China’s Cybersecurity Regulator Moves to Ease Cross-Border Data Transfer Rules

Written by Arendse Huld

China’s cybersecurity regulator has released a draft document that proposes to ease rules on the export of personal information and “important” data overseas. The draft document rolls back requirements for companies to undergo certain approval procedures to export data, allowing free cross-border data transfer in certain situations. If passed, these regulations will significantly ease aspects of the current China cross-border data transfer rules to the benefit of foreign companies and multinationals in particular.


The Cybersecurity Administration of China (CAC) has released a new set of draft regulations that, if passed, will considerably ease the restrictions on cross-border data transfer (CBDT) for foreign companies and multinationals. 

The Regulations on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) (the “draft regulations”) provide several allowances for the export of “important data” and personal information (PI) in certain scenarios, which, if passed, would alleviate uncertainties and compliance burdens for many companies. The CAC is soliciting public feedback on the draft regulations until October 15, 2023. 

China has been significantly expanding its PI protection and data security legislation in recent years. This has included the roll-out of strict regulations on the export of PI and important data, with companies being required to undergo various security assessment and certification mechanisms in order to gain approval to transfer data overseas. 

These requirements have caused significant disruption to both domestic and foreign companies that rely on the free flow of data for basic operations. The draft regulations can therefore be seen as a concerted effort to improve the business environment in China, in particular for foreign companies, as the country aims to boost economic recovery in the wake of the pandemic. 

What are the current CBDT rules? 

The regulations surrounding CBDT have been fleshed out over the last few years in a series of laws and regulatory documents. Chief among them is the Personal Information Protection Law (PIPL), which requires companies that need to export a certain volume of data to undergo various compliance processes. 

Article 38 of the PIPL stipulates that companies exporting the data collected from subjects in China must do one of the following depending on the volume and type of data being exported: 

  • Undergo a security assessment organized by the CAC;
  • Obtain personal information (PI) protection certification by a professional institution in accordance with the regulations of the CAC;
  • Sign a standard contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC; or 
  • Meet other conditions set by the CAC or relevant laws and regulations.  

The CAC has subsequently released separate measures for each of the above mechanisms, excluding the final item. These measures not only outline how the requirements will be implemented but also stipulate the conditions under which companies must be subject to one of these mechanisms.  

Under the measures for the implementation of the security assessment, the highest bar of compliance, a company must undergo a security assessment by the CAC in any of the following circumstances: 

  1. The company exports “important data” overseas;
  2. The company is a critical information infrastructure operator (CIIO) or is a company handling the personal information of more than one million people, and exports personal information overseas;
  3. The company has exported the personal information of 100,000 people or the “sensitive” personal information of 10,000 people since January 1 of the previous year and provides personal information overseas; and
  4. The company engages in any other situations stipulated by the CAC. 

Meanwhile, companies can choose to undergo PI protection certification by a third-party agency or sign a standard contract with the overseas recipient if they fall below the above thresholds; that is, they are not a CIIO, they process the PI of under one million people, and they have cumulatively exported the PI of less than 100,000 people and the “sensitive” data of under 10,000 people since January 1 of the previous year.

The relatively low threshold for the volume of data a company can handle before it must undergo a security assessment means that many companies are now subject to this requirement. 

In addition, the ambiguity over terms such as “important data” and “CIIO” has left many companies uncertain whether the requirements apply to their operations.

“Important data” has been defined in the security assessment measures as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used”. However, the authorities haven’t yet released a reference document for the type of data that would be deemed to fall under this definition, leaving the definition largely up to interpretation. 

Meanwhile, CIIOs have been defined in the Regulations on the Security and Protection of Critical Information Infrastructure as companies engaged in “important industries or fields”, including:  

  • Public communication and information services;  
  • Energy;  
  • Transport;  
  • Water;  
  • Finance;
  • Public services;  
  • E-government services;  
  • National defense; and  
  • Any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.  

Whereas for some companies this classification will clearly apply—such as companies in fields such as power grids, public transport, military provision, and so on—for others it is more ambiguous. For instance, “any other important network facilities or information systems” could be interpreted to include major online service companies, such as Tencent’s WeChat or ride-hailing platform Didi.  

The requirements for CBDT have been a cause for significant concern among foreign companies, MNCs, and foreign business groups in China. Foreign companies and multinationals are also particularly affected, as the cross-border nature of their operations means that they often have to export data outside of China. 

Easing CBDT requirements for foreign companies: What’s in the new draft regulations? 

China’s authorities have hinted at easing regulations surrounding CBDT for foreign companies several times, in particular since China reopened following the pandemic, and have strived to attract more foreign investment in an effort to boost economic recovery. In August 2023, a set of measures for optimizing the foreign investment environment from the State Council, China’s cabinet, called for establishing “green channels” for qualified foreign companies to export data, and to pilot a list of “general data” that can be transferred freely across the border in Beijing, Tianjin, and Shanghai. 

The new draft regulations contain 11 proposals to ease the CBDT compliance burden for companies and “further standardize and promote the orderly and free flow of data in accordance with the law”. 

Easing requirements for export of “important data” and PI 

The draft regulations waive the requirement for companies to undergo any of the three compliance processes (security assessment, PI protection certification, or standard contract) to export data if the data does not contain any PI or important data and is generated in activities such as international trade, academic cooperation, transnational manufacturing, and marketing.

Whereas this still hinges upon the definition of “important data”, the draft regulations also stipulate that if the data in question has not already been declared as “important data” by relevant government departments, through a regional notice, or through public notice, then the company is not required to undergo a security assessment. In other words, if the data has not been officially specified as “important”, then it will not be treated as such for the purpose of CBDT. 

The draft regulations also clarify that companies do not need to undergo any of the three CBDT mechanisms in order to export PI that has not been collected or generated in China. 

Facilitating CBDT for necessary transactions 

The draft regulations go on to stipulate scenarios in which the export of PI is deemed necessary and is therefore not subject to the three CBDT mechanisms. These scenarios are also items under Article 13 of the PIPL, which stipulates the scenarios in which a company is permitted to process the PI of a subject.

These scenarios are where: 

  1. PI must be exported for the purpose of entering into and performing a contract to which an individual is a party, such as cross-border e-commerce, cross-border remittances, air ticket and hotel reservations, visa processing, and so on;
  2. The PI of internal employees must be exported in order to implement human resources management in accordance with the labor rules and regulations and the collective contract signed with employees; or
  3. PI must be exported in order to protect the safety of life, health, and property of natural persons in emergencies. 

Waiver of CBDT mechanisms for export of low volume of PI 

The draft regulations slightly shift the thresholds of the volume of data that a company can export before they need to undergo a certain CBDT mechanism. 

The draft regulations state that if a company expects to export the PI of fewer than 10,000 people within a year, then they do not need to undergo any CBDT mechanisms. As mentioned above, current regulations state that any company that has cumulatively exported the normal PI of under 100,000 people or sensitive PI of under 10,000 people since January 1 of the previous year must either undergo PI protection certification or sign a standard contract with the overseas recipient.

Proposed Change in PI Export Volume* Thresholds for CBDT Mechanisms

| Required CBDT mechanisms | Current regulations | Draft regulations |
|---|---|---|
| No mechanism required | N/A | Expected within 1 year: < 10,000 |
| PI protection certification or standard contract signing | Cumulative since January 1 of previous year: ≤ 100,000 (normal PI); or ≤ 10,000 (sensitive PI) | Expected within 1 year: ≥ 10,000; and < 1,000,000 |
| Security assessment by CAC | Cumulative since January 1 of previous year: ≥ 100,000 (normal PI); or ≥ 10,000 (sensitive PI) | Expected within 1 year: ≥ 1,000,000 |

* The number of people whose PI a company has collected or expects to collect. 

Meanwhile, the draft regulations clarify that if a company expects to export the PI of between 10,000 and one million people within a year, then they can choose to undergo PI protection certification or enter into a standard contract (they will not need to undergo a security assessment). This raises the cap for this type of mechanism from the PI of just 100,000 people to one million. Finally, only when a company expects to export the data of over one million people in a year will they be required to undergo a security assessment.

The fact that the draft security regulations change the wording from “cumulative” to “expected” amounts also suggests that companies will be allowed to estimate the amount of data that they will process in a given year, rather than basing their status on past activity. However, the draft regulations do not say what will happen if a company exceeds the expected amount in a given year. 

Implementation of a data “negative list” in free trade zones 

The draft regulations propose that China’s free trade zones (FTZs) formulate data “negative lists” of certain types of data for which a company must undergo one of the CBDT mechanisms and receive approval from the CAC to export.

Under this system, any data types that are not included in the negative list could be freely exported through the FTZs, without the company needing to undergo any CBDT requirements. 

PI and data protection requirements 

The draft regulations make it clear that companies and other organizations are still required to comply with China’s data and PI protection regulations when exporting PI. For instance, they stipulate that companies “that provide important data and PI overseas must abide by the provisions of laws and administrative regulations, fulfill their data security protection obligations, and ensure the security of data export”. 

In addition, state agencies and CIIOs exporting PI and important data overseas must “comply with relevant laws, administrative regulations, and departmental rules”, and “providing sensitive information or sensitive PI involving the Party, government, military, or confidential units to overseas parties shall be carried out in accordance with relevant laws, administrative regulations, and departmental rules”. 

Potential impact on the business environment for foreign companies 

If passed in their current form, the draft regulations will make compliance with China’s CBDT regulations significantly easier for many foreign companies. For instance, the clause which allows companies to export potentially important data without undergoing the CBDT mechanisms—if the important data has not been specifically defined—addresses a key concern for foreign companies and business groups.

In its European Business in China Position Paper 2023/2024 released last month, the European Union Chamber of Commerce in China (EU Chamber) notes the lack of a clear definition for important data, and “urges for the scope of important data to be clearly and narrowly defined, with regulators providing a sufficient grace period between any future releases of guidelines related to the definition of ‘important data’ and catalogues, and their implementation”. 

While the draft regulations do not provide a definition for important data, they would allow companies whose applications for data export have been denied due to their inclusion of undefined important data to have these decisions potentially overturned, at least until the authorities provide a specific definition. This will help to alleviate uncertainty and greatly facilitate companies’ normal operations in the interim. 

The EU’s Position Paper also takes issue with the fact that the security assessment mechanism for CBDT “can be easily triggered by most large firms and consumer-facing firms” due to the low threshold of data volume for this mechanism. The draft regulations’ proposal to raise the thresholds for the various CBDT mechanisms (and the security assessment mechanism in particular) will be beneficial, particularly to smaller companies dealing with smaller volumes of data, which perhaps do not have the staff or budget to handle the added administrative burden.

Of course, companies that handle large volumes of data will in many cases still be subject to the CBDT mechanisms. However, the addition of specific scenarios for which they are not required will benefit these companies in handling specific tasks.

It is also important to note that, even if these draft regulations pass in their current form, China will continue to develop its PI protection and CBDT regulations, meaning that requirements may become stricter in the future. As definitions and implementation guidelines become narrower and more targeted, the space for legitimate ignorance of the regulations also shrinks. Foreign companies should therefore continue to develop their PI and data protection compliance capabilities, and work on contingency plans for scenarios in which their data is designated as important.

About Us

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong.
