The Cyberspace Administration of China ("CAC") on September 28, 2023 issued the draft Provisions on the Regulation and Promotion of Cross-Border Data Flows ("draft Provisions"),1 just one year after China's data export security management framework was formally established.2 The fact that CAC released the draft shortly before China's week-long National Holiday and set a short period for public comment (through October 15) suggests that CAC intends to finalize the draft and promulgate the Provisions soon.

The current data export compliance regime is underpinned by three alternative pillars: a mandatory data export security assessment when certain thresholds are crossed, personal information ("PI") standard contract clauses ("SCC") filing, or PI protection certification ("PIPC").

The draft Provisions are a short document, consisting of only eleven clauses. Nonetheless, if adopted in their current form, they would significantly soften the current data export rules by 1) raising the thresholds for triggering data export filing obligations; 2) establishing exemptions for common data export scenarios; 3) clarifying that certain PI/data would no longer be subject to export filing requirements; and 4) establishing a more flexible policy space for exercising negative-list management in free trade zones ("FTZ") where many foreign-invested enterprises are registered.

The draft Provisions may be understood as a response by Chinese officials to concern over the tremendous administrative, commercial and human resource burdens that the existing regulations impose on both domestic and international business communities as well as the burden on cybersecurity officials tasked with regulatory implementation. Pending finalization, they constitute a welcome development that will promote cross-border trade and investment amidst China's sluggish economy.

Raised Thresholds

  • Annual PI export involving fewer than 10,000 individuals would no longer be subject to a mandatory data export security assessment, SCC filing or PIPC requirements.
  • Annual PI export involving more than 10,000 but fewer than 1 million individuals would no longer be subject to a mandatory data export security assessment, replaced by a less burdensome SCC filing with the relevant provincial CAC or a PIPC.

Under the current rules, a data processor, i.e., a company or other entity operating in China, is subject to a mandatory CAC-led data export security assessment when the so-called "1 million/100,000/10,000" thresholds are met. If the thresholds are not met, a SCC filing or PIPC is required. The current thresholds for determining whether a data processor is subject to a mandatory security assessment are as follows:

a) processes PI of more than 1 million individuals; or

b) cumulative PI of 100,000 individuals or Sensitive PI of 10,000 individuals have been exported since January 1 of the previous year.

While the mandatory CAC-led security assessment also applies to data processed by critical information infrastructure operators ("CIIOs") and Important Data, as a practical matter, multinationals ("MNCs") are unlikely to be designated as CIIOs, and they are unlikely to process Important Data except in the instance where the number of individuals whose PI is processed exceeds 1 million, in which case the PI is deemed to constitute Important Data.

Currently, CAC nationwide has approved mandatory security assessments for only a few dozen large-scale companies which crossed the "1 million/100,000/10,000" thresholds, while many others remain in the queue. No data is publicly available on how many companies have crossed the thresholds, how many have chosen to file for review of their security assessments, or how many have been rejected. Even companies which have not crossed the "1 million/100,000/10,000" thresholds are subject to either a SCC filing or a PIPC requirement if they export any PI overseas. Such requirements cast a very wide net sweeping in large numbers of MNCs that exchange essential business and governance information with overseas affiliates or counterparts.

Moreover, even a SCC filing, which requires a self-assessment by the company, or a PIPC, which is outsourced to a third-party accredited institution, is financially and administratively burdensome. Raising the filing thresholds will exempt many companies from the compliance requirements under the current data export regime.

Exempted Data

Data export security assessment, SCC filing and PIPC would also not be required if:

a) data export is necessary for the execution and performance of a contract to which an individual is a party, such as the cross-border purchase of goods, cross-border fund transfers, air tickets or hotel reservations, and visa processing;

b) data export is related to a company's internal employee data and necessary for human resources management in accordance with the company's labor policies and rules formulated on the basis of a law, regulation or collective bargaining contract; or

c) data export is necessary for the protection of personal safety, health or property security in an emergency.

The current compliance regime does not distinguish among the types of data that are transferred overseas. In fact, except for those MNCs which have completely localized their datasets in China, many MNCs currently share customer data and employee data with their overseas head offices to process cross-border transactions and manage human resources or simply for record keeping purposes, on a globally-integrated system. This means that under the current compliance regime, MNCs in theory are subject to at least an SCC filing or PIPC obligation, even if no mandatory security assessment threshold is crossed.

The data exemptions also may ease the burden facing cross-border e-commerce service providers, travel service providers and retail businesses that export customer data, as well as MNCs which maintain global employee data processing systems.

Further Clarification

  • Unless specifically categorized as Important Data by government through notification or announcement, data processors would not need to treat their data as Important Data, which is subject to more stringent protection requirements than ordinary data, for purposes of a mandatory data export security assessment.
  • Outbound transfers of data not containing PI or Important Data that is generated in international trade, academic collaboration, cross-border production, or marketing and sales activities would no longer be subject to a data export security assessment, SCC filing or PIPC.
  • Data not collected or generated in China would not be subject to a data export security assessment, SCC filing or PIPC obligation.

The scope of Important Data has been a persistent concern for MNCs, as any export of Important Data automatically triggers a mandatory security assessment, regardless of whether the relevant thresholds have been met. With the new Provisions, MNCs will no longer need to worry that the data they process will fall in the category of Important Data unless the data is specifically classified as Important Data. This clarity will create certainty and ease compliance burdens. MNCs handling data generated from overseas, such as PI of foreign nationals, would also face less onerous compliance burdens.

Negative List in Free Trade Zones

Critically, administrative responsibility in some instances will be transferred from CAC to more investment-friendly bodies. Pilot FTZs will be authorized to establish a "Negative List" regime, and all future data export activities not covered in such Negative Lists would no longer be subject to data export security assessment, SCC filing or PIPC requirements.

Conclusion

The draft Provisions are a response to the State Council's proposal to establish a security management mechanism to facilitate data cross-border flows, one of the measures to further optimize the environment for foreign investment.3

Unlike the European Union, which recognizes the value of cross-border data transfers and has been prepared to negotiate data protection agreements to ensure that PI and other data can be exported provided that the recipient jurisdiction provides protections equivalent to the General Data Protection Regulation, China seems to have imposed a rigid data export control regime focusing on national security considerations. The draft Provisions indicate a willingness to relax the burdens that the current regime has created.

The draft Provisions, if adopted in their current form, will exempt a large number of companies exchanging information with overseas affiliates and counterparts in normal business scenarios from data export filing requirements, unless they export Important Data, the scope of which has been limited, or the PI of a large number of individuals. This will significantly ease the burden facing a typical MNC operating in China, and will be welcomed by the business community domestically and internationally.

Footnotes

1. http://www.cac.gov.cn/2023-09/28/c_1697558914242877.htm

2. The Measures for Data Export Security Assessment took effect as of September 1, 2022, followed by the Announcement to Implement Personal Information Protection Certification and the Measures on the Standard Contract for Personal Information Export.

3. For more information regarding the State Council's Opinions to Further Optimize the Environment for Foreign Investment and Increase Efforts to Attract Foreign Investment, please refer to the WilmerHale publication available at https://www.wilmerhale.com/en/insights/client-alerts/20230815-china-issues-policy-to-further-boost-foreign-investment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.