On 22 March 2024, the Cyberspace Administration of China (CAC) issued the Provisions on Promoting and Regulating Cross Border Data Flow (in Chinese: 促进和规范数据跨境流动规定, the Data Export Relaxation Provisions), which came into effect on the same date. This long-awaited regulation aims to address common questions from market players and alleviate the burden on Chinese data exporters in certain scenarios. 

Below, we outline the key takeaways for your reference. 

A. Important Data

Under the Data Export Relaxation Provisions, data processors do not need to initiate security assessment procedures unless notified by the relevant regulatory authority or unless a specific category of data processed by them is published and identified as important data. 

This clarification tackles the confusion among market players regarding the processing of important data during business operations. Previously, the concept of “important data” was considered broad and vague, and the existing catalogues of important data are limited. Now, the process of identifying important data appears to align with that of identifying critical information infrastructure operators (CIIOs). 

As a matter of practice, a data processor may still need to proactively approach the CAC to clarify the identification process for important data in due course.

B. Negative List in Pilot Free Trade Zone (PFTZ)

PFTZs in China may issue a catalogue (the Negative List) detailing specific categories of data respectively subject to the administrative management of Security Assessment, personal information export standard contract (China SCC), and Personal Information Protection Certification. 

The Negative List requires approval from the provincial counterpart of the CAC and registration with the CAC and the National Data Administration. It remains to be seen whether there will be a unified Negative List applicable across the various PFTZs or if each PFTZ will issue its own.  

C. Triggers for Security Assessment

Security assessment procedures administered by the CAC are triggered by any of the following circumstances:

(a) A CIIO exports personal information or important data; or

(b) A data processor other than a CIIO exports (i) important data, or (ii) personal information (excluding sensitive personal information) of more than one million (1,000,000) individuals cumulatively since 1 January of the current year, or (iii) sensitive personal information of more than ten thousand (10,000) individuals cumulatively since 1 January of the current year. 

D. Triggers for China SCC

A data processor other than a CIIO exports (i) personal information (excluding sensitive personal information) of more than one hundred thousand (100,000) and fewer than one million (1,000,000) individuals cumulatively since 1 January of the current year, or (ii) sensitive personal information of fewer than ten thousand (10,000) individuals cumulatively since 1 January of the current year.  

E. Triggers for Personal Information Protection Certification

Same as for China SCC. 

F. Exemptions

According to the Data Export Relaxation Provisions, Security Assessment, China SCC and Personal Information Protection Certification are no longer mandatory in any of the following circumstances:

(a) The data export does not concern personal information or important data, and the data is generated and collected in activities such as international trade, cross-border transportation, academic cooperation, transnational manufacturing, and marketing.

(b) The personal information being exported was originally collected and generated outside of China and later processed in China and does not contain personal information or important data from within China.

(c) Any of the following conditions are met:

(i). The export of personal information is indeed necessary for the formation and performance of a contract to which the individual is a party, such as cross-border shopping, shipping, funds remittance, payment, account opening, air tickets and hotel booking, visa processing, and testing services;

(ii). The export of personal information of employees is indeed necessary for implementing cross-border human resources management in accordance with the labour rules and regulations formulated pursuant to applicable laws and the collective contracts entered into pursuant to applicable laws;

(iii). The export of personal information is indeed necessary in order to protect the safety of life, health, and property of a natural person in an emergency; or

(iv). A data processor other than a CIIO exports personal information (excluding sensitive personal information) of fewer than one hundred thousand (100,000) individuals cumulatively since 1 January of the current year.

(d) A data processor located in the PFTZ exports certain data falling outside the ambit of the Negative List.

G. Remaining Obligations

Despite the relaxed measures granted by the Data Export Relaxation Provisions, the other regulatory requirements prescribed in the Personal Information Protection Law still apply to data export activities in China. Specifically, personal information handlers must notify the personal data subject and obtain separate consent. In addition, a personal information protection impact assessment shall be undertaken accordingly. 

*Please be aware that this article is for informational purposes only and does not constitute legal advice. For specific legal advice tailored to your circumstances, please consult with a qualified legal professional. 

Author

Senior Associate, Corporate and M&A