Corporate Compliance News Alert: The CAC Finalized the New Provisions for Cross-Border Data Transfer
On March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the Provisions on Promoting and Regulating Cross-Border Data Flow (“New Provisions”), effective immediately. Compared with the draft released for public comment in September 2023 (“Draft Provisions”), the New Provisions contain substantial changes that warrant close examination.
The New Provisions set out explicit exemptions for scenarios that no longer require a security assessment conducted by the CAC (“CAC Security Assessment”)[1], a Standard Contract Record Filing (“SCCs Record Filing”)[2] or Personal Information Protection Certification by a professional institution (“Personal Information Protection Certification”)[3] under the current legal framework for cross-border data transfer. The New Provisions also clarify the thresholds at which each of these processes is triggered.
Please find below a quick summary of the exemptions and major changes:
Exemptions for Specific Scenarios
1. (Art. 3) Exemption One: Data transfers for international trade, cross-border transportation, academic cooperation, cross-border production and manufacturing, marketing activities, and similar purposes, without the transfer of personal information or important data.
2. (Art. 4) Exemption Two: Outbound transfers of personal information that was collected and generated overseas, transferred into China for processing and then transferred back out, provided that no personal information or important data collected within China is incorporated during the processing in China.
3. (Art. 5) Exemption Three – Special Exemptions for Personal Information: The New Provisions provide special exemptions for cross-border transfer of personal information (not involving important data) as follows:
- Contractual necessity: Where it is necessary to provide personal information overseas for the conclusion and performance of a contract to which the individual is a party, such as cross-border purchases, shipping, remittances, payments and account openings, as well as flight and hotel reservations, visa applications and examination services.
- HR management necessity: Where it is necessary to provide employees’ personal information overseas to implement human resources management in accordance with the employer’s lawfully enacted labor rules and policies and lawfully executed collective contracts.
- Emergency necessity: Where personal information must be provided overseas in an emergency to protect the life, health or property of an individual.
- Data volume of fewer than 100,000 individuals: Where a data processor other than a critical information infrastructure operator (“CIIO”) has provided personal information (not involving sensitive personal information) of fewer than 100,000 individuals to locations outside China since January 1 of the current year.
4. (Art. 6) Exemption Four – Special Exemptions for FTZs: The New Provisions allow the pilot free trade zones (“FTZs”) in China to establish negative lists for cross-border data transfer within the national framework for data categorization and classification. Data not designated on a negative list that has been approved by the provincial cyberspace administration and filed with the CAC and the National Data Bureau may be transferred outside China freely.
Key Changes Regarding the Thresholds for Regulatory Processes
1. (Arts. 5&7) Timeframes for Calculating Data Volume: Previously, the timeframe for calculating data volume was defined as “from January 1 of last year” in the Measures for the Security Assessment of Outbound Data Transfer[4], and as the volume a processor “is expected to transfer within one year” in the Draft Provisions. The New Provisions now use a shorter timeframe, running from January 1 of the current year to date, which generally reduces the period over which volume is counted.
2. (Arts. 7&8) Revised Thresholds for Triggering the Cross-Border Data Transfer Routes: Although the New Provisions raise the thresholds for transfers of non-sensitive personal information, both for CAC Security Assessments and for SCCs Record Filing/Personal Information Protection Certification, it is crucial to note that any transfer involving sensitive personal information will automatically trigger one of these regulatory procedures.
Frequently Asked Questions
1. What is the timeline for companies to complete those processes?
The answer is as soon as possible. The New Provisions do not provide a grace period. Companies should therefore act immediately: evaluate which process applies to each transfer scenario and prepare the necessary materials so that the work can be completed in a timely manner.
2. If the personal information of an individual is transferred abroad in different scenarios or projects, how should the volume of such outbound transfers be calculated?
The data volume of outbound transfers should be calculated by the number of individuals involved, after deduplication, so an individual whose personal information is transferred in several scenarios or projects is counted once.
3. Is it still necessary to estimate the data volume of outbound transfers for the next year?
Yes. Based on our recent consultations with the CAC and provincial-level cyberspace administrations, the common understanding is that it is still necessary to estimate the data volume of outbound transfers. This estimate should cover both the number of individuals involved and the volume of data (measured in KB, MB, GB, etc.) from January 1 to the end of the current year. The estimated data volume should be included in both the SCCs and the Personal Information Protection Impact Assessment Report.
4. What is the validity of CAC Security Assessments and SCCs Record Filing?
The New Provisions extend the validity of a CAC Security Assessment from two[5] to three years, counted from the date the assessment result is issued. A data processor may apply for a further three-year extension, provided that no circumstances requiring a new CAC Security Assessment have occurred, such as a change in the purpose, method or categories of the data transferred outbound.[6]
SCCs Record Filing has no predefined validity period. However, certain situations may require a supplemental or revised standard contract, and where such modifications arise the data processor should re-file accordingly.
5. For two exempted scenarios (contractual necessity and HR management necessity), how to demonstrate such “necessity”?
So far, the CAC has not yet provided clarification on such standards.
In terms of HR management necessity, and in line with the prevailing trend of improving the operating environment for multinational companies, the common understanding is that companies have discretion to determine HR management matters based on actual business needs, while adhering to the principles of relevance, reasonableness and necessity. Companies should nonetheless revisit their labor policies (especially labor contracts and employee handbooks) to evaluate whether they provide an adequate foundation for such transfers.
Compared with HR management necessity, the standards for defining contractual necessity may potentially be more stringent. A common understanding is that data processors must meticulously assess both the purpose and nature of data involved in outbound transfers. For example, if a service or product provider operates from outside China (such as an overseas bank or e-commerce platform), then outbound data transfers become imperative for fulfilling the primary objectives of these commercial activities. Conversely, if the entire business process is conducted within China and data is transferred abroad solely due to the utilization of servers on foreign-based cloud platforms, the justification for such transfers may not be readily apparent. In any event, it remains imperative for companies to conduct thorough evaluations regarding the necessity for such business arrangements.
6. If a company has transferred sensitive personal information of fewer than 10,000 individuals outside China since January 1, 2024, and has also transferred non-sensitive personal information of fewer than 100,000 individuals outside China, does it need to include the transfer of non-sensitive personal information in the SCCs Record Filing as well?
Based on our recent consultations with the CAC and provincial-level cyberspace administrations, no definitive consensus has been reached on this matter. For scenarios involving both sensitive and non-sensitive personal information, there is general agreement that the non-sensitive personal information should also be included in the scope of the SCCs Record Filing. Opinions are divided, however, on scenarios involving only non-sensitive personal information: some hold that such scenarios should be included in the filing alongside those involving sensitive information, while others disagree. Furthermore, the method or standard for delineating a “scenario” remains unclear. Further clarification from the CAC is therefore needed to guide companies.
7. How to identify important data?
The Data Security Law stipulates that each region and department, in accordance with the categorical and graded protection system for data, shall determine a specific catalog of important data for its region, department or industry and provide special protection for the data listed in that catalog. So far, most regions, departments and industries have not yet published such catalogs. The New Provisions explicitly state that, for data that has not been officially notified or publicly released as important data by the relevant authorities or regions, data processors are not obligated to undergo a mandatory CAC Security Assessment, which substantially reduces uncertainty for data processors.
Notably, the national standard Data Security Technology – Rules on Data Categorization and Classification (GB/T 43697-2024) was recently released by the National Information Security Standardization Technical Committee (also known as “TC260”), providing that data related to healthcare resource, genetic information, mineral resource, export control items, financial activities status, etc., could be potentially identified as important data. However, it is important to note that these standards are not mandatory and do not hold the same weight as official data catalogs. They serve merely as a potential reference for relevant departments during the formulation of such catalogs for important data. Therefore, it remains advisable for companies to monitor the developments regarding important data catalogs within their respective regions and industries.
8. If all scenarios of a company for cross-border transfer of personal information are exempted from those regulatory processes under the New Provisions, what else to do?
Even if the company is not required to undergo those regulatory processes, it remains obligated to ensure that sufficient notification has been provided and specific consent has been obtained (where consent serves as the legal basis), to conduct a personal information protection impact assessment and to implement necessary data security measures.
Notably, in the context of standard contracts, while the New Provisions explicitly state that data processors are exempted from concluding standard contracts in certain scenarios, there exists a variance in interpretation. Some practical opinions construe this exemption as allowing data processors to forego the SCCs Record Filing requirement while still requiring them to conclude standard contracts. The prevailing viewpoint suggests that the act of signing standard contracts is no longer obligatory. However, data processors retain the option to sign such standard contracts as a demonstration of good practice.
[1] See the Security Assessment Measures for Outbound Data Transfers, issued by the CAC, effective as of September 1, 2022.
[2] See the Measures on the Standard Contract for Outbound Transfer of Personal Information, issued by the CAC, effective as of June 1, 2023.
[3] See the Personal Information Protection Law of the People’s Republic of China, issued by the Standing Committee of the National People’s Congress, effective as of November 1, 2021.
[4] See Article 4 of the Security Assessment Measures for Outbound Data Transfers.
[5] See Article 14 of the Security Assessment Measures for Outbound Data Transfers.
[6] Id.