Nearly six months after the Cyberspace Administration of China (CAC) first released for public consultation its draft regulations proposing to relax outbound data transfers from China (the proposed rules; see the Privacy World article "China releases draft regulations to significantly ease cross-border data transfers"), the long-awaited final rules on regulating and facilitating cross-border data flows were published and came into force on March 22, 2024 (the new regulations). The new regulations largely follow the draft regulations but further ease the export of personal data from China.
On the same day, the CAC also released the "Data Export Security Assessment Application Guide (2nd Edition)" and the "Submission Guide for the Personal Data Export Standard Contract (2nd Edition)" (hereinafter collectively the "Second Edition Guides"), which make corresponding adjustments in line with the new regulations.
Exceptions to signing standard contracts and relaxing government security assessment standards
The new regulations largely implement the exceptions set out in the draft regulations, allowing certain cross-border transfers of personal data from China without the need to sign a Standard Contract (SC) and submit it, together with a Personal Information Protection Impact Assessment (PIPIA), to the CAC. Compared with the draft regulations, however, the new regulations further reduce the export obligations that require SC and PIPIA filings by raising the threshold for non-sensitive personal data from 10,000 to 100,000 individuals.
The new regulations also significantly raise the thresholds at which exporters must apply for a mandatory government security assessment. For guidance, we compare the old and new regulations below.
| Management measure | Old regulations (before March 22, 2024) | New regulations (from March 22, 2024) |
|---|---|---|
| New exceptions for certain categories of personal data (no need to pass a security assessment or to sign/submit a standard contract) | Not applicable | 1. Export of employee personal data necessary for human resource management based on formally established HR policies and collective labor agreements; 2. Export of personal data necessary for the performance of a contract to which the individual is a party, such as online shopping, cross-border delivery, cross-border payments, hotel and flight reservations, visa applications and examination services; 3. Export of personal data necessary to protect the life, health or property of individuals in an emergency; 4. Export by an exporter that is not a CIIO (critical information infrastructure operator) of non-sensitive personal data of fewer than 100,000 individuals per year |
| Mandatory government security assessment (exports in these categories require government approval) | 1. Export of important data; 2. The exporter is a CIIO; 3. The exporter is a controller that processes the personal data of 1 million or more individuals; 4. Export of personal data of more than 100,000 individuals per year; 5. Export of sensitive personal data of at least 10,000 individuals | Unless exempted under exceptions (1) to (4) above: 1. Export of important data; 2. The exporter is a CIIO; 3. Export of personal data of more than 1 million individuals per year; 4. Export of sensitive personal data of more than 10,000 individuals per year |
| Signing a standard contract and submitting it, together with a PIPIA, to the government | Required for the export of any other personal data | Unless exempted under exceptions (1) to (4) above, now required only if: 1. Export of non-sensitive personal data of more than 100,000 but fewer than 1 million individuals per year; 2. Export of sensitive personal data of up to 10,000 individuals per year |
Other clarifications
The new regulations also clarify several points of general concern to multinationals and other businesses:
- Business, marketing and scientific data may be transferred freely, provided it contains no personal data or sensitive data.
- The government will provide a specific list or catalog of "sensitive data", either by publication or by notification to specific actors. Companies therefore no longer have to determine on their own whether they hold or process sensitive data.
- The export of personal data that was originally collected and generated outside China and subsequently transferred to China for processing is exempt from the government security assessment and from signing and submitting a standard contract, unless domestic personal data or sensitive data is incorporated during the processing in China.
- The validity period of a government security assessment is extended from two to three years, with the possibility of a further three-year extension.
- Free trade zones may establish whitelists to further ease data flows out of their jurisdictions.
Application to foreign controllers?
Although not explicitly stated in the new regulations, the Second Edition Guides interpret "data export" to include the extraterritorial processing of personal data of Chinese residents described in Article 3 of the Personal Information Protection Law (PIPL). That article covers the processing, outside China, of personal data of Chinese residents for the purpose of providing products or services to them or analyzing their behavior, which resembles the extraterritorial scope of the GDPR in the EU and UK. This interpretation suggests that foreign controllers to which the PIPL applies may also have to pass a government assessment or sign a standard contract. How this would be implemented, however, is unclear. For example, when personal data is collected directly from an individual, it is unclear which party is the "data exporter" and which is the "overseas recipient". Furthermore, given that the PIPL's extraterritorial scope is limited to the purposes of providing products or services or analyzing behavior, such purposes would appear to fall under exception (2) above and therefore be exempt from government assessment and from signing and submitting a standard contract.
Recommendations
The new regulations took effect upon publication, i.e. on March 24, 2024. We strongly recommend that companies promptly map their data exports from China, including the categories and volumes of data transferred in each of the scenarios listed above, in order to assess compliance with the new regulations. In addition, even where a company is exempt from passing a government security assessment or from signing and submitting a standard contract, it must still meet its other legal obligations for data transfer activities, including providing the necessary notices to individuals, obtaining the relevant consents, and carrying out a PIPIA.