FAQs for China's New Rules on Cross-border Data Transfer


Since the promulgation of the Cybersecurity Law of China in 2017, the Chinese government has focused on regulating cross-border data transfer out of China. As of today, the PRC legal regime for cross-border data transfer has been generally established, while specific requirements may vary across industries and regions. In recent years, China has enacted a set of regulations and voluntary rules on cross-border data transfer that data processors and their counterpart recipients must abide by when transferring personal information or Important Data out of China. Some of the compliance requirements are rather stringent and onerous to put into practice, especially for MNCs with limited resources in China. On March 22, 2024, the Cyberspace Administration of China (the “CAC”) enacted the much-awaited Provisions on Promoting and Regulating Cross-border Data Flows (the “New Provisions”), which had been published for public comment in September 2023. The newly issued New Provisions significantly ease the triggering conditions of the more complicated compliance obligations by providing a series of exemptions for scenarios that would otherwise be subject to data transfer restrictions. They are widely seen as signalling the regulator’s intention to relax control over cross-border data transfer and to streamline the data exchange between China and overseas in practice.

In this article, we set out some frequently asked questions pertaining to outbound data transfer in enterprises’ business operations and share our observations on them, aiming to provide guidance on cross-border data transfer for other data processors in China.

I. What are the key regulatory requirements for transferring data collected in China abroad?

Under the current regulatory framework, a domestic data processor must take one of the following three routes in order to legally export personal information or Important Data.

Route 1 (Security Assessment). The following data exporters must pass a security assessment for outbound data transfer (“Security Assessment”) organized by the CAC before transferring data abroad:

  • Data processors seeking to transfer Important Data abroad;
  • Critical information infrastructure operators (“CIIOs”)[1] seeking to transfer personal information abroad; and
  • Data processors other than CIIOs who have cumulatively transferred personal information of more than one million individuals (excluding sensitive personal information) or sensitive personal information of more than 10,000 individuals out of China since Jan. 1 of the year.

Route 2 (Standard Contract). If none of the Security Assessment thresholds listed above is triggered, a data exporter that has cumulatively transferred personal information of more than 100,000 but fewer than one million individuals (excluding sensitive personal information), or sensitive personal information of fewer than 10,000 individuals, out of China since Jan. 1 of the year, and that is seeking to transfer personal information out of China, may opt to conclude a contract with the foreign recipient in the form of the Standard Contract for Cross-border Transfer of Personal Information formulated by the CAC (“Standard Contract”)[2] and file the executed Standard Contract with the CAC’s local branch at provincial level.

Route 3 (Protection Certification). As an alternative to Route 2, a data exporter that has cumulatively transferred personal information of more than 100,000 but fewer than one million individuals (excluding sensitive personal information), or sensitive personal information of fewer than 10,000 individuals, out of China since Jan. 1 of the year may opt to undergo the personal information protection certification conducted by specialized institutions in accordance with the requirements of the CAC (“Protection Certification”).

Exemption. According to the New Provisions, data processors that meet at least one of the following exemption conditions (“Exemption Condition”) do not need to take any of the three routes mentioned above:

  • Export of personal information that was generated and collected outside China and processed within China, without involving any personal information or Important Data generated or collected domestically in China;
  • Export of personal information that is necessary for the conclusion or performance of a contract to which the personal information subject is a party, such as cross-border shopping, shipping, remittance, account opening, flight ticket and hotel bookings, visa applications, examination services, etc.;
  • Export of employees’ personal information that is necessary for purposes of implementing cross-border human resource management according to the legally-formulated internal labor policies or legally-signed collective labor contracts;
  • Export of personal information that is necessary for purposes of protecting individuals’ life, health, or property security in emergency situations; or
  • Export of personal information by data processors other than CIIOs that have cumulatively transferred personal information of no more than 100,000 individuals (excluding sensitive personal information) out of China since Jan. 1 of the current year.

With respect to the last item in the foregoing Exemption Conditions, the New Provisions raise the exemption threshold from the 10,000 individuals in the original draft for public comment to 100,000 individuals, but specifically exclude sensitive personal information from the quantitative exemption. This is consistent with international practice and with the spirit of the PIPL, which imposes stricter protection over sensitive personal information.

It is also worth noting that the cross-border data transfer requirements discussed in this article do not apply to entities registered in the Free Trade Zones and the nine cities in the Guangdong-Hong Kong-Macao Greater Bay Area. Eligible enterprises may benefit from the relaxed measures under the applicable special regional provisions.

II. What are the regulatory requirements for transferring employees’ personal information collected in China to overseas affiliates for centralized human resource administration?

No pre-procedure (i.e., Security Assessment, Standard Contract or Protection Certification) is required for the transfer of employees’ information collected in China to overseas affiliates, as long as such transfer is necessary for purposes of implementing cross-border human resource management according to the legally-formulated internal labor policies or legally-signed collective labor contracts.

Nevertheless, the New Provisions are silent on the criteria for determining whether a cross-border transfer is necessary. In our view, the “necessity” test is a relatively subjective call: from the employer’s perspective, if the cross-border transfer of a certain type of employees’ personal information can be reasonably justified as serving a specific purpose clearly stated in the abovementioned internal labor policies or collective labor contracts, the transfer may be deemed “necessary” under the New Provisions.

Further, many may have the false impression that the exemptions introduced by the New Provisions have lifted the requirement to conduct a personal information protection impact assessment (the “PI Assessment”). This is not the case. The PI Assessment evaluates (i) whether the cross-border transfer of personal information is legal and necessary; (ii) whether the protective measures adopted are legal, effective and proportionate to the risks; and (iii) the impact on the rights and interests of the relevant data subjects, among other matters. Data processors eligible for the Exemption Conditions must still conduct the PI Assessment, but are no longer required to submit the PI Assessment report to the local authorities for filing or approval.

III. Which party is to undertake compliance obligations in the scenario where overseas affiliates directly provide services to and collect data from Chinese domestic customers?

Neither the overseas affiliate nor the Chinese subsidiary will be deemed to undertake the compliance obligations of a PI Exporter under the PIPL when the overseas affiliate directly provides services to, and collects data from, domestic customers.

To be more specific, some MNCs choose to set up a subsidiary in China for the purpose of market promotion and/or customer retention. When a Chinese customer (either an individual user or a corporate customer) subscribes to the services, it is the foreign headquarters (or another foreign entity), rather than the Chinese subsidiary, that provides the services (e.g., cloud services) to the Chinese customer directly. In this scenario, the foreign entity directly collects personal information from the Chinese customer in order to provide the subscribed services, even though the Chinese customer may have entered into a service contract with the Chinese subsidiary.

The PIPL defines a “personal information processor” as the entity or individual that independently decides the purpose and means of processing in personal information processing activities. As the Chinese subsidiary neither provides the services nor collects, stores or otherwise processes the personal information provided by the Chinese customer, the Chinese subsidiary would not be deemed a personal information processor under the PIPL. The question is therefore which party, as the PI Exporter, undertakes the compliance obligations for cross-border data transfer, and that depends on whether the Chinese customer is a data subject or a personal information processor:

  • If the Chinese customer is an individual user who directly transfers his/her own personal information abroad: in this case, the Chinese customer is not a personal information processor under the PIPL and the compliance requirements thereunder do not apply;
  • If the Chinese customer is a personal information processor that processes the personal information of others: in this case, the Chinese customer, as the PI Exporter, undertakes the compliance obligations pertaining to the cross-border transfer of personal information.

IV. Does the personal information processor need to enter into the Standard Contract or undergo the Protection Certification for occasional cross-border transfer of personal information?

No Standard Contract or Protection Certification is required, as long as the occasional cross-border transfer of personal information meets at least one of the following Exemption Conditions described in Question I (Articles 4 and 5 of the New Provisions):

  • The personal information to be exported was generated and collected outside China, without involving any personal information or Important Data generated or collected domestically in China;
  • Export of the personal information that is necessary for the conclusion or performance of a contract to which the personal information subject is a party, such as cross-border shopping, shipping, remittance, account opening, flight ticket and hotel bookings, visa applications, examination services, etc.;
  • Export of employees’ personal information that is necessary for purposes of implementing cross-border human resource management according to the legally-formulated internal labor policies or legally-signed collective labor contracts;
  • Export of personal information that is necessary for purposes of protecting individuals’ life, health, or property security in emergency situations; or
  • Export of personal information by data processors other than CIIOs that have cumulatively transferred personal information of no more than 100,000 individuals (excluding sensitive personal information) out of China since Jan. 1 of the current year.

V. Are processors of the personal information of more than one million individuals required to undergo the Security Assessment?

According to the Measures on Security Assessments of Cross-border Data Transfers (the “Security Assessment Measures”), a personal information processor that has processed the personal information of one million people must first pass the Security Assessment before transferring personal information abroad. This requirement is generally aimed at large-scale internet platforms processing a great amount of personal information in China. As a consequence, even if only a small amount of personal information is to be transferred abroad, such processors must file for the Security Assessment. Theoretically, any personal information processor may eventually reach the “one million people” threshold if it continues to collect and process personal information over the years, and it is quite burdensome for a processor to undergo the Security Assessment upon exceeding that threshold even if only a single piece of personal information is to be exported. This compliance requirement has caused confusion among domestic PI Exporters.

The New Provisions aim to fix this problem. According to the New Provisions, when transferring data abroad, personal information processors are required to undergo the Security Assessment only if one of the following conditions is triggered:

  • The personal information processor seeks to transfer Important Data abroad;
  • The personal information processor is also deemed a CIIO and seeks to transfer personal information abroad; or
  • The personal information processor has cumulatively transferred personal information of more than one million individuals (excluding sensitive personal information) or sensitive personal information of more than 10,000 individuals out of China since Jan. 1 of the current year.

In other words, the threshold of “one million individuals” is calculated from Jan. 1 of each year rather than from “day one” of processing personal information.

VI. Will Security Assessment be required if a data processor exports data that is not clearly defined as Important Data?

Data processors are not required to apply for the Security Assessment if the exported data has not been notified or published as Important Data by relevant authorities or regions. (Article 2 of the New Provisions)

To be more specific, according to the Measures for Security Assessment of Outbound Data Transfers, which were issued by the CAC on July 7, 2022 and took effect on September 1, 2022, “Important Data” refers to data that may jeopardize national security, economic operation, social stability, or public health and safety if it is tampered with, damaged, leaked, or illegally accessed or utilized. If the data processed by a data processor falls within the scope of Important Data, the data processor must comply with the applicable requirements relating to Important Data under PRC law. For example, a processor intending to export Important Data must file for the Security Assessment, regardless of the amount of Important Data to be exported.

However, the definitive scope of Important Data has yet to be clearly defined by law. According to the Data Security Law of China, the regional and industry authorities shall formulate specific catalogues of Important Data for their respective regions and industries. So far, the regional and industry authorities have still been mulling over the formulation of such catalogues, with the exception of the automobile industry: in August 2021, the CAC, the Ministry of Transport of China and several other PRC ministries jointly issued the Several Provisions on the Security Management of Automobile Data (Trial) (the “Automobile Data Provisions”). Article 3 of the Automobile Data Provisions fleshes out the scope of Important Data in the automotive industry. For other industries and regions, the scope of Important Data remains unclear.

On March 15, 2024, the Chinese authorities released the recommended national standard Information Security Technology – Rules for Data Classification and Grading (the “Data Standard”), which will take effect on October 1, 2024. The Data Standard provides criteria and guidance for identifying Important Data, aiming to add some clarity to the complicated rules governing the Important Data regime.

The New Provisions effectively reduce the burden on data processors: according to Article 2 of the New Provisions, data processors are not required to apply for the Security Assessment if the exported data has not been notified or published as Important Data by the authorities of the relevant regions and industries.

VII. What are the compliance requirements for exporting personal information collected outside China?

The export of personal information collected or generated outside China and subsequently processed within China is not subject to the Security Assessment, Standard Contract or Protection Certification. (Article 4 of the New Provisions)

In practice, many Chinese companies provide services outside China, with their overseas affiliates directly collecting personal information outside China and then transferring it back to a server located in China for storage. Every time the overseas affiliate accesses or processes the personal information stored in China, the server in China provides the personal information to the overseas affiliate. Under the New Provisions, this export activity no longer triggers the requirement for the Security Assessment, Standard Contract or Protection Certification.

VIII. How long is the Security Assessment valid for?

The result of the Security Assessment is valid for three years, calculated from the date of issuance of the result. Upon expiration of the validity period, if the cross-border data transfer still needs to continue and no incident requiring re-application for the Security Assessment has occurred, the data processor may, within 60 business days prior to the expiration of the validity period, apply for an extension of the Security Assessment through the CAC’s local branch at provincial level. Upon approval by the national CAC, the validity period of the Security Assessment result can be extended for an additional three years. (Article 9 of the New Provisions)

IX. How should data processors deal with a Security Assessment or Standard Contract filing completed or in progress before the implementation of the New Provisions?

For data export activities that passed the Security Assessment before the implementation of the New Provisions, the data processor may continue to transfer the data abroad in accordance with the Security Assessment.

For data export activities that failed, in whole or in part, the Security Assessment before the implementation of the New Provisions and are now exempted from the Security Assessment under the New Provisions, the data processor may transfer the data abroad by undergoing either the Standard Contract procedure or the Protection Certification procedure.

If a data processor has already applied for the Security Assessment or the Standard Contract filing prior to the implementation of the New Provisions, and is now not required to carry out these procedures in accordance with the New Provisions, the data processor may continue to proceed with the original procedure, or withdraw the application for the Security Assessment or the Standard Contract filing. (Press conference regarding the New Provisions dated March 22, 2024)

Thanks to Yuan Jiangyue for her contributions to this article.


References

[1] The Rules on Critical Information Infrastructure Security Protection define “critical information infrastructure” as network facilities and information systems in industries and fields such as telecommunications and information services, energy, transportation, water conservancy, finance, public service, online government service, national defense science and technology, and other important industries and fields, as well as other important network facilities and information systems, whose destruction, loss of function or data leakage may seriously endanger national security, public wellbeing and the public interest. The competent authorities of the important industries and fields will notify CIIOs of the determination results in a timely manner. Therefore, enterprises do not need to guess whether they are CIIOs: as long as they have not been notified by the relevant competent authorities, they are not CIIOs.

[2] Please refer to the official website of the CAC (http://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm) for the full text of the Standard Contract template.
