition), with emphasis on explaining the necessity of the business scenarios and data fields involved in the transfer.

3. Compliance Obligations under the Regulations

Currently, the Regulations are in the public consultation phase. Their final form could significantly influence the strategies enterprises adopt for cross-border data transfer compliance. Taking the present draft as our guide, we offer the following recommendations for enterprises' consideration.

a) Do Not Rely on the Draft as Grounds for "Exemption" in Current Outbound Data Transfers.

The Regulations are undergoing public consultation and are not yet legally enforceable, and certain provisions may be adjusted in the final version. Businesses should therefore not rely on the draft Regulations as the basis for current outbound data transfers. We advise companies to await the official version, evaluate it thoroughly, and then determine the appropriate pathway for compliant cross-border transfers. In particular, companies that have received only partial approval from the CAC in a security assessment should exercise caution: data fields or business scenarios that failed the assessment but might be exempted under the Regulations are already on the CAC's record. We suggest such businesses hold steady and await the final Regulations. If the final version provides specific exemptions or conditions, they can then devise their cross-border data transfer compliance strategies accordingly.

b) Attend to Other Compliance Obligations and Maintain Records.

The Regulations relax the compliance requirements for cross-border data transfers in certain scenarios. However, enterprises must still comply with applicable laws and administrative regulations and fulfil their data security obligations, including but not limited to:

(1) Notification Obligation. Under Article 39 of the PIPL, a business that transfers personal information abroad must inform the individuals concerned of the overseas recipient's details, the purpose and method of processing, the types of personal information involved, and how the individuals can exercise their rights against the overseas recipient. These requirements persist regardless of any change in legal basis or compliance mechanism.

(2) Personal Information Protection Impact Assessment (PIA). Under Article 55 of the PIPL, any entity transferring personal information abroad must first conduct a PIA. The assessment should analyze the legality, legitimacy, and necessity of the transfer, the potential risks to individuals, the effectiveness of the protective measures, and other relevant aspects. Both the PIA report and the processing records must be retained for at least three years.

(3) Ensuring the Overseas Recipient Meets PIPL Standards. Article 38 of the PIPL requires the transferring entity to take necessary measures to ensure that the overseas recipient's processing activities meet the standards of protection prescribed by the PIPL. We recommend that businesses planning cross-border transfers conclude agreements with overseas recipients that require, and allow the business to supervise, compliance of the recipient's processing activities with Chinese law.

(4) Establishing a Data Security Response Mechanism. Articles 9 and 10 of the Regulations underscore data security risk management. MNCs in particular should establish effective global data security emergency response mechanisms, given their geographically dispersed data processing operations. We urge businesses to adopt localized measures that respond to Chinese regulatory requirements for continuous internal oversight and risk mitigation, with particular attention to compliance training, traceability of emergency response actions, and prompt risk assessment when a security incident occurs. It is also prudent to report any data security incident or detected elevated risk to the CAC.

c) Confirm the Scope of Key Data in Advance.

According to the Regulations, an enterprise must declare a security assessment for transfers of "key data" that the relevant departments or regions have notified to it or publicly announced as such. While this provision may help businesses discern the boundaries of "key data", it does not absolve them of their compliance responsibilities. Given that the various industry authorities are still working on key data catalogs and most definitions of key data have not yet been published, it is prudent for enterprises to proactively engage with the relevant authorities to ascertain how their data is classified. Relying solely on the absence of an official key data catalog is not advisable.

d) Take Care When Processing and Transferring Sensitive Information Involving Party, Government, Military, or Classified Entities.

The Regulations provide that transferring abroad sensitive information relating to Party, government, or military entities, or to entities handling classified matters, must comply with the relevant laws, administrative regulations, and departmental rules. Given the highly sensitive nature of such data, a leak could jeopardize national security. We recommend that businesses rigorously assess this data even if it is not categorized as "key data" and does not otherwise trigger a security assessment, standard contract filing, or certification, and conduct a stringent evaluation before considering any cross-border transfer of it.

4. Conclusions

The introduction of the Regulations underscores China's determination to refine data governance while promoting the orderly flow of data to support economic growth. Against a backdrop of sustained opening-up and the active courting of foreign investment, efficient and secure cross-border data transfers have become a key economic enabler.

In all, the Regulations not only send a clear signal that cross-border data flows should not impose a heavy burden on businesses operating in China, but also offer a more relaxed framework for cross-border data compliance than the GDPR. It is foreseeable that, once the Regulations are enacted, "ex post facto supervision" will be the prevailing model for cross-border data governance in China for a long time to come.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.