China's Data Export Compliance in Law and Practice
2023-10-09 | Maggie Meng | Xingchen Qian

Translators: Kok Shen Xu | Zheng Pan

 

Preamble

 

On September 28, 2023, the Cyberspace Administration of China (the "CAC") promulgated the Provisions on Regulating and Promoting Cross-border Data Flow (Draft for Comments) (the "Draft Provisions"). The department receiving the public comments is the Online Data Administration Department of the CAC, and the deadline for comments is October 15, 2023. Given that the Mid-Autumn Festival and the National Day holidays fall before the deadline, the period for soliciting public comments is actually very short. It should also be noted that the Measures for the Security Assessment of Cross-border Data Transfer (the "Security Assessment Measures") and the Measures for the Standard Contract for Cross-border Transfer of Personal Information (the "Standard Contract Measures") have been in effect for some time. The deadline for rectification stipulated in the Standard Contract Measures will be due in less than two months. The promulgation of the Draft Provisions resolves the challenges faced by many enterprises, which are subject to security assessment or standard contract (the "SCC") record-filing for cross-border data transfer and find compliance challenging due to complicated procedures and high compliance costs. It also reflects a framework for the cross-border data flow according to local conditions constructed by China, taking into account the latest situation at home and abroad. On the basis of ensuring national security, China aims to eliminate high-cost "barriers" that may hinder economic circulation, fully open up the development pattern of digital trade, improve the level of opening up, realize the digital globalization strategy and global allocation of data resources, and promote national economic development.

 

The Draft Provisions has a significant impact on enterprises' compliance requirements and selection of protection measures for cross-border data transfer. This article provides our views on some of the key issues relating to these new provisions and their practice.

 

1. Background

 

Openness and cooperation are appearing as the new global trends for cross-border data flow. In particular, in June and July this year, the US and the UK reached a cooperation agreement on the cross-border data flow using a "Data Bridge," and the US and the EU also reached a new data privacy framework based on "Privacy Shield 2.0", allowing international digital trade activities to be further supported by new frameworks for cross-border data transfer. The world's major trade powers have progressed from a stagnant phase for data flow and now seek to accelerate the development of global digital trade rules, and actively build a cross-border data ecosystem. Therefore, the Draft Provisions, by optimizing China’s rules on cross-border data flow, is conducive to China's further integration into the DEPA (Digital Economy Partnership Agreement), the CPTPP (Comprehensive and Progressive Agreement for Trans-Pacific Partnership), and other international digital trade agreements and plays a positive role in the significant growth of China's digital trade in the future.

 

In addition, on the basis of the principles of the 14th Five-Year Plan for Development of Trade and Services, the Draft Provisions reflects China's belief in and emphasis on digital trade as a new driver of opportunity for many industries through the facilitation of offshore data processing and offshore data service outsourcing as well as other new forms of data trade, which promotes the facilitation of cross-border flow of service elements, explores new models of data trade and promotes the digitalization process of service trade. For example, where overseas data is transferred abroad after entry, Article 3 of the Draft Provisions provides that where the personal information that is not collected or generated within the territory of the PRC is transferred abroad, security assessment, SCC, or a certification for personal information security protection (the "Certification") will not be required for the cross-border data transfer. Secondly, the Draft Provisions further provide that the free trade zone may adopt a data "negative list" policy. This allows the relevant regulator in the free trade zone to explore and relax data export policies so as to satisfy the diversified data export needs of enterprises in the free trade zone to have an advantage in digital trade and position such free trade zones as important channels for digital trade and cross-border data activities. Article 7 of the Draft Provisions provides that "pilot free trade zones may, at their own discretion, do the following: (i) formulate lists of data (i.e., negative lists) that need to be included in the scope of security assessment for cross-border data transfer, engagement of SCC, and Certification; and (ii) require that the above be reported to the cyberspace administration authority at the provincial level for approval and filed with the national level CAC for record keeping. 
For the data not included in the negative lists, the parties concerned are not required to apply for a security assessment, conclude the SCC, or obtain Certification."

 

2. Logic and formula for the changes

 

Under the current regulatory framework relating to data export compliance, an enterprise, when transferring data abroad, shall consider its subject category and the type and quantity of the data to be transferred to determine whether it needs to additionally: (a) file a security assessment; (b) conclude the SCC for personal information protection; or (c) obtain a Certification (the above three requirements are collectively referred to as "Protective Measures for Cross-border Data Transfer"). Specifically:

  • Where a critical information infrastructure operator (the "CIIO") needs to transfer abroad personal information and important data generated or collected in the course of business operations in China due to genuine business needs, it shall conduct a security assessment of cross-border data transfer in accordance with the measures formulated by the CAC and relevant departments under the State Council. If other laws or administrative regulations are applicable to the cross-border transfer of personal information, their requirements shall also be fulfilled.
     

  • If the data to be transferred abroad is important data, a general network operator shall apply for and pass the security assessment by CAC.
     

  • If the data to be transferred abroad is personal information, a general network operator shall apply for and pass the security assessment by CAC if any of the following thresholds is met:

    (i) processing the personal information of more than one million individuals;
    (ii) providing abroad the personal information of more than 100,000 individuals cumulatively since January 1 of the previous year; or
    (iii) transferring abroad the sensitive personal information of more than 10,000 individuals cumulatively since January 1 of the previous year.

    If the data to be transferred abroad is personal information but does not meet any of the above thresholds, the operator may either (a) enter into and file an SCC, or (b) obtain Certification before transferring the personal information abroad.

    However, on the basis of the second half of Paragraph 2(4), Article 38 of the Personal Information Protection Law of the People's Republic of China (the "PIPL"), the personal information processor shall abide by other conditions and provisions of the CAC if it genuinely needs to transfer personal information abroad. Since the Draft Provisions is promulgated by the CAC, the relevant provisions of the Draft Provisions conform to the other conditions prescribed by the CAC. Moreover, Article 11 of the Draft Provisions explicitly provides that in the event of any inconsistency between the Security Assessment Measures, the Standard Contract Measures, and the Draft Provisions, the Draft Provisions shall prevail. If the Draft Provisions is to be adopted as the final draft which reflects major adjustments to the logic of the protective measures for transferring data abroad, the formula for choosing the compliance path for transferring data abroad shall be reformulated in accordance with the final draft as follows:

  • Firstly, enterprises should determine whether the data to be transferred abroad constitutes important data. According to the Draft Provisions, the enterprise only needs to pay attention to whether the relevant authority or local authority has notified the enterprise or published the list of the important data processed by it. However, the enterprise should still take the initiative to conduct internal checks and self-assessments based on the relevant laws and regulations, publicized cases, and the national standard Information Security Technology - Guideline for identification of important data.

  • If the data to be transferred abroad is personal information, the focus should be shifted from sensitive personal information to personal information, from the cumulative quantity of the previous year to the quantity of personal information that it now intends to transfer abroad within one year. The relevant thresholds and requirements are as follows:

    1. an enterprise expecting to transfer abroad the personal information of fewer than 10,000 individuals within one year is exempt from security assessment, SCC record-filing, or Certification;

    2. an enterprise expecting to transfer abroad the personal information of between 10,000 and one million individuals within one year is required to conduct SCC filing or Certification but may be exempt from security assessment;

    3. an enterprise expecting to transfer abroad the personal information of more than one million individuals within one year is required to apply for security assessment of cross-border data transfer.

Moreover, the Draft Provisions also provides exemption from the security measures for cross-border data transfer in ten key scenarios, the specific mechanisms of which will be explained in Section 3 of this article. If an enterprise's data to be transferred abroad is included in the exemption scenarios, the above thresholds for the estimated number of individuals in relation to cross-border data transfer will take precedence. In particular, it provides a more relaxed environment for all multinational enterprises and domestic enterprises to deal with the issue of cross-border transfer of employees' personal information, hence greatly simplifying the internal procedures of multinational enterprises and improving the ease of internal cross-border data transfers. If an enterprise can prove that it will transfer abroad its employees' personal information in accordance with labor laws and regulations or collective contracts signed in accordance with the law, it will be exempted from the data export protection measures.

 

As mentioned above, the Draft Provisions also contains a classic exemption scenario for data export protection measures, which is the "negative list" of free trade zones for certain types of data. In the event that the enterprise's domicile is located in a free trade zone and the type of data to be exported is not included in the "negative list" published by the free trade zone, the enterprise can freely transfer the data abroad. It should be noted that the Draft Provisions also provides that the establishment of such a "blacklist" shall be approved by the provincial-level cyberspace administration in advance and filed with the national-level CAC for the record. Currently, it remains unknown in practice to what extent the blacklists established by different free trade zones will vary, who will be in charge of the review of whether all the blacklisted data to be transferred abroad is affected, and whether enterprises that are not located in a free trade zone or that already allow their data to be transferred abroad from other provinces may set up "connecting points" with different free trade zones to enjoy the advantages offered by such zones.

 

It should also be emphasized that although China allows the regulation of data export risks in certain scenarios to take the form of self-assessments conducted by enterprises on their own in the case of cross-border transfer of personal information or important data by CIIOs due to genuine business needs, this does not exempt the relevant regulators from post-examinations or third-party audits. In addition, it should be noted that China has not loosened the bottom line of safeguarding national security, strictly controlling risks with respect to cross-border transfer of CIIO data and requiring mandatory pre-examination. For example, according to Article 8 of the Draft Provisions, regardless of any exemption that may apply, CIIOs are still required to apply for a security assessment to the CAC for their cross-border transfer of personal information or important data.

 

3. Interpretations of specific provisions

 

A. New rules on cross-border transfer of "important data"

 

To ensure data security and protect national interests, cross-border transfer of important data has become a regulatory focus of various countries and various jurisdictions. Chinese regulators have similarly explicitly required enterprises to apply for a security assessment with the CAC before conducting a security risk assessment for the cross-border transfer of "important data." This is so as to strengthen the level of supervision over data exports and ensure the security and confidentiality of the data. However, in practice, although there are definitions of the term "important data" in the relevant laws and regulations, the scope of "important data" so far remains vague. This poses certain compliance challenges and risks for enterprises that have to determine on their own whether the data to be transferred abroad constitutes important data.

 

The Draft Provisions proposes clear guidance that a notification from local and industry authorities shall be the standard for determining important data, the same as for the identification of whether an enterprise is a "CIIO." While this provides certainty to such an enterprise, it also strengthens the enforceability of the Security Assessment Measures.

 

Current regulations and policies have reflected the requirements of protecting data security and at the same time, resolved some of the operation difficulties for enterprises, which is commendable. However, many industries are still concerned about the specific time by which the catalogs of "important data" will be made available. Therefore, it is suggested that the relevant industries, regions, and departments accelerate the formulation and circulation of the catalogs of "important data" and that enterprises, prior to the formulation of a definite "important data" list, should remain prudent by carefully reviewing the cross-border transfer of their data, communicating actively and transparently with the relevant authorities, and adjusting their data export strategies and processes in a timely manner so as to avoid compliance risks. Furthermore, it should be noted that the catalogs and the lists of "important data" may also be adjusted from time to time and from province to province. Therefore, enterprises need to continue to pay attention to any adjustments to the scope of important data and make timely adjustments to remain compliant.

 

B. New regulatory rules on cross-border transfer of "personal information"

 

As mentioned in Section 2 of this article, there are reconstructions of the provisions for cross-border transfer of personal information from different perspectives. Article 3 to Article 6 of the Draft Provisions also proposes to re-construct the logic and standards for calculating the number of individuals with respect to data export, as well as innovatively provide the exemption scenarios. This subsection only elaborates the former, i.e., Article 5 and Article 6 of the Draft Provisions. The exemption scenarios prescribed by Article 3 and Article 4 will be introduced in the following subsection, together with other exemption scenarios.

 

Article 5 of the Draft Provisions clarifies that if it is estimated that fewer than 10,000 individuals’ personal information is to be transferred abroad in one year, the data export security measures may be exempted. For most enterprises that handle cross-border transfer of personal information, the number of personal information subjects is usually not large. Take, for example, the scenario of a multinational pharmaceutical company that has many subsidiaries in China, and each subsidiary has a certain number of employees and suppliers. If this company requires that the personal information of the employees and suppliers of these subsidiaries be stored in the head office's overseas system for centralized management and procurement, where less than 10,000 individuals’ personal information is to be transferred abroad within one year, then according to Article 5 of the Draft Provisions, the company may be exempted from the Protective Measures for Cross-border Data Transfer, i.e. the company does not need to file its SCC with the CAC, conduct security assessment, or obtain Certification.

 

However, it should be noted that exempting a company from the Protective Measures for Cross-border Data Transfer does not exempt it from all personal information protection obligations under the PIPL. The company still has to perform the "notify-consent" obligation with respect to the cross-border transfer of personal information of its employees and suppliers, and in accordance with Article 55 of the PIPL, it must conduct a personal information protection impact assessment prior to the cross-border transfer of personal information. Therefore, if a company has already carried out part of the data export compliance work before the introduction of the Draft Provisions, such as identification of the data assets to be transferred abroad and personal information protection impact assessment, it is advised to proceed with such compliance work and retain the assessment report for at least three years to ensure compliance.

 

In addition, there are a few important issues with the Draft Provisions in relation to the export of personal information that remain subject to different interpretations and need to be clarified:

 

The Draft Provisions uses the words "estimated number of individuals with respect to cross-border data transfer in the following year" as the benchmark for the exemption of the data export security measures, and if more than 10,000 individuals’ personal information is to be exported in the coming year, it then determines whether the application for security assessment, record-filing of SCC, or Certification is required based on the fulfillment of the condition of processing personal information of more than one million individuals. This proposed wording raises several issues. Firstly, it does not expressly state whether this fully replaces the standards set out in the Security Assessment Measures and the Standard Contract Measures. While, as a general rule it is understood that if statutes are in conflict, the later statute prevails over the earlier statute, unless the earlier statute is clearer and more explicit, in light of the significance of the subject matter, we believe it will be prudent for the CAC to provide more specific guidance in the formal draft or official explanations.

 

The CAC should, at this stage, further address the following grey areas:

  • Is it no longer necessary to consider cross-border transfer of stock data? Is the status of the cross-border transfer of sensitive personal information no longer a factor for consideration? For example, if a company has already transferred sensitive personal information of more than 10,000 individuals overseas, but it is expected that the personal information of fewer than 10,000 individuals will be transferred abroad in one year, or if a company has already transferred sensitive personal information of more than 100,000 individuals overseas but it is expected that the personal information of fewer than 10,000 individuals will be transferred abroad within a year, can the company be exempted from the data export security assessment according to the new provisions?

  • Will the standard of personal information processors processing the personal information of over one million people in total be completely abolished? For example, if a company is a personal information processor processing the personal information of more than one million individuals, according to the previous provisions, it still has to apply for the security assessment even if it only transfers personal information of one natural person. Therefore, according to the Draft Provisions, if the company anticipates that the personal information of fewer than 10,000 individuals will be transferred abroad within one year, can the company be exempted from the security assessment?

  • How should we calculate the starting point of "the following year," "the coming year," and "expected in one year"? Should the calculation start from 1st January of the current calendar year, or the date it plans to export the personal information? If the latter applies, does it need to consider the number of individuals whose personal information was transferred abroad in the past one-year period? The Security Assessment Measures and the Standard Contract Measures both calculate the cumulative quantity of personal information exported starting from 1st January of the previous year.

  • When calculating the quantity of personal information to be transferred abroad within the coming year, does it need to include the quantity of personal information of the employees exempted in Article 4(2) of the Draft Provisions into the quantity of data to be transferred abroad in the coming year after the data export? Please refer to the next subsection for analysis on this issue.

  • Should we understand that the calculation cycle for "personal information of more than one million people" as mentioned in Article 6 of the Draft Provisions "it is expected that the personal information of more than 10,000 but fewer than one million individuals will be transferred abroad within one year, …" and "it is expected that the personal information of more than one million people will be transferred abroad within one year, …" must follow the time frame of "within the coming year"?

C. Ten scenarios related to the exemption from data export protection measures

  • Scenario 1: personal information transit

According to Article 3 of the Draft Provisions, no protective measures are required for the personal information generated outside the territory of China. For example, a domestic e-commerce platform has logistic warehouses outside the territory of China and cooperates with logistics companies and airlines outside the territory of China. After overseas consumers purchase products on the international section of the platform, the products will be delivered by the merchants on the platform via overseas logistics companies, and finally carried by the airlines and delivered to the consumers. During this process, the participants such as domestic platforms, merchants on the platforms, logistics companies and airlines will all be involved in the processing of consumers' personal information. As the personal information is generated outside the territory of China (i.e., in the above examples, the personal information is collected by the overseas website of the domestic e-commerce platforms and subsequently transferred to China, and the online platform accounts registered by the consumers are also operated and managed by the overseas websites), the e-commerce platforms are not required to take protective measures for the data export in order to improve the efficiency of cross-border e-commerce services.

 

However, in practice, the scenarios of data export are relatively complex. For example, it is necessary to further clarify the meaning and applicable boundaries of the data transit activities described in this Article and determine whether it also covers other circumstances. Hence, it is necessary to clarify the specific definition and the scope of application of the concept of "data transit." In particular, it is important to consider whether the personal information that is aggregated, fused, or otherwise processed within the territory of China conforms to the concept of "data transit."

  • Scenario 2: personal information of employees to be transferred abroad for the necessity of human resource management

According to Article 4(2) of the Draft Provisions, where human resource management is conducted in accordance with labor regulations and collective contracts concluded in accordance with the law, and it is necessary to provide the personal information of internal employees to overseas entities, no Protective Measures for Cross-border Data Transfer are required. With regards to such exemption in this scenario, the following issues need to be further clarified:

 

(1) how should data processors determine whether the personal information of employees to be transferred abroad is "necessary" for the implementation of human resource management;

 

(2) how should data processors determine whether the export of specific fields is "necessary" for the implementation of human resources management and whether individual consent from the employees can be dispensed with;

 

(3) how should data processors interpret the relationship between Article 4(2) and Article 6, i.e., if the exemption conditions specified in Article 4(2) are met, but the quantity of employees whose personal information is to be transferred abroad exceeds 10,000 but falls short of one million? In such a situation, is it still necessary to conduct record-filing of the SCC or Certification in accordance with Article 6, and is it still necessary to apply for security assessment when more than one million individuals’ personal information is transferred abroad;

 

(4) for enterprises that are still required to conduct security assessment or record-filing of the SCC or Certification, is it necessary for such enterprises to include this exemption scenario in the self-assessment report for analysis?

  • Scenario 3: transfer of personal information abroad is necessary for the conclusion or performance of a contract to which the individual is a party

According to Article 4(1) of the Draft Provisions, where it is necessary to transfer personal information abroad for the purpose of "concluding or performing a contract to which the individual is a party," no Protective Measures for Cross-border Data Transfer are required. This Article lists several scenarios for the purpose "necessary for the performance of the contract", such as cross-border shopping, cross-border remittance, airline ticketing and hotel booking, visa processing, and other situations in which personal information needs to be transferred abroad. For example, where consumers invest in international financial products, it is necessary to transfer abroad their personal information, such as names, ID information, contact information, and financial information of investors for the purposes of contract performance and fulfillment of legal requirements. However, what information falls into the scope of "necessary" remains to be clarified and precisely identified in practice.

  • Scenario 4: data export in an emergency to protect the life, health, and property security of natural persons

According to Article 4(3) of the Draft Provisions, where it is necessary to transfer personal information abroad in an emergency to protect the life, health and property security of natural persons, no Protective Measures for Cross-border Data Transfer are required. The scenario where data needs to be transferred abroad in an emergency may not be common in the daily management and operation of enterprises. For instance, where there is a pandemic in one country, healthcare institutions may transfer personal information of patients to international organizations for identification of plausible causes, analysis of medication supply and implementation of necessary rescue measures intended for the reasonable allocation of emergency resources and the protection of people’s lives. However, the specific application and understanding of what amounts to an emergency situation will remain subject to the regulatory interpretation.

  • Scenario 5: international trade

According to Article 1 of the Draft Provisions, where the data to be transferred abroad generated in international trade activities does not contain personal information or important data, no protective measures are required for the data export. For instance, where a domestic trading enterprise exports goods to other countries, information such as the quantity, specifications, weight, value, and transportation method of the goods need to be sent to the importing party, which can help the customs, logistics companies and trading partners in various countries better manage and monitor the secure transportation and delivery process of the goods, ensure timely arrival of the goods and trade compliance. However, the meaning of the term "international trade" may be relatively broad. Further clarification is needed to determine what types of trade activities fall within the scope of "international trade," what processes in practice fall within the scope of "international trade" and whether overseas data recipients are limited to the trading counterparties, etc.

  • Scenario 6: academic cooperation

According to Article 1 of the Draft Provisions, no Protective Measures for Cross-border Data Transfer are required for the general data generated in academic cooperation activities. When a domestic research institute collaborates with researchers or institutions from other countries to conduct academic research, it may need to share some data that does not contain personal information or important data, such as experimental results, survey results, statistical data, etc. Through the export of these data, researchers can better share knowledge, experience, and research results, promote international academic cooperation and exchanges, and promote the development of global scientific research. However, similar to Scenario 5, when considering the broad scope of data used by different industries and fields, whether sensitive data that is not personal information or important data may still constitute restricted intelligence remains to be seen. In addition, it is, for the reasons mentioned above, technically challenging to determine whether academic data will also be deemed to be important data or state secrets. Therefore, the application of exemption provisions in such scenarios requires special attention and caution.

  • Scenario 7: multinational production and manufacturing

According to Article 1 of the Draft Provisions, no Protective Measures for Cross-border Data Transfer are required for the general data generated in multinational production and manufacturing activities not containing personal information or important data. For example, a state-owned manufacturing enterprise has production centers in many countries around the world. When manufacturing and assembling products, some data may need to be exported abroad to support effective supply chain management of the production center, such as material composition inventory management information, production plans of components and parts, logistics and transportation information, etc., so that enterprises can better coordinate and manage their global supply chain, ensure the timely supply of materials, standardize local production, improve the efficiency and quality of production, and ensure on-time delivery to international customers. However, the concept of "multinational production and manufacturing" is relatively wide, which involves complex processes and various stakeholders, and the data export chain required to support this process is relatively complex. Further implementation and compliance guidance and explanations from the regulatory authorities will help multinational enterprises implement their compliance reviews with greater accuracy.

  • Scenario 8: multinational marketing

According to Article 1 of the Draft Provisions, no Protective Measures for Cross-border Data Transfer are required for the general data generated in multinational marketing activities. For example, when a consumer goods company intends to enter new international markets or expand its business in international markets, market research in each country is crucial. During this process, the company will need to execute its marketing strategies to collect and analyze market data, produce market research reports, conduct data analysis, and accumulate consumer behavior and preference data, etc., in order to understand consumer needs and competition, improve product design, and predict market trends, etc. By being allowed to export such data, companies will better understand the characteristics and opportunities of the target market and formulate corresponding marketing strategies to help support the company's marketing decisions and promotion activities, and improve market competitiveness and business growth.

 

In practice, marketing activities often use "personal information", including precision marketing that targets specific personal information subjects, and targeted marketing to specific groups using data obtained through de-identification and other methods of processing. In accordance with the PIPL, the personal information that has been anonymized will not fall within the scope of personal information. Enterprises need to determine whether the personal information used in marketing has fully met the anonymization requirements in order for the exemption mechanism to apply. However, where various parties may be involved in data collection or generation, the parties should carefully evaluate and determine who is responsible for conducting the assessment and determine that the exported data does not contain personal information.

  • Scenario 9: other general data

Apart from Scenario 5 to Scenario 8, Article 1 of the Draft Provisions uses a catch-all description when describing the general data that does not contain personal information or important data. When general data not containing personal information or important data is to be transferred abroad during certain activities, no Protective Measures for Cross-border Data Transfer are required to be taken. However, further determination in practice and supplementary explanations are still required on whether general data in all types of activities can be exported or whether there are limitations on how activities are defined. If there are, it must be carefully determined how the scope of activities is to be defined, and how different types of activities in practice can be categorized as activities eligible for the exemptions under Article 1.

  • Scenario 10: data included in the negative lists of free trade zones

In addition to the above scenarios, the Draft Provisions also includes the special mechanism of “negative lists” for free trade zones, which we will cover in subsection D below.

 

Nonetheless, for the export of general data generated in non-routine business activities such as overseas litigation and overseas law enforcement (such as case-related evidence), the Draft Provisions does not provide answers. Based on experience, data in such scenarios are usually provided to comply with the evidence disclosure process of overseas courts or arbitral tribunals, and the opinions of the Judicial Assistance and Exchange Center of the Ministry of Justice must be obtained before provision to the overseas courts. However, it is unclear whether it is necessary to submit a data export security assessment to the CAC at the same time, and if the regulatory approval duration for the export is long, the plaintiff may run the risk of failing to comply with the time limits for presenting evidence. Therefore, these issues still require further regulatory attention and clarification.

 

It should be noted that although the Draft Provisions specifies many circumstances that allow enterprises to conduct self-assessment for low-risk data export scenarios at their own discretion, this does not mean that enterprises are simultaneously exempted from the ex ante data security protection and data administration obligations and the obligations to report security incidents. Therefore, before acting on such obligations, enterprises should first confirm the examination and approval procedures and requirements for data that needs to be exported under the above circumstances so as to reduce their potential compliance risks.

 

D. Exemption mechanism in relation to exclusion from the "negative list of free trade zones"

 

As stated in Section 2 of this article, the Draft Provisions allows free trade zones to formulate their own negative lists and file the negative lists with provincial-level cyberspace administration for approval and with the national-level CAC for record-keeping, so as to simplify the mechanism for data export. This is of positive significance in promoting the cross-border flow of data of enterprises in the free trade zones. Below are some examples of similar negative lists that have been implemented, or are expected to be implemented in relevant free trade zones:

  • Shanghai Free Trade Zone: The Shanghai Free Trade Zone is the first free trade zone established in China and has been taking a pioneering role in cross-border data circulation. According to the Regulations on the Lingang New Area of China (Shanghai) Pilot Free Trade Zone, the free trade zone will explore the development of a data catalog for low-risk cross-border flow, and certain data export activities may be exempted from the following requirements: application for security assessment, the conclusion of SCC and Certification. The Special Plan for the International Data Industry in Lingang New Area (2023-2025) proposes to "accelerate the cross-border flow of data in the financial area and create a cross-border asset management demonstration zone on the condition of legal compliance and controllable risks. The plan looks to elevate Shanghai as an international financial center and aims to coordinate with key enterprises in the industry to accelerate the research on the negative list system for financial data flows".

  • Guangdong Pilot Free Trade Zone: The Guangdong Pilot Free Trade Zone has also planned to adopt a negative list mechanism similar to that of the Shanghai Free Trade Zone with respect to cross-border data circulation. According to this planned Negative List, certain data export activities may be exempted from the pre-approval procedures, such as security assessment, conclusion of SCC, and Certification. These requirements provide a more convenient channel for cross-border data circulation for enterprises in this free trade zone.

  • Hengqin Guangdong-Macao In-depth Cooperation Zone: The Hengqin Guangdong-Hong Kong-Macao free trade zone proposes to promote the orderly cross-border flow of international internet data through a variety of methods, starting with a pilot program for security management of cross-border data transfers. Other objectives include simplifying the procedures for data export by formulating a negative list mechanism, and providing a safe transmission channel for enterprises in the free trade zone to enhance the security of data export.

  • Hainan Free Trade Zone: The Law of the People's Republic of China on Hainan Free Trade Port and the Overall Plan for the Construction of Hainan Free Trade Port both propose that the State supports the Hainan Free Trade Port to explore and implement a regional institutional arrangement for the cross-border flow of international data such as establishing a safe, orderly, free and convenient data flow management system in accordance with the law, expanding the opening of the data field, and promoting the development of a digital economy with data as a key element. Given the unique advantage of having a green channel for data export in the Hainan free trade zone, the Hainan free trade zone is also expected to facilitate the supervision of data circulation by establishing a negative list.

  • Hetao Shenzhen-Hong Kong Science and Technology Innovation and Cooperation Zone: The Hetao Shenzhen-Hong Kong Science and Technology Innovation and Cooperation Zone proposes to establish, under the framework of the national security management system for cross-border data transfer, a mechanism that may facilitate data flow and ensure security which may include the establishment of a negative list.

As shown in these examples, the negative list policy in the free trade zone has, to some extent, promoted the cross-border flow of enterprises' data in the free trade zone. By simplifying the administrative procedures and providing a safe environment for data export, enterprises will find more flexibility in carrying out data export activities. In addition, the power to formulate these negative lists is mainly vested at the provincial level, and CAC at the national level only performs a record-filing role. This provides more room for the free trade zones to formulate their negative lists based on unique and more relevant criteria.

 

Similarly, certain provincial or municipal governments have also taken the lead in formulating “white lists” for promoting cross-border data flow. On September 20, the Beijing Municipal Commerce Bureau drafted and released the Regulations of Beijing on Foreign Investment (Draft for Comments) which aims to promote foreign investment in Beijing, regulate foreign investment administration, protect the legitimate rights and interests of foreign investors, and promote high-quality development of open economy in the capital city. Chapter 6 of the Regulations clarifies the relevant facilitation measures for the cross-border data transfer. The municipal cyberspace administration authority shall, in concert with relevant authorities and in the form of municipal regulations, formulate specific measures under the central arrangements, establish green channels for qualified foreign-invested enterprises, efficiently conduct a security assessment of important data and personal information to be transferred overseas, and formulate a list of general data to promote the safe, orderly and free transfer of data.

 

In addition, on June 29, 2017, the CAC and the Innovation, Technology and Industry Bureau of the Hong Kong SAR Government signed a memorandum of understanding on promoting the cross-border flow of data in the Guangdong-Hong Kong-Macao Greater Bay Area. Expanding the geographical scope for the application of the negative list policy will help establish the security rules for the cross-border flow of data in the Guangdong-Hong Kong-Macao Greater Bay Area under the national data cross-border security management framework, and promote high-quality development in the Guangdong-Hong Kong-Macao Greater Bay Area. This is highly consistent with the background and key aspects of the Draft Provisions.

 

However, there are still certain issues that need to be further clarified. For example, which free trade zones are eligible to draw up the negative list and whether enterprises that are registered in the free trade zone but whose data processing activities take place outside the free trade zone will be governed by this Article of the Draft Provisions. Also, will the same effect be achieved if the provincial government, rather than the free trade zone, establishes the "white list" through issuing local regulations? Will provinces or municipalities competitively issue "white lists" or "black lists" in various names to attract enterprises, while causing confusion for the enterprises with the influx of various policies?

 

Clarification of these issues will help better promote the cross-border flow of data by enterprises in the Guangdong-Hong Kong-Macao Greater Bay Area and provide clearer operational guidelines for relevant enterprises. Therefore, we expect the CAC and the respective free trade zones to issue more detailed rules in good time and provide further implementation guidance for enterprises.

 

E. Provision of important data or personal information abroad by a CIIO

 

Article 37 of the Cybersecurity Law of the People's Republic of China (the "CSL") provides that the personal information and important data collected and generated by a CIIO in the course of its operation within the territory of China shall be stored within the territory of China. Where there is a genuine business need to transfer such data overseas, a security assessment shall be conducted in accordance with the measures formulated by the CAC and the relevant departments of the State Council. If there are provisions in other laws or administrative regulations, such provisions shall also be followed. Article 8 of the Draft Provisions provides that if CIIOs transfer personal information and important data to overseas entities, they shall be subject to regulation in accordance with the relevant laws and regulations.

 

It should be noted that even if the Draft Provisions is finalized, it does not qualify as "laws or administrative regulations" from the perspective of the legislative hierarchy. Therefore, where a CIIO transfers personal information or important data overseas, the exemption from data cross-border protection provided in the Draft Provisions does not apply. Article 37 of the CSL, Article 40 of the PIPL and the Security Assessment Measures will continue to apply to the CIIO. This is because the leakage, destruction, and loss of CIIO data may cause a significant impact on national security, social stability, and personal privacy.

 

As such, the emphasis of Article 8 of the Draft Provisions coincides with the above objectives, namely strengthening the regulation of the provision of personal information and important data abroad by state organs and CIIOs, so as to protect national security, social stability and personal privacy. Specifically:

  • Cross-border transfer of personal information and important data by government agencies: When transferring personal information and important data overseas or when handling sensitive information, government agencies need to ensure that such information will not be misused or disclosed to external parties. For example, national security agencies may be involved in the processing of classified information, including state secrets, military information, and important data related to national security. By strictly regulating the cross-border transfer of personal information and important data by government agencies, national security interests can be more effectively protected.

  • Provision of personal information and important data abroad by CIIOs: CIIOs include telecommunications operators, financial institutions, and energy suppliers, etc., and they possess large amounts of personal information and important data. The security of such data is very important to both the country and the individual. For example, financial institutions process customers' financial information, telecommunication operators process users' communication data, and energy suppliers hold key data on energy supply and distribution. Regulating the cross-border transfer of such personal information and important data by CIIOs will help ensure that such data will not be misused or disclosed for illegal purposes.

  • Sensitive information and sensitive personal information related to the Chinese Communist Party, the government, the military and state secret entities: China pays special attention to sensitive information and sensitive personal information of the Party, the government, the military and state secret entities. The disclosure of such information may pose serious threats to national security and social stability. For example, state secret entities may involve important information such as state secrets, military secrets, trade secrets and so on. By strictly regulating the cross-border transfer of sensitive information and sensitive personal information related to the Party, the government, the military and state secret entities, national security and personal privacy can be protected.

Currently, as most enterprises may not be regarded as CIIOs, the direct impact of the above restrictions is relatively insignificant. However, if a client or partner of the enterprise conducting data export is a CIIO, it is necessary to pay special attention to the compliance restrictions of such client or partner prior to conducting any cross-border data transfers.

 

4. Suggestions for enterprises

 

Firstly, enterprises should pay close attention to the release of the final draft of the Draft Provisions and new legislation, to assess their impact on existing data export in a timely manner. Enterprises should determine whether they can be exempted from certain compliance restrictions or consider alternate paths based on the quantity of their personal information to be transferred abroad. Enterprises that do not need to implement any of the three compliance measures of security assessment, record-filing of SCC or Certification for their data export should continue to fulfill other compliance requirements in accordance with the PIPL and other laws and regulations, such as obtaining the consent of personal information subjects and conducting personal information protection impact assessment. Enterprises that need to implement any of the three compliance measures should familiarize themselves with and conform to the specific requirements and procedures for data export security measures in order to ensure compliance with the regulatory requirements.

 

Secondly, enterprises should pay close attention to the regulatory authorities' interpretations and application of the Draft Provisions, especially on the issues and aspects to be clarified by regulatory authorities such as quantitative criteria for outbound personal information and the interpretations on the most frequently applied exemption scenarios. Meanwhile, enterprises should in parallel determine whether the enterprise's data export meets the proposed exemption conditions under the Draft Provisions, so that it can promptly make adjustments if and when the Draft Provisions come into effect. In addition, enterprises should also actively fulfill other obligations in terms of data security and personal information protection.

 

Finally, enterprises in free trade zones should pay particular attention to the latest regulations on the negative list for data export in the free trade zones. Enterprises will benefit by proactively monitoring whether free trade zones can provide convenient channels for the cross-border flow of data, which will enable enterprises to ensure compliance of data export activities, carry out cross-border flow of data in the free trade zone more smoothly and reduce the compliance cost for data export.

 

5. Suggestions on the improvement of the Draft Provisions

 

Firstly, with regard to the necessity of security assessments induced by the setting up of various exemption scenarios, it is suggested that security assessment requirements for the different scenarios be clarified in the final draft. In determining whether a security assessment is required, factors such as the sensitivity and use of the data, apart from the estimated data quantity within the coming year, could be considered. As for the issue of an excessively long security assessment cycle, it is suggested that measures to shorten the assessment cycle should be clarified in the final draft. It is suggested to simplify the assessment process and optimize the assessment mechanism to improve assessment efficiency. At the same time, it is suggested that human resources and technical support from the regulatory authorities should be strengthened to avoid any bottlenecks and ensure the timely implementation of assessments and timely feedback on results.

 

Secondly, with regard to solving the problem of data statistics and data prediction, it is suggested that statistical methods and requirements should be clarified in the final draft, and a sound data management and monitoring mechanism should be established, including how to conduct statistical analysis on the domestic data and the data which has been exported, etc. In addition, a data prediction model can be established to predict the quantity of data to be exported based on industrial trends and enterprises' needs so as to better plan and manage cross-border data flow and self-assessment of enterprises.

 

Thirdly, as for the application and transition between the new provisions and the old provisions, it is suggested that transitional measures and specific operating steps should be clarified in the final draft. For example, for security assessment or record-filing procedures that have already been started, it may be decided whether to continue to proceed in accordance with the old provisions or how to switch to the new ones. At the same time, it is suggested that measures to deal with issued assessment results or record-filing notices should be clarified to ensure that results which are subject to different systems can be properly dealt with.

 

Finally, it is important for the regulators at both national and provincial levels to strengthen interim and ex post supervision. Despite the delegation of power proposed by the Draft Provisions, it is suggested that the duties and requirements of the regulatory authorities should be clarified in the final draft, including the improvement in the capabilities of regulatory authorities in risk identification, data security control and prevention and data traceability. At the same time, it is suggested that a data risk monitoring and reporting mechanism should be established to identify and handle security risks in data export activities in a timely manner to ensure the overall compliance and security of data.

 

6. Conclusion

 

From the interpretation and analysis of the Draft Provisions, it can be seen that it basically reduces the burden on enterprises to a reasonable extent and creates a more conducive and collaborative approach on the whole.

 

The Draft Provisions also provides policy space for the pilot implementation of the negative list system in the free trade zones. Further, penalties stipulated in Article 10 and Article 11 of the Draft Provisions are also more lenient compared with the Security Assessment Measures and the Standard Contract Measures, which will allow data processors to more proactively accept supervision, make timely rectifications, and eliminate risks. Meanwhile, despite the issues raised in this article, we view the Draft Provisions as a positive step in providing clearer guidance on data export compliance that will have a significant impact on enterprises that need to export data.

 

Although the Draft Provisions requires improvements as suggested, we look forward to the introduction of the final draft, which will bring clearer guidelines to enterprises regarding their data export activities, resolve the unresolved issues that many enterprises face with respect to the cross-border flow of their data, provide enterprises with a more stable and reliable environment for the cross-border data flow, further assist enterprises in complying with data export requirements, and promote the regulation and facilitation of the cross-border data flow.