The Cyberspace Administration of China (the “CAC”) has released the Draft Provisions on Regulating and Promoting Cross-Border Data Transfer (the “Draft Provisions”) for public comment on September 28th, 2023. The Draft Provisions propose some welcome adjustments to the increasingly burdensome requirements of the “three mechanisms” (i.e.: 1) data outbound security assessment organized by the CAC; 2) certification of personal information protection by a specialized agency; and 3) conclusion of the standard contract.) for data outbound activities established in the past two years.
This positive shift mainly aims to adjust the thresholds of data outbound security assessment set forth in the Security Assessment Measures for Data Outbound, exempt the application of the three mechanisms initially set forth in the Personal Information Protection Law for some scenarios where data outbound activities are necessary, frequent, and low risky, as well as partially reduce the compliance burden of enterprises whose business and daily operations are hardly separated from data outbound activities while the volume of data is relatively small.
1. Standards of applying the three mechanisms
| Mechanism | Current standards | Anticipated new standards |
| Conduct the data outbound security assessment | when providing important data abroad. | It is clarified that “important data” excludes the data that has not been notified by relevant departments or regions or has not been publicly announced as important data. |
| When providing personal information abroad by an entity: that is a critical information infrastructure operator (CIIO);that processes the personal information of more than 1,000,000 individuals; orthat has provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in total abroad since January 1st of the previous year. | When expecting to provide abroad the personal information of more than 1,000,000 individuals. | |
| Obtain certification of personal information protection or conclusion of the standard contract | Situations other than the above. | When estimating to provide abroad the personal information of more than 10,000 but less than 1,000,000 individuals within one year. |
| Without the application of the three mechanisms | If otherwise stipulated in the international conventions or treaties. | Exemptions below. |
It is stipulated that the Draft Provisions shall prevail in case of any discrepancy with the Security Assessment Measures for Data Outbound Transfer and the Measures on the Standard Contract for Outbound Transfer of Personal Information. Hence, if the Draft Provisions become effective, it is likely that the expected volume of personal information to be transferred abroad in one year will be the main index to determine whether the data outbound security assessment is required. However, when calculating the volume of data to be transferred abroad, it remains to be further clarified whether the volume of data benefiting from the following exemptions would be deducted.
The Draft Provisions also stipulate that the transfer of important data and personal information by a CIIO and the provision of sensitive personal information shall be subject to relevant laws, administrative regulations, and departmental rules. In this case, it also remains to be clarified whether CIIOs and the transfer of sensitive personal information would apply the new standards and/or exemptions below.
2. Exemptions of the application of the three mechanisms
Under the current regulatory framework of data outbound transfer, data processors are generally required to apply one of the three mechanisms before transferring personal information abroad, regardless of the purpose and volume of the data outbound transfer. Considering the unreasonableness and burdensomeness in practice for both competent authorities and data processors, the Draft Provisions explicitly exempt the following circumstances in which a cross-border data transfer may be carried out without applying any of the three mechanisms:
a) Cross-border transfer of data (excluding personal information or important data) that is generated in activities such as international trade, academic cooperation, transnational manufacturing, and marketing;
b) Cross-border transfer of data that is not collected or generated within the territory of China (for example, in the scenario of processing trade, manufacturers in China do not need to apply one of the three mechanisms when transferring the data of foreign suppliers or carriers of raw materials to foreign importers of end products);
c) Where it is necessary for the conclusion and performance of a contract to which the individual concerned is a party, such as cross-border shopping, cross-border remittance, air tickets and hotel booking, and visa processing, etc.;
d) Where it is necessary to provide abroad the personal information of employees for human resources management implemented by legally formulated labor regulations and rules and collective labor contracts;
e) To protect the life, health, and property safety of natural persons in an emergency;
f) When estimating to provide personal information ofless than 10,000 individuals abroad within one year (for example, during daily operations, foreign-invested enterprises could collect and store personal information of suppliers, clients and employees in China. The volume of so collected data is generally small.);
d) When cross-border transferring data that is not included in the negative lists to be formulated by the free trade zones (“FTZs”). In the recent years, several FTZs have already published their promotional policies or guidelines to facilitate cross-border data transfer, such as promoting the establishment of low-risk data flow catalog mentioned in the China (Shanghai) Pilot Free Trade Zone Lingang New Area Regulations.
Nonetheless, in the case of cross-border transfer of personal information collected on the basis of the consent of individuals, the obligation of obtaining consent for cross-border transfer is not exempted. The other general obligations of protection of personal information such as inform-consent, remedy measures, and reporting to network security authorities, shall still be performed by data processors and relevant parties.
3. Advice to enterprises
It is recommended that enterprises pay close attention to the legislative developments in the field of cross-border data transfer and estimate their impact on the current administrative formalities and their preparatory work. Concerning the cross-border data transfer that may be subject to the exemptions proposed by the Draft Provisions, depending on the situation, enterprises may adjust their compliance strategies. For the unclear discrepancy between the new standards and current requirements, enterprises that have applied or are in the process of applying for one of the three mechanisms could actively consult with the authorities to find an optimal solution.
