©2020 Adaltys Avocats.
Retour au blog
Lettre d’information
Overview of China’s new rules on data outbound transfer
02/04/2024

On March 22, 2024, the Cyberspace Administration (“CAC”) of China officially issued the Provisions on Promoting and Regulating Cross-border Flow of Data (“New Rules”) about half a year after the draft of the New Rules was published on September 28, 2023.

Before the release of the New Rules, enterprises are demanded to perform at least one of the three obligations for data outbound transfers, including the security assessment (“SA”), the conclusion of a standard contract (“SCC”) and the certification of personal information (“3 Obligations”), depending on the nature and volume of the transferred data.

Practically, compared to the SA, even though the SCC and the certification are less complicated and can be selected by enterprises with limited need for data outbound transfer, enterprises are still troubled by onerous paperwork and the data transfer activities may be slowed down by the administrative procedure.

As of March 22, 2024, the compliance burden for some enterprises may be largely relieved. Some enterprises may benefit from the exemptions prescribed by New Rules and are thus not required to fulfill any of the 3 Obligations.

  • Part. 1. In some scenarios, data processors may be exempted from 3 Obligations  
  • Scenario 1: low volume of data outbound transfer

Calculating accumulatively from January 1of the current year of data outbound transfer, if the personal information (excluding sensitive personal information and important data) transferred abroad by a non-CIIO (i.e. critical information infrastructure operator) is less than 100,000 individuals’ personal information, the data processor may be exempted from the 3 Obligations for data outbound transfer.

  • Scenario 2: data outbound transfer is a necessity for specific purposes

The New Rules provide that, 3 Obligations may be exempted if the transfer of personal information (excluding important data) abroad is necessary to:

  • conclude or perform contracts to which the individual is a party, such as cross-border shopping, cross-border consignment, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa application, and examination services, etc.; or

  • conduct cross-border human resources management in accordance with lawfully formulated labor rules and regulations and with lawfully concluded collective contracts; or
  • protect life, health and property of natural persons in emergency cases.
  • Scenario 3: temporary data transit

For the outbound transfer of the personal information collected and generated overseas by data processors, the personal information may be transferred abroad without performing any of the 3 Obligations, provided that no personal information or important data from China is introduced in the course of processing.

  • Scenario 4: transferring non-regulated data abroad

Under the legal framework of data outbound transfer, personal information and important data are the focus of regulation. New Rules reiterate that, if personal information and important data are not included in the course of data outbound transfer, data processor may be exempted from 3 Obligations.

Besides, New Rules empower free trade zones to formulate their own data negative list, which may provide greater freedom of data flow to the enterprises in the free trade zone. Since 2020, some of China’s free trade zones have been continuously exploring the modes of cross-border data flow, for example, free trade zones in Tianjin and in Lingang, Shanghai have issued relevant specifications trying to categorize data and implement different compliance requirements for different kinds of data.

  • Part. 2. Thresholds for SA, certification of personal information protection and SCC are modified.
MechanismPrevious thresholdsNew thresholds
SAWhen providing data abroad by an entity: that is a CIIO; or that provides important data abroad; orthat processes the personal information of 1 million individuals or more; orthat provides accumulatively personal information of 100,000 individuals or more in total abroad since January 1 of the previous year; or that provides accumulatively sensitive personal information of 10,000 individuals or more in total abroad since January 1 of the previous year.When providing data abroad by an entity: that is a CIIO; or that provides important data abroad; or that provides accumulatively personal information of 1 million or more (excluding sensitive personal information) abroad in total since January 1 of the current year; orthat provides accumulatively sensitive personal information of 10,000 individuals or more in total abroad since January 1 of the current year.  
SCC or CertificationSituations other than the above.When providing personal information abroad by an entity:   that provides accumulatively personal information (excluding sensitive personal information) of more than 100,000 individuals but less than 1 million individuals in total abroad since January 1 of the current year; or that provides accumulatively sensitive personal information of less than 10,000 individuals in total abroad since January 1 of the current year.

To be noted is that the exempted data listed in Part 1 are not included in the calculation of the total amount of data transferred abroad.

  • Part. 3. Specific regulations on sensitive personal information and important data

According to the New Rules, sensitive personal information and important data may not enjoy exemptions or be imposed stricter conditions for exemptions. To be precise:

(1) If data processors would like to transfer sensitive personal information abroad, when the sensitive personal information concerned is (“X”):

  • X<10,000 individuals: certification or SCC;
  • 10,000 individuals ≤ X: SA.

(2) If data processors would like to transfer important data abroad, regardless of the volume of the important data, SA must be conducted.

(3) Data processors of important data may not be exempted from the 3 Obligations under scenario 2 presented in Part 1.

At this stage, specific catalogs of important data in different industries and different regions are still under development. Many enterprises may be confused as to whether their data will be defined as important data and consequently subject to special regulations. To address this confusion, New Rules explicitly stipulate that, if relevant data is not announced or published by relevant departments or regions as important data, data processors are not required to apply for SA for such data.

However, New Rules impose obligations on data processors to identify and declare important data in accordance with the relevant regulations. Therefore, enterprises are suggested to pay close attention to the catalogs to be published in the future, and perform their identification and declaration obligations in accordance with the law. 

  • Part. 4. Other obligations regulated by laws and regulations remain effective

Even though 3 Obligations may be exempted based on the New Rules, other obligations related to the protection of personal information and data security shall still be performed by data processors and relevant parties, before data can be transferred abroad. These obligations include but are not limited to:

  • Obtaining separate consent from the individuals (notably, according to the second version of Guidelines for Applying for Security Assessment, under the circumstances stipulated in Article 13, para 1, sub-para 2-7 of Personal Information Protection Law, obtaining consent can be exempted);

  • Notifying individuals about the information related to the overseas recipients, the purpose and method of processing, the type of personal information and the ways and procedures for exercising rights toward the overseas recipients, etc.;
  • Conducting and documenting personal information protection impact assessment;

  • Taking necessary measures so as to ensure the protection level of personal information of overseas recipients is the same as the one of Chinese laws and regulations.
  • Part. 5. Suggestions to enterprises

New Rules have entered into force on March 22, 2024. Enterprises that have actual needs to transfer personal information abroad are suggested to internally sort out the nature and volume of data transferred abroad and the purpose of data outbound transfer.

Especially enterprises who would like to take advantage of the exemptions provided for in the New Rules are advised to establish and improve relevant rules and systems, such as the proper conclusion of employment contracts and the formulation of work rules and disciplines, in order to meet the conditions of exemptions and justify the necessity of data outbound transfer.

If the threshold for applying for the SA or filing the SCC is met, enterprises may refer to the second version of the guidelines relating to the application for the SA and the filling of the SCC published by the CAC on March 22, 2024 for better preparing necessary materials and having knowledge of relevant application formalities.

LI Huini
Avocate associée
Découvrir son profil
Alban Renaud
Avocat associé
Découvrir son profil
Denis Santy
Avocat associé
Découvrir son profil
Articles liés
bg
Le Moniteur
Analyse de jurisprudences – Avril 2024
18/04/2024
bg
Contrats Publics
Une nouvelle dérogation à l’obligation d’allotissement
16/04/2024
bg
Opérations immobilières
La validité des actes conclus par les sociétés en cours de formation
16/04/2024