Article
Regulations on Promoting and Regulating the Cross-border Data Flow
Publish date: 25 March 2024
In the global digital economy, the movement of data across borders is essential: it carries information and promotes innovation. However, in order to ensure national security, social stability, public interest, and domestic economic development, many countries and regions are exploring legislation to appropriately restrict cross-border data flow. In 2017, 35 countries worldwide had requirements for data localization and cross-border control, and in 2023, 62 countries and regions had already implemented such restrictions. The United States, which has been encouraging the free flow of data while leveraging its long-arm jurisdiction, recently issued Executive Order 14117 to restrict the cross-border flow of sensitive information.
Since the implementation of the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, the Chinese government has continuously explored and practiced control models in the field of cross-border data transfer through the trial implementation of various regulations and rules. Finally, right after this year's two sessions and before the 2024 China Development Forum, a new regulation on cross-border data control, the "Regulations on Promoting and Regulating Cross-border Data Flow", has been introduced to keep up with the times. It is based on the "Regulations on Regulating and Promoting the Cross-border Flow of Data (Draft for Comments)" launched last year, draws on the actual implementation of cross-border data control over the past year, fully considers the feedback from all parties, and further implements the national policy of promoting high-level opening up to the outside world.
Summary & High-level Interpretation
(English abbreviation)
a. Personal Information – PI
b. Sensitive Personal Information – SPI
c. Cyberspace Administration of China – CAC
d. Critical Information Infrastructure – CII
e. Critical Information Infrastructure Operator – CIIO
First, the change in the name of the new regulations from “regulating and promoting” to “promoting and regulating” indicates the positive attitude of the government towards the openness of cross-border data management.
Four scenarios are officially exempted from the cross-border transfer requirements: data entry and re-exit, international contracts with individuals as one party, cross-border HR management, and emergency assistance. This eliminates obstacles to cross-border PI transfer in various routine international affairs and facilitates global unified HR management for multinational corporations.
For PI (non SPI), compared to the previously effective regulations and the draft for soliciting opinions, the new regulations have further relaxed restrictions: cross-border PI transfer of less than 100 thousand per year (excluding SPI) is also exempted. In the draft for soliciting opinions, the exemption applied below 10 thousand. This greatly reduces the burden on businesses that do not handle large amounts of PI.
For SPI, in line with the international trend of increasing protection, the new regulations do not provide quantitative exemptions beyond the four formal exemptions, which is consistent with the original effective regulations. The original draft for soliciting opinions exempted transfers of less than 10 thousand. Relaxing control over non SPI while maintaining the requirements for SPI is also in line with international practice and with the spirit of PIPL, which calls for SPI to be collected and processed carefully.
For important data, the government has officially introduced the "Data Classification and Grading Requirements", in which Appendix G specifies guidelines for identifying important data. Industry regulators and local governments are also gradually introducing or updating important data catalogues for their respective industries and regions. For industries and regions that already have important data catalogues, enterprises must identify and declare them in accordance with Article 2 of the new regulations.
In addition, the new regulations officially grant the governments of each free trade zone the right to take the lead by setting up negative lists that can be adjusted and updated in a timely manner, creating a more convenient cross-border data management environment for enterprises in the zone.
At the same time, the updated guidelines for data cross-border transfer security assessment declaration (second edition) and guidelines for personal information cross-border transfer standard contract filing (second edition) have simplified the materials required for declaration and filing, and provided a data export declaration system (https://sjcj.cac.gov.cn). Except for CIIO and other enterprises that are not suitable for using the data export declaration system, enterprises can declare or file online, which provides a more convenient application and filing environment.
In summary, while maintaining the bottom line of important data and SPI, the new regulations have greatly relaxed the control over the cross-border transfer of non SPI, exempting many common international affairs scenarios from cross-border transfer of PI. This is in line with the spirit of the country's promotion of high-level opening up to the outside world and greater efforts to attract and utilize foreign investment.
Finally, to facilitate understanding of the new regulations, the table below summarizes them from three perspectives: personal information, sensitive personal information, and important data. This makes it easier for readers to match the required compliance channel to the type, data type, and data quantity of their own enterprise.
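| Compliance channel | Data handler | Non SPI | SPI | Important Data |
|---|---|---|---|---|
| Exemption | All | Process PI collected overseas | Process PI collected overseas | Not informed or publicly designated as important data by relevant authorities or local governments |
| Exemption | All | Data subject as a party of an international contract | Data subject as a party of an international contract | |
| Exemption | All | Cross-border HR management | Cross-border HR management | |
| Exemption | All | Emergency situation for life or property protection | Emergency situation for life or property protection | |
| Exemption | Non CIIO | Cross-border transfer less than 100 thousand PI since Jan 1st current year | | |
| Exemption | Free Trade Zone | Data not on the negative list | Data not on the negative list | Data not on the negative list |
| Security Assessment | CIIO | Any non exemption (declare through offline channel) | Any non exemption (declare through offline channel) | Any non exemption (declare through offline channel) |
| Security Assessment | Non CIIO (submit material through https://sjcj.cac.gov.cn or offline channel) | Cross-border transfer more than 1 million PI since Jan 1st current year | Cross-border transfer more than 10 thousand SPI since Jan 1st current year | Any important data |
| Security Assessment | Free Trade Zone | Data on the negative list and require security assessment | Data on the negative list and require security assessment | Data on the negative list and require security assessment |
| SCC/Certification | CIIO | NA | NA | NA |
| SCC/Certification | Non CIIO (submit material through https://sjcj.cac.gov.cn or offline channel) | Cross-border transfer more than 100 thousand and less than 1 million PI | Cross-border transfer less than 10 thousand SPI since Jan 1st current year | NA |
| SCC/Certification | Free Trade Zone | Data on the negative list and require SCC or certification | Data on the negative list and require SCC or certification | Data on the negative list and require SCC or certification |
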
Regulations on Promoting and Regulating the Cross-border Data Flow
National Cyberspace Administration Order
No. 16
The "Regulations on Promoting and Regulating the Cross-border Data Flow" were reviewed and approved at the 26th Office Affairs Meeting of the National Cyberspace Administration on November 28, 2023, and are hereby issued for implementation from the date of publication.
Director of the National Cyberspace Administration, Rongwen Zhuang
March 22, 2024
Article 1: To ensure data security, protect personal information rights, and promote the lawful, orderly, and free flow of data, in accordance with the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", the "Personal Information Protection Law of the People's Republic of China", and other relevant laws and regulations, this regulation is formulated for the implementation of data cross-border transfer security assessments, standard contracts for personal information cross-border transfer, personal information protection certification, and other related cross-border data transfer systems.
Article 2: Data handlers are required to identify and declare important data in accordance with relevant regulations. If not informed or publicly designated as important data by relevant authorities or local governments, data handlers are not required to declare such data for cross-border security assessment.
Article 3: Data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, transnational production and manufacturing, and cross-border marketing that does not include personal information or important data is exempt from declaring for a cross-border security assessment, conclusion of standard contracts for personal information cross-border transfer, and obtaining personal information protection certification.
Article 4: Personal information collected and generated by data handlers outside the Chinese mainland and transferred for domestic processing before being provided abroad, if not incorporating domestic personal information or important data during the processing, is exempt from declaring for a cross-border security assessment, conclusion of standard contracts for personal information cross-border transfer and obtaining personal information protection certification.
Article 5: Data handlers providing personal information overseas, if meeting any of the following conditions, are exempt from declaring for a cross-border security assessment, conclusion of standard contracts for personal information cross-border transfer, or obtaining personal information protection certification:
- It is necessary to provide personal information overseas for the purpose of concluding or fulfilling a contract to which the individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel bookings, visa applications, examination services, etc.;
- Implementing cross-border human resources management in accordance with labour rules and regulations formulated in accordance with the law and collective contracts signed in accordance with the law, where it is necessary to provide personal information of employees outside of Chinese mainland;
- In emergency situations to protect the life, health, and property safety of natural persons, where it is necessary to provide personal information overseas;
- Data handlers other than operators of critical information infrastructure (CIIO), from January 1st of the current year, cumulatively provide less than 100 thousand individuals' personal information (excluding sensitive personal information) overseas.
The personal information provided overseas mentioned in the previous paragraph does not include important data.
Article 6: Free trade zones, within the framework of the national data classification and grading protection system, may independently develop a list of data that needs to be included in the cross-border security assessment, standard contracts for personal information cross-border transfer, and personal information protection certification management scope (hereinafter referred to as the negative list), which shall be approved by the provincial-level CAC and filed with the national CAC.
Data handlers within free trade zones providing data not on the negative list overseas shall be exempt from declaring for a cross-border security assessment, conclusion of standard contracts for personal information cross-border transfer, or obtaining personal information protection certification.
Article 7: Data handlers providing data overseas, if meeting any of the following conditions, shall apply for a cross-border security assessment to the national CAC through the provincial-level CAC:
- CIIO providing personal information or important data overseas;
- Data handlers other than CIIO providing important data overseas, or cumulatively providing personal information of more than 1 million individuals (excluding sensitive personal information) or sensitive personal information of more than 10 thousand individuals from January 1st of the current year.
Situations specified in Articles 3, 4, 5, and 6 are exempt from these provisions.
Article 8: Data handlers other than CIIO, from January 1st of the current year, cumulatively providing overseas personal information of more than 100 thousand individuals but less than 1 million individuals (excluding sensitive personal information) or sensitive personal information of less than 10 thousand individuals, shall legally conclude standard contracts for personal information cross-border transfer with the overseas recipient or obtain personal information protection certification.
Situations specified in Articles 3, 4, 5, and 6 are exempt from these provisions.
Article 9: The validity period of the results from a cross-border security assessment is three years, starting from when the assessment results are issued. If the data handler needs to continue cross-border data activities and no circumstances requiring reapplication for a cross-border security assessment have occurred, the data handler may apply for an extension of the assessment result validity period through the provincial-level CAC to the national CAC sixty working days before the expiration of the validity period. Upon approval by the national CAC, the validity period of the assessment results can be extended for another three years.
Article 10: Data handlers providing personal information overseas shall fulfil the obligations of notification, obtain the separate consent of the individual, and conduct a personal information protection impact assessment (PIPIA), in accordance with the provisions of laws and administrative regulations.
Article 11: Data handlers providing data overseas shall comply with the provisions of laws and regulations, fulfil data security protection obligations, and take technical measures and other necessary measures to ensure the security of data cross-border transfer. If a data security incident occurs or is likely to occur, remedial measures shall be taken, and reports shall be made promptly to the CAC at the provincial level or above and other relevant regulatory authorities.
Article 12: Cyberspace administrations at all levels shall strengthen guidance and supervision over data handlers' data cross-border activities, improve the cross-border security assessment system, optimize the assessment process; strengthen full-chain, full-domain supervision before, during, and after the fact, and, upon discovering significant risks in data cross-border activities or data security incidents, require data handlers to rectify and eliminate hidden dangers; for those refusing to correct or causing serious consequences, legal responsibilities shall be pursued in accordance with the law.
Article 13: Where provisions in the "Measures of Data Cross-Border Transfer Security Assessment" (Order No. 11 of the Cyberspace Administration of China) published on July 7th, 2022, and the "Measures for the Standard Contract for Personal Information Cross-Border Transfer" (Order No. 13 of the Cyberspace Administration of China) published on February 22nd, 2023, are inconsistent with this regulation, this regulation shall apply.
Article 14: This regulation shall come into effect on the date of its publication.