July 2024


New Chinese Regulations Ease Cross-Border Data Flows

By Dezan Shira & Associates

The Cyberspace Administration of China (CAC) has released the final version of a set of regulations aimed at facilitating cross-border data transfer (CBDT) for companies based in China.

The new “Regulations to Promote and Standardize Cross-Border Data Flows” came into effect on 22 March 2024.

In September 2023, the CAC released a draft version of the regulations for public comment. The final version has been altered only slightly from the draft, retaining many of the original proposals.

The new regulations specifically deal with facilitating the procedures required to export data from China. Under China’s Personal Information Protection Law (PIPL), companies that wish to export certain volumes and types of personal information (PI) outside of China must undergo one of three compliance procedures: applying for a data export security assessment conducted by the CAC, entering into a standard contract with the overseas recipient of the data, or undergoing PI protection certification by a third-party agency.

Which procedure a company must choose will depend on the amount of PI they handle, whether the data is considered “important,” and whether the company itself is a critical information infrastructure operator (CIIO).

The new regulations provide several measures that will facilitate cross-border data flows for companies in China, greatly easing compliance burdens and allowing for the free flow of data in certain scenarios.


Increased Data Volume Thresholds

A major change in the new regulations is an increase in the data volume thresholds that trigger one of the compliance procedures from the ones stipulated in the PIPL and related regulations. This means that companies will be able to handle a higher volume of data than was previously allowed before they are required to undergo one of the compliance procedures.

Under the previous measures for the security assessment, the procedure with the highest bar of compliance, a company was required to undergo a security assessment by the CAC in any of the following circumstances:

  • The company exports “important data” overseas;
  • The company is a CIIO or handles the PI of more than 1 million people, and exports PI overseas;
  • The company has exported the PI of more than 100,000 people or the “sensitive” PI of more than 10,000 people since 1 January of the previous year and provides PI overseas; and
  • The company engages in any other situations stipulated by the CAC.

Meanwhile, companies can choose to undergo PI protection certification by a third-party agency or sign a standard contract with the overseas recipient if they fall below the above thresholds.

However, the new regulations increase the data volume thresholds that trigger a compliance procedure. For the security assessment procedure, the threshold for accumulated non-sensitive PI has been increased from that of 100,000 people to that of 1 million people. For the standard contract and PI protection certification procedures, the threshold has been increased from the non-sensitive PI of less than 100,000 people to that of between 100,000 and 1 million people.

In addition, the accumulation period has been shortened: PI volumes are now counted from 1 January of the current year rather than from 1 January of the previous year. This effectively cuts the maximum period of accumulated PI that is considered for compliance procedures from two years to just one year and resets the company’s accumulated volume to zero at the start of every year, making it less likely that the limits will be exceeded.

Finally, if a company has processed the PI of fewer than 100,000 people since 1 January of the current year, it will not be required to undergo any compliance procedures. Previous regulations did not have any exemptions for lower volumes of PI.

The changes in data volume limits are summarized in the table below.

Change in PI Export Volume Thresholds for CBDT Compliance Procedures

Required compliance procedure: No procedures required
  • Previous regulations: N/A
  • New regulations: cumulative since 1 January of the current year, < 100,000 (normal PI)

Required compliance procedure: PI protection certification or standard contract signing
  • Previous regulations: cumulative since 1 January of the previous year, < 100,000 (normal PI) or < 10,000 (sensitive PI)
  • New regulations: cumulative since 1 January of the current year, ≥ 100,000 and < 1,000,000 (normal PI) or < 10,000 (sensitive PI)

Required compliance procedure: Security assessment by CAC
  • Previous regulations: cumulative since 1 January of the previous year, ≥ 100,000 (normal PI) or ≥ 10,000 (sensitive PI)
  • New regulations: cumulative since 1 January of the current year, ≥ 1,000,000 (normal PI) or ≥ 10,000 (sensitive PI)

Note that the above changes do not apply to companies that are CIIOs, which will still be required to undergo a security assessment regardless of the volume or type of data they export, nor do they apply to companies that are exporting important data.

However, the new regulations also outline several additional circumstances in which a company may be exempt from undergoing compliance procedures even if it exceeds the new thresholds. These exceptions are outlined further below.


Easing Requirements for the Export of ‘Important Data’

As mentioned above, companies that wish to export important data out of China must undergo a data export security assessment by the CAC, the most cumbersome of the three options.

However, what data is considered “important” has not been clearly defined in relevant regulations, leaving many companies uncertain of whether they must apply for the security assessment.

In the measures governing the security assessment procedures, important data is defined simply as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used.” However, the authorities haven’t yet released a reference document for the type of data that would be deemed to fall under this definition, leaving it largely up to interpretation.

Despite this, the new regulations state that companies are required to identify and declare important data in accordance with relevant regulations. While the regulations do not provide any additional clarity on the definition, they do provide an important caveat that will help to reduce uncertainty in many cases. If relevant government departments or regions have not publicly identified certain data as “important,” then the company will not be required to apply for the data export security assessment to export the data.

This means that if the data has not explicitly been defined as important by national or local authorities, then it will be deemed not to be for the time being.


Exemptions for Certain Cross-Border Data Transactions

Under the new regulations, there are several scenarios where a company can be exempt from undergoing any of the three compliance procedures to export data out of China.

First, if a company collects and generates data through activities such as international trade, cross-border transportation, academic cooperation, transnational manufacturing, and marketing, and it wishes to provide this data overseas, then it is not required to undergo any of the three compliance procedures, provided the data does not contain any PI or important data.

Second, if the PI collected and generated by a company outside of China is transferred to China for processing and then retransferred abroad, then the company is exempted from the compliance procedures, provided no domestic PI or important data is introduced during the processing.

Finally, the regulations outline cases in which a company may be exempt from the compliance procedures if it meets certain conditions. These conditions include the following:

  • It is necessary to export PI to enter into and perform a contract to which an individual is a party, such as cross-border e-commerce, postal services, remittances and payments, account opening, air ticket and hotel booking, visa processing, and examination services;
  • It is necessary to export the PI of employees to implement human resources management in accordance with the labor rules and regulations, and the collective contract signed with employees;
  • It is necessary to export PI overseas to protect the life, health, and property of natural persons in an emergency; and
  • A company other than a CIIO has provided the PI of fewer than 100,000 people (excluding sensitive PI) overseas since 1 January of the current year.

Note that important data is not included in the above scenarios, and a company will still need to undergo a security review to export it.


Facilitated Data Flows in Free Trade Zones

The new regulations allow China’s free trade zones (FTZs) to independently implement their own negative list of data that must be subject to compliance procedures when exported. These lists will be applicable to companies established in the FTZs.

Companies based in the FTZs exporting data that is not included in the negative lists will be exempt from undergoing the compliance procedures, thus greatly facilitating cross-border data flows in and out of the zones. The criteria for being based in a zone will presumably depend on the FTZs’ own standards for business presence, as is the case for qualifying for preferential tax treatment within the zones, although the regulations do not specify this.

Enabling the FTZs to implement their own data negative lists will greatly enhance the attractiveness and competitiveness of these zones, providing yet another benefit to establishing a business within these areas.

The FTZs are still in the process of developing these negative lists. In January 2024, the Lingang New Area of the Shanghai Pilot FTZ revealed a set of trial measures that will divide data for cross-border transfer into “core,” “important,” and “general” data categories, depending on their risk level. The local government also stated that it will release a “general data” catalogue, which will include types of data that can be transferred freely out of the area, and an “important data” catalogue, which will be subject to restrictions. The full trial measures have not yet been released to the public.


Extension of Security Assessment Validity Period

The new regulations extend the validity of a security assessment from two to three years from the date of issuance of the assessment result, thus decreasing the frequency with which a company will be required to undergo assessments.

The new regulations also simplify the procedures for the extension of a security assessment. If a company needs to continue its data export activities after its assessment has expired, it can apply for an extension through the local provincial cybersecurity and informatization department within 60 working days of the assessment’s expiration date. In this instance, the company won’t need to conduct another data export security assessment. If the application is successful, the assessment can be extended for another three years.


Implications of the New Regulations for Foreign Companies in China

The new regulations are a major step toward reducing barriers to cross-border data flows and clarify issues that impede the normal business operations of foreign companies in China.

The increase in the data volume thresholds for the compliance procedures will make it easier, particularly for smaller companies, which have fewer resources to handle the additional compliance burden of following data transfer rules. The various exemptions given will also greatly facilitate business operations in fields such as cross-border trade, e-commerce, and HR.

Meanwhile, the new regulation on important data removes a considerable regulatory headache for companies by acknowledging that the current regulations are insufficiently clear for companies to follow and places the onus on government authorities to specify which data is considered important. It may also allow companies whose applications for data export have been denied due to their inclusion of undefined important data to have these decisions overturned, at least until the authorities provide a clear definition. This will help to alleviate uncertainty and greatly facilitate companies’ normal operations in the interim.

It’s nonetheless important to note that the compliance procedures remain in place for larger volumes of data, as well as for all important data and CIIOs. Larger multinationals in consumer-facing industries are still likely to reach the thresholds for compliance procedures on a regular basis and will have to continue to allocate time and resources toward compliance.

Large companies are advised to closely monitor the regulatory bodies of their respective industries for news on the definition of important data to ensure that they remain compliant. Companies located in FTZs are also advised to carefully monitor news from local authorities regarding the release of data negative lists and to maintain open lines of communication with local authorities to ensure the correct understanding and implementation of the regulations.


This article was originally published in China Briefing, which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in China, Hong Kong, Vietnam, Singapore, India, and Russia. Readers may write to [email protected] for more support.
