On March 22, 2024, the Cyberspace Administration of China ("CAC") promulgated the final version of the Regulations on the Promotion and Regulation of Cross-Border Data Flows (the "Final Regulations").1 This concludes the consultation process that began with the release of the draft version on 28 September 2023.2 The deliberate change in terminology from "regulation and promotion" in the draft to "promotion and regulation" in the Final Regulations is, at least nominally, a shift in emphasis toward facilitating international data flows rather than imposing strict controls and restrictions. It signals a change of focus, consistent with the 24-point liberalization measures endorsed by both the previous and the current State Council.3
Notably, the preamble to the Final Regulations states that the CAC formally adopted them on November 28, 2023. The reason for the roughly four-month gap before publication remains unclear, although the draft had raised widespread hopes, now borne out by the final text, that the compliance burden faced by the countless companies engaged in cross-border data transfers would be significantly reduced. The promulgation appears to have been timed strategically to coincide with the high-profile China Development Forum, at which multinational corporations ("MNCs"), CEOs and international investors are told that China is committed to creating a more welcoming environment for foreign business. It sends a positive signal about the commitment to foreign investment expressed in various policy documents.
The Final Regulations significantly relax the existing data export compliance rules by 1) carving certain common data export scenarios out of all filing requirements; 2) raising the volume thresholds that trigger a filing obligation; 3) narrowing the scope of "important data"; and 4) creating more flexible policy space for negative-list management in the pilot free trade zones ("FTZs") where many foreign-invested enterprises are registered.
Compliance requirements before the Final Regulations
By way of background, the existing data export security compliance regime rests on three alternative pillars: (i) a mandatory CAC-led data export security assessment when certain thresholds are exceeded (initial review by the provincial-level CAC, final review by the national CAC); (ii) filing of the PI Standard Contractual Clauses ("SCC") with the local CAC; or (iii) PI protection certification ("PIPC") by a professional certification body designated by the CAC.
Under the rules that preceded the Final Regulations, the mandatory security assessment applied to (a) critical information infrastructure operators ("CIIOs") exporting PI or important data; (b) any export of important data; (c) processors handling the PI of more than 1 million individuals; and (d) processors that had exported, cumulatively since January 1 of the previous year, the PI of 100,000 individuals or the sensitive PI of 10,000 individuals.
A non-CIIO data processor that processed and exported PI below the "1 million/100,000/10,000" thresholds remained subject to SCC filing or PIPC. In practice, MNCs are unlikely to be designated as CIIOs and unlikely to process important data, unless they process the PI of more than one million individuals, in which case the PI was regarded as constituting important data.
The previous rules provided no exemptions. As a result, many MNCs needed at least to file SCCs or obtain PIPC whenever they exchanged information containing PI with overseas parent companies, affiliates and business partners.
Exemptions from filing requirements
The Final Regulations set out conditions under which cross-border data transfers are fully exempted from all three compliance mechanisms. There are two types of exemption: scenario-based and volume-based.
Scenario-based exemptions: data falling within the following scenarios is not subject to the above requirements when transferred across the border, regardless of volume:
1) Data collected and generated in international trade, cross-border transportation, academic collaboration, multinational production and manufacturing, and marketing activities, provided to overseas parties, that contains neither PI nor important data. This means that exporting production, business, financial and operational data from an MNC's Chinese entity to its overseas affiliates is not subject to any filing requirement unless the data contains PI or important data.
2) PI that was collected or generated overseas, transferred into China for processing and then re-exported, provided that no PI or important data collected in China is introduced during that processing.
3) PI transfers necessary to conclude or perform a contract to which the individual is a party, such as cross-border shopping, cross-border mailing, cross-border remittances, cross-border payments, cross-border account opening, flight or hotel reservations, visa applications and examination services.
4) Cross-border human resources ("HR") management necessary to implement lawfully established labor rules and lawfully concluded labor contracts, where this requires providing employees' PI overseas.
5) PI transfers necessary to protect the life, health or property of natural persons in an emergency.
Volume-based exemption:
6) Non-CIIO data processors that have exported, cumulatively since January 1 of the current year, the non-sensitive PI of fewer than 100,000 individuals.
Filing requirement thresholds
Outside the exemption scenarios listed above, the Final Regulations specify that a mandatory security assessment applies to:
1) CIIOs exporting PI or important data;
2) non-CIIO data processors exporting important data; or
3) non-CIIO data processors that have exported, since January 1 of the current year, the non-sensitive PI of more than 1 million individuals or the sensitive PI of more than 10,000 individuals.
The Final Regulations also clarify the conditions under which SCC filing or PIPC continues to apply, namely:
1) non-CIIO data processors exporting the non-sensitive PI of 100,000 or more but fewer than 1 million individuals; or
2) non-CIIO data processors that have exported, since January 1 of the current year, the sensitive PI of fewer than 10,000 individuals.
While the SCC/PIPC volume threshold for non-CIIOs has been raised so that it now applies only to exports of non-sensitive PI involving 100,000 or more individuals, it is important to note that no minimum volume threshold is set for sensitive PI. Any export of sensitive PI therefore requires at least an SCC filing or PIPC, and a security assessment once the volume reaches 10,000 individuals, unless a scenario-based exemption applies, such as where the transfer is necessary to conclude or perform a cross-border contract or for cross-border HR management as described above. MNCs must consequently justify the need for any cross-border transfer of sensitive PI rigorously or face filing requirements as onerous as those that preceded the Final Regulations. Sensitive PI typically includes data such as an individual's ID/passport details, bank account and personal property information, biometric information (photos, fingerprints, etc.), medical records and similar items. This adjustment is likely to discourage MNCs from transferring sensitive PI overseas unless absolutely necessary.
Important data
A positive development is that the Final Regulations clarify, for the first time, that unless a data processor has been notified by the relevant industry regulator or local authority that particular data constitutes important data, or the data falls within a definition of important data in published regulations, the processor need not treat the data as important data or apply for a data export security assessment in respect of it.
Negative list in free trade zones
Importantly, pilot FTZs are empowered to establish a "negative list" regime: data export activities not on an FTZ's negative list are exempt from the security assessment, SCC filing and PIPC requirements. Pilot FTZs may seek to compete by the breadth of the exemptions their negative lists leave open.
Conclusion
The Final Regulations are poised to significantly reduce the compliance burden that MNCs face when navigating China's complex data export rules. They streamline the requirements and introduce practical scenario-based and volume-based exemptions. This will greatly ease the burden on the typical MNC doing business in China and will be welcomed by the domestic and international business community.