The Regulation on the Facilitation and Standardization of Cross-Border Data Flows (Regulation) was published on 22 March 2024. Since then, the process of developing China's cross-border data export regulations has gradually become clearer. However, there are still many challenges at a practical level. This article provides a brief review and comprehensive analysis.
Development process
Relevant legislation arrives on the scene. Initially, the Cybersecurity Act targeted only critical information infrastructure operators (CIIOs), and no supporting measures were taken, so restrictions on data exports were minimal. Four years later, the Data Security Act and the Privacy Act came into force, comprehensively introducing disclosure, individual consent, privacy impact assessment, and advance procedures (applied one at a time), known as the “compliance trio” (one of the four options is sufficient for cross-border transfers of personal information).
Significant data exports by non-CIIOs are currently under supervision, but remain at a stage characterized by high expectations and limited implementation.
Challenges in implementing the three regimes. From July 2022, supporting documents for the three systems were introduced one after another, ranging from the “Measures for safety assessment of cross-border data transfers” to the “Implementation Regulations for Personal Information Protection Certification” and the “Standard Contractual Clauses for Export of Personal Information”. All parties are facing a huge challenge with data export: critical data exporters, CIIOs, and bulk personal data exporters are undergoing security assessments, while small-volume personal data exporters are required to submit their SCC applications. Additionally, in certain cross-border scenarios, exporters have the option of choosing a privacy certification. After more than a year of struggle, implementation of the three regimes proved extremely difficult.
Survey of data export regulations in the Greater Bay Area. In December 2023, the Implementation Guidelines on Standard Contracts for Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macau Greater Bay Area (Mainland, Hong Kong) were published. Following the failure of the data export pilot zone in the free trade zone and the failure to formulate a low-risk data catalog under the Shanghai Municipal Data Regulations, the Greater Bay Area (GBA) established a green channel for SCC applications for mainland China-Hong Kong data transfers. Although regional trials are timely, they do not adequately address widespread concerns and highlight the experimental nature of these efforts.
Finally, new regulations are introduced. The draft regulations were published on September 28th. After about six months, this regulation finally came into effect on March 22, 2024.
Examining this regulation reveals several notable points: adoption of the “no claims, no acceptance” principle for disputes involving important data; exemption from data export pre-procedures in six specific scenarios; redrawn thresholds for security assessment and standard contract (SCC) conclusion; the number of people within the evaluation year that marks the dividing lines (100,000 people and 1 million people who are involved in outbound personal information, and 10,000 people who are involved in outbound confidential personal information); and the possibility of a negative list (i.e. special administrative measures) for free trade areas.
The Regulation is more than just a patch. It heralds a new era of cross-border data flows. The Regulation sets out the circumstances in which CIIOs are exempt from conducting a security assessment for exports of sensitive data and personal information, redefines standards for high-volume personal information processors, and exempts pre-procedures in some scenarios. Individual consent for outbound personal information may be becoming more relaxed, but we need to continue to monitor its specific implementation.
Unresolved issues
As regulations have been promulgated, real-world scrutiny has revealed a number of unresolved issues in cross-border data regulation. Some of them are outlined below.
Boundaries of personal information. The Personal Information Protection Act stipulates the scope of personal information, but the criteria for determining whether specific information falls under personal information need to be further refined. The combination of identification and association criteria and the challenge of achieving effective anonymization have significantly expanded the scope of personal information.
Definition of domestically collected data. Further clarification is required regarding the interpretation of “personal information collected and generated overseas” and “domestic personal information” in Article 4 of the Regulation. There is ongoing debate as to whether “direct collection overseas and servers located overseas” fall under this definition.
Range of exemption scenarios. Article 5 of the same regulation stipulates four types of exemption cases, three of which require determining whether “the provision to overseas parties is truly necessary.” In the case of a “contract in which an individual is a party”, does the subject of personal information have to be the “contractor” of the contract?
Relationship between SCC conclusion and application. Article 8 of the Regulation sets out the circumstances in which it is necessary to conclude an SCC. The Scope section of the Guidelines for Filing Standard Contracts for Cross-Border Transfers of Personal Information (Second Edition) specifies scenarios in which filings may be required after an SCC is established. Does this mean that there are scenarios where an SCC is established but no application is necessary?
Methods of data statistics. When accessing domestic personal information from overseas, it is necessary to clarify how the number of individuals in the evaluation year will be aggregated. Should it be based on the number of individuals corresponding to the permission granted to the international recipient, or should it be based on the number of individuals actually accessed? Should the count include only new additions, or should it include all individuals with permissions after “January 1” of each evaluation year?
Although challenges and concerns remain, a new era of cross-border data flows has officially arrived.
Calvin Peng is the next partner. Oshiro a law office. He can be reached by phone at +86 21 5878 8300 and by email at calvin.peng@dentons.cn