I. Regulatory Framework for the Outbound Transfer of Personal Information and Data

Before delving into the details of the Draft New Regulation, this article will first briefly summarize the current regulatory regime governing the outbound transfer of data and personal information. Currently, entities seeking to transmit personal information to locations outside China, whether for business purposes or for other reasons, are required to follow certain administrative procedures and meet certain requirements. These procedures, collectively referred to as “Data Outbound Transfer Procedures”, include the following:

1. Security Assessment: undergoing a security assessment for outbound data transfer organized by the CAC prior to the cross-border transferring;
    
2. Certification for Personal Information Protection: obtaining certification for personal information protection from professional organizations in accordance with CAC regulations;
    
3. Standard Contract: entering into a contract with the overseas recipient pursuant to the standard contract template formulated by the CAC, which outlines the rights and obligations of both parties; or
    
4. Other Requirements: fulfilling other conditions specified by laws, administrative regulations, or the CAC.

As to security assessment set out in point 1 above, the Security Assessment Measures for Outbound Data Transfers require certain regulated enterprises to conduct a security assessment for the outbound transfer of data.[1] This regime has been in place for over a year,[2] and public records indicate successful cases of enterprises passing such assessments in various regions in China.

In cases where security assessment is not required, personal information processors are required to either obtain certification for personal information protection or enter into a standard contract for the outbound transfer of personal information.

There has been no public information reporting cases where organizations have passed certification for personal information protection (cross-border processing). In contrast, a good number of enterprises in various regions have already successfully utilized the standard contract as means for the outbound transfer of data since the Measures on the Standard Contract for Outbound Transfer of Personal Information became effective on June 1, 2023.

The current regulations do not provide specific guidance on several aspects of the implementation of such regulations, resulting in uncertainties for many enterprises that stem from the nature of such enterprises either only handling a small volume of data for transmission or facing challenges in avoiding the need for outbound transfer. To address these concerns, the Draft New Regulation further introduces provisions that aim to resolve (at least partially) such issues, such as exempting enterprises from performing Data Outbound Transfer Procedures under certain specific circumstances.

II. Exemptions to Data Outbound Transfer Procedures

In response to the uncertainties faced by certain enterprises, the Draft New Regulation explicitly lists several scenarios where Data Outbound Transfer Procedures are not required:

1. Exemption One: Data outbound transfer arising from international trade, academic cooperation, cross-border production and manufacturing, marketing activities and others, excluding transfer of personal information or important data.

The Draft New Regulation recognizes the daily operational activities of enterprises in fields such as international trade, cross-border production and manufacturing, and marketing, in which ordinary data outbound transfer is inevitable due to business or industrial chain division needs. To ease the compliance burden, these enterprises are exempted from fulfilling Data Outbound Transfer Procedures as long as personal information or important data is not involved.

An example is international academic activities, such as conferences organized by Chinese and foreign academic institutions, that involve the cross-border transfer of data. Without this exemption provided by the Draft New Regulation, some institutions would have concerns that they might need to comply with Data Outbound Transfer Procedures based on the literal interpretation of current regulations, which could potentially drag the efficiency of academic activities.

However, even if personal information or important data is not involved, if a critical information infrastructure operator (the “CIIO”) engages in data outbound transfer in the above-mentioned scenarios, the Draft New Regulation still mandates the CIIO to comply with relevant legal and regulatory compliance obligations. This reiterates the requirement that CIIOs are required to pass security assessment for outbound data transfer when transferring data overseas as specified in the Measures for the Security Assessment of Outbound Data Transfer.

2. Exemption Two: Providing personal information not collected in China to locations outside China.

This exemption addresses a common scenario where personal information is generated outside China, processed within China, and subsequently transferred to locations outside China. An illustrative example of this scenario is seen in international trade, where an entity located in China may function solely as an intermediary for information or data processing. In such cases, personal information initially collected from overseas sources is transmitted through servers located in China or processed within China before being transferred overseas once again.

In 2017, prior to the implementation of the current data outbound transfer regime, two types of data transfer activities were excluded by Section 3.7 of the Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Public Comments) from being considered as data outbound transfer activities. The first type is the overseas transmission of personal information and important data that have not been collected and generated from operations within China but have been transmitted through China without any modification or processing. The second type pertains to the overseas transmission of personal information and important data that have not been collected or generated from the operations within China but have been stored and processed within China prior to being transferred overseas. This type of transfer would not considered an “outbound transfer” if it does not involve personal information and important data collected and generated from operations within China.

It is believed that the abovementioned scenarios are exempted from the Data Outbound Transfer Procedures because the transmitted data generally do not directly affect, or only have a minor impact on, the rights and interests of Chinese individuals.

However, certain other aspects of this exemption are not fully clear. For instance, for a foreign financial service company with no physical presence in China providing service to a Chinese individual not residing in China at the time of service: if the Chinese individual provides personal information related to his or her activities in China to the foreign financial service enterprise, would this qualify for the exemption? Would the Data Outbound Transfer Procedures become unapplicable if the data was never transmitted within China throughout the entire process and thus does not fall within the definition of data outbound transfer?

3. Exemption Three: Where it is necessary to provide personal information overseas for the conclusion and performance of contracts to which such individual is a party, such as overseas purchase, remittances, flight and hotel reservations, and visa applications.

The Draft New Regulation enumerates several high-frequency scenarios under which it is “necessary for the conclusion and performance of contracts to which such individual is a party.” Our clients frequently inquire about these scenarios during discussions regarding the necessity of fulfilling the Data Outbound Transfer Procedures for their business. This exemption recognizes the practical needs for outbound transfer of data in such scenarios and indicates a relaxation of oversight for situations with a strong demand for outbound transfer of data but have only a limited impact on the rights and interests of Chinese individuals’ personal information. This undoubtedly sends a positive signal to multinational enterprises involved in such business. However, further guidance from the CAC remains to be seen regarding the specifics of the “necessary (must)” standard to address similar scenarios that are not explicitly covered by this exemption.

4. Exemption Four: Where the personal information of employees must be provided to locations outside China to implement human resources management in accordance with the employer’s lawfully enacted labor rules and regulations and lawfully executed collective contracts.

In the global management system of multinational enterprises, a unified human resource management system is often in place. Personal information of Chinese employees may need to be transferred to the employer’s headquarters or to servers located overseas for storage. Such transfers are routine operations necessary for the daily management of multinational enterprises. Generally, multinational enterprises only retain such information for the purpose of human resources management. Therefore, if Draft New Regulation is enacted, enterprises that transfer personal information of employees overseas solely for the reason of human resource management may argue that they are not required to comply with relevant Data Outbound Transfer Procedures. However, it is important to note that enterprises still need to explicitly incorporate such data transfer arrangements into their lawfully enacted labor rules and regulations.

5. Exemption Five: Where personal information must be provided to locations outside of China to protect the life, health, and property safety of a natural person in an emergency.

Article 13 of the Personal Information Protection Law already includes an “emergency-based” exemption, stating that personal information processors are allowed to process personal information without the consent of the individual in response to a public health emergency or for the protection of the life, health and property safety of a natural person in an emergency. The Draft New Regulation extends this emergency exemption to cross-border transfer of data. In practical terms, when the life, health, and property safety of a person is threatened, there probably is not sufficient time to execute a standard contract or obtain certification for personal information protection in advance.

6. Exemption Six: Where the entity is expected to provide personal information of less than 10,000 individuals to locations outside China within one year.

Please refer to Part IV “Changes in the Quantitative Threshold of Outbound Transfers of Personal Information” for more detailed information.

Most of the scenarios mentioned above are exempted due to their minor impact on the rights and interests of personal information of individuals. These scenarios typically only involve the company’s daily operations, do not involve important data, or only entail the outbound transfer of a small amount of personal information. The implementation of Draft New Regulation will further reduce the compliance costs of data outbound transfers for enterprises, particularly considering the current economic situation.

It is worth noting that the General Data Protection Regulation (“GDPR”) implemented by the European Union also includes derogations for special situations in Article 49 of its Chapter V “Transfers of Personal Data to Third Countries or International Organizations”. These derogations allow the transfer of personal data to a third country or international organization in the absence of an adequacy decision or appropriate safeguards, under specific conditions. These conditions include explicit consent from the data subject; necessity for the performance of a contract; necessity for important reasons of public interest; necessity for the establishment, exercise, or defense of legal claims; or necessity to protect the vital interests of the data subject or of other persons.

The GDPR also provides an ultimate exemption, known as “limited transfers”, which applies even when none of the conditions for derogations for specific situations are met. Limited transfers are applicable when the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.[3] It is worth noting that some of the exemptions listed in the Draft New Regulation resemble GDPR’s derogations for special situations, possibly reflecting the CAC’s incorporation of legislative insights from overseas data regulations such as GDPR.

III. Clarification re Whether Security Assessment is Necessary for the Outbound Transfer of Important Data

According to the Data Security Law, all regions and departments shall, under the data classification and hierarchical protection system, determine the specific catalogue of important data for their respective regions and departments and for relevant industries and fields.[4] The Security Assessment Measures for Outbound Data Transfers further stipulates that Data Outbound Transfer Procedures must be followed for the outbound transfer of important data. Article 19 of the Security Assessment Measures for Outbound Data Transfers defines important data as data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, among others. Furthermore, the Information Security Technology - Guideline for Identification of Critical Data (Draft for Public Comments), completed on January 7, 2022, provides guidance on the identification of important data. However, uncertainties persist regarding the identification of important data in different industries.

Prior to the Draft New Regulation, there is no public information indicating that any local governments or departments have published catalogues of important data for any specific industries/fields. Therefore, certain enterprises are uncertain as to whether their data falls within the definition of important data.  The Draft New Regulation explicitly states that data processors are not required to conduct security assessment for outbound data transfer for data that has not been notified or published as important data by relevant departments or regions. This specification, provided by the Draft New Regulation, enables enterprises to determine whether their data counts as important data, serving as a valuable resource for enterprises in identifying their data effectively.

IV. Changes re the Quantitative Threshold of Outbound Transfers of Personal Information

The Draft New Regulation sets the following three thresholds regarding the quantity of outbound transfer of personal information. The quantitative thresholds are no longer based on the cumulative calculation from January 1 of the previous year as stipulated in the Measures for the Security Assessment of Outbound Data Transfer. The details are shown in the table below:

The abovementioned provisions only take into account the quantity of outbound transfer of personal information that is expected to be processed in a year by a data processor and no longer use the aggregate total amount of personal information processed by such data processor. This simplifies the transfer process for enterprises that have processed a large quantity of personal information in the past but transfer a small amount of personal information during a specific year.

As summarized in the table above, where it is estimated that the personal information of less than 10,000 individuals will be transferred overseas within one year, the Draft New Regulation clearly states that the Data Outbound Transfer Procedures will be exempted (however, where the outbound transfer of personal information is subject to individual consent, such consent from the personal information subject shall be obtained). This provision clarifies the confusion of many enterprises: i.e., according to the literal understanding of the current regulations for outbound transfer of data, even if the quantity of outbound transfer of data is limited, do they still need to fulfill the legal procedures such as signing and filing a standard contract for outbound transfer of personal information? Some of our clients have previously raised such questions. Under the GDPR and other regulations implemented in the EU, there are provisions regulating rules such as “limited transfer”, which exempt processors who transfer a small quantity of data (upon fulfillment of the relevant conditions) from their legal obligations. Under a strict literal interpretation of the current data outbound transfer regulations in China, enterprises would need to fulfill the relevant statutory procedures for the outbound transfer of data, which may increase the compliance costs of their existing small quantity of data outbound transfer-related businesses.

In addition, the Draft New Regulation revises the threshold regarding the total quantity of outbound transfer of personal information, i.e., to calculate the total quantity of the personal information estimated to be outbound transferred within 1 year, rather than to calculate on the basis of “since January 1 of the previous year” (also referred to as “within 2 years” in the industry), as stipulated in the Measures for the Security Assessment of Outbound Data Transfers and the Measures on the Standard Contract for Outbound Transfer of Personal Information. The Draft New Regulation further stipulates that, in the event of any inconsistency between the Draft New Regulation and the relevant provisions of the Measures for the Security Assessment of Outbound Data Transfers and the Measures on the Standard Contract for Outbound Transfer of Personal Information, the Draft New Regulation shall prevail.

Notwithstanding the abovementioned three scenarios, certain provisions still need further clarifications: for example, when does the term “estimated…within one year” begin? Is it necessary to distinguish between general personal information and sensitive personal information in terms of the quantitative thresholds of outbound transfer of personal information? The Draft New Regulation does not stipulate separately on the quantity and duration of the transfer of sensitive personal information, but it does emphasize that the outbound transfer of sensitive personal information shall be subject to relevant laws and regulations,[5] such as the requirement for conducting a prior personal information protection impact assessment stipulated in the Personal Information Protection Law.

Furthermore, some provisions need further clarification with respect to the correlation between the new and the old data-related regulations. For example, under the Measures for the Security Assessment of Outbound Data Transfers, if a processor has outbound transferred sensitive personal information of more than 10,000 people since 1 January of the previous year, the processor is required to apply for the security assessment for outbound data transfer. Assuming that the Draft New Regulation comes into effect, if such processor is eligible for exemption from security assessment for outbound data transfer under the Draft New Regulation (i.e., the scenario 2 and scenario 3 of the above table), the application of the new and old regulations may conflict. The Draft New Regulation stipulates that, in the event of any inconsistency between the Draft New Regulation and the relevant provisions of the Measures for the Security Assessment of Outbound Data Transfers and the Measures on the Standard Contract for Outbound Transfer of Personal Information, the Draft New Regulation shall prevail. Since the Draft New Regulation does not explicitly stipulate the threshold on the quantity of sensitive personal information, does it mean that the Draft New Regulation no longer applies any provisions regarding the calculation of the quantity of sensitive personal information? We will follow up closely to see whether the quantitative threshold regarding sensitive personal information under the Measures for the Security Assessment of Outbound Data Transfer will be explicitly loosened in the future.

We also note that even if an enterprise, as a data processor, is exempted from the Data Outbound Transfer Procedures (or is required to conduct a different Data Outbound Transfer Procedure due to the changes of the threshold under the Draft New Regulation), it shall still abide by the compliance requirements of other currently effective regulations. For example, where the outbound transfer of personal information is subject to individual consent, such consent shall be obtained; the personal information impact assessment shall be completed before the outbound transfer of personal information. Of course, appropriate “alleviation of burdens” does not mean total deregulation, and the cyberspace authorities will continue execute administration before, during and after the outbound transfer of personal information and data.

V. Negative List Regime for Pilot Free Trade Zones (“FTZs”)

Another breakthrough of the Draft New Regulation is that it further provides a negative list concept for FTZs. Specifically, a FTZ may formulate a list of data to be included in the management scope of the security assessment, the standard contract, and the personal information protection certification (the “negative list”) for itself, which shall be reported to the provincial-level cyberspace affairs commission for approval and then submitted to the CAC for record-filing. For any outbound transfer of data not under the negative list, the Data Outbound Transfer Procedures may not be required.

The negative list regime has yet to be further detailed after the implementation of the Draft New Regulation. For example, is a FTZ’s negative list applicable to situations where the place of registration of the processor is not the same as the place of its actual operation/data processing/servers (which is quite common)?

VI. Conclusion

Overall, we gladly note that the Draft New Regulation has addressed the concerns and confusions of some enterprises in practice regarding the existing data outbound transfer regulations, and further provided a more efficient systemic foundation for outbound data flows. Based on our past experiences in interpreting the regulations and our understanding of the current Sino-foreign cooperation and investment environment, we are inclined to believe that there is a high probability that most of the provisions of the Draft New Regulation will be passed and implemented soon.

In addition, we note that the Draft New Regulation has not yet fully responded to certain queries in practice. For example, the Data Security Law and the Personal Information Protection Law require that the provision of personal information or data stored within the territory of China (the PRC) to any foreign judicial body or law enforcement body shall be subject to the approval of the competent Chinese authorities.[6] The Draft New Regulation does not include provisions regarding this mechanism. Therefore, the aforementioned requirement to obtain approval from the competent Chinese authorities shall remain in force. In the future, in international dispute resolutions, based on the implementation of the Draft New Regulation, how the provision of personal information and data stored within the territory of China (the PRC) to any foreign judicial body/law enforcement body will be carried out in a compliant manner remains to be answered by future legislations.

If the Draft New Regulation comes into force, there will be positive changes to the existing regulation of data and personal information outbound transfer procedures. Enterprises that have not yet carried out/completed Data Outbound Transfer Procedures can assess their current status under the Draft New Regulation and decide whether and how to carry out their Data Outbound Transfer Procedures. Enterprises that are in the process of conducting Data Outbound Transfer Procedures may assess and consult with the cyberspace authorities and choose the appropriate Data Outbound Transfer Procedure or assess whether they need to change or withdraw the relevant materials based on such consultations. Enterprises that have already completed the Data Outbound Transfer Procedures should also pay attention to their data outbound transfer and determine whether a change to the existing reporting mechanism or more appropriate reporting mechanism is needed in the future.

It is important to note that regardless of the situations of the enterprises, they shall continue to comply with the other requirements of data and personal information processing under the existing regulations. For example, as long as an enterprise is involved in the outbound transfer of personal information, as a personal information processor, it shall conduct prior personal information protection impact assessment and other formalities in accordance with the provisions of the Personal Information Protection Law.

[1] For an outbound data transfer by a data processor that falls under any of the following circumstances, the data processor shall apply to the CAC for the security assessment via the local provincial-level cyberspace administration authority:

(1) outbound transfer of important data by a data processor;

(2) outbound transfer of personal information by a CIIO or a personal information processor who has processed the personal information of more than 1,000,000 people;

(3) outbound transfer of personal information by a personal information processor who has made outbound transfers of the personal information of 100,000 people cumulatively or the sensitive personal information of 10,000 people cumulatively since 1 January of the previous year; or

(4) other circumstances where an application for the security assessment of an outbound data transfer is required as prescribed by the CAC.

[2] Measures for the Security Assessment of Outbound Data Transfers came into effect on September 1, 2022.

[3] Article 49 of GDPR.

[4] Article 21 of the Data Security Law: each region and department shall, in accordance with the classified and graded data protection system, determine the specific catalogue for important data for the respective region and department, and in relevant industries and areas, and undertake special protection for the data included in the catalogue.

[5] Article 8 of the Draft New Regulation.

[6] In practice, a review mechanism is found in some cases, which is carried out by the Judicial Assistance Exchange Center of the Ministry of Justice together with the Supreme People’s Court, the CAC and/or relevant competent authorities.