Place: Insights / Perspectives / Detail
China's First Batch of Data Lists for Cross-Border Transfers
2024-07-05Jacky Li | Jenny Chen | Yuanlv Xu

Corporate Compliance News Alert: China's First Batch of Data Lists for Cross-Border Transfers Released by Tianjin FTZ and Shanghai FTZ

 

On March 22, 2024, the Cyberspace Administration of China (“CAC”) officially issued the Provisions on Promoting and Regulating Cross-border Data Flows (“New Provisions”), allowing free trade zones (“FTZs”) to independently establish negative lists of data that need to undergo security assessments conducted by the CAC (“CAC Security Assessments”), Standard Contracts Record Filing (“SCCs Record Filing”), or Personal Information Protection Certification by a professional institution (“Personal Information Protection Certification”) (collectively known as the “three compliance mechanisms”).  Data not included on the negative list will be exempt from regulatory restrictions on outbound data transfers. These FTZ-specific data lists were also referred to as China’s fourth compliance mechanism for data outbound transfers.

 

On May 9, 2024, the Administrative Committee of the China (Tianjin) Free Trade Zone (“Tianjin FTZ”) and the Tianjin Municipal Bureau of Commerce jointly released the China (Tianjin) Free Trade Zone Data Outbound Transfer Management List (Negative List) (2024 Edition) (“Tianjin Negative List”). This marked the first negative list for data outbound transfers in FTZs across China.

 

In contrast to the negative list approach adopted by the Tianjin FTZ, on May 17, 2024, the Lingang New Area of the China (Shanghai) Free Trade Zone (“Shanghai FTZ”) officially released the first batch of General Data Lists for Cross-border Scenarios (“Shanghai Data List”) and related guidelines using a positive list approach.  This includes the General Data List for Cross-border Scenarios in the Biomedical Field (Trial), the General Data List for Cross-border Scenarios in the Intelligent Connected Vehicle Field (Trial), and the General Data List for Cross-border Scenarios in the Public Fund Field (Trial) in the Lingang New Area of the Shanghai FTZ.

 

The following sections will compare the specific requirements of these two data lists to explore compliance models for cross-border data transfers under the two approaches.

 

1. Which are the applicable entities under these two data lists?

 

The Tianjin Negative List: This list only specifies requirements based on the location of entities, applying to enterprises within the Tianjin FTZ.

 

The Shanghai Data List: This list sets more detailed conditions from both positive and negative perspectives:

  • Data Processors: Entities registered in the Shanghai FTZ or Lingang New Area specifically in the biomedical, intelligent connected vehicle, or public fund sectors;
     
  • Cross-Border Data Flow Activities: These activities must occur in the Lingang New Area, meaning that the data processing, storage, and cross-border transfer (excluding collection) must happen within the Lingang New Area, not other parts of the Shanghai FTZ;

    (Note: this is the interpretation by the staff at the Lingang New Area Cross-border Data Service Center.)
     
  • Exclusions: The list does not apply to Critical information infrastructure operators (“CIIOs”).

2. What are the applicable data types under these two data lists?

 

The Tianjin Negative List categorizes data that needs to be transferred abroad by enterprises within the Tianjin FTZ into three levels:

 

图片

 

The Shanghai Data List includes data exempt from the three compliance mechanisms, whereas data not listed still requires identification to determine if it needs to comply with the three compliance mechanisms. Compared to the Tianjin Negative List, the Shanghai Data List provides a more detailed and scenario-based categorization of data to be transferred abroad:

 

图片

 

3. What responsibilities and obligations do enterprises have under the two data lists?

 

The Tianjin Negative List:

  • Requires data processors to conduct self-assessments.
     

  • Mandates compliance with the three compliance mechanisms if the data to be transferred abroad is listed.
     

  • No additional obligations are necessary if the data is not listed.

The Shanghai Data List:

  • Requires data processors to ensure compliance with data field requirements, processing scenarios, and usage conditions.

     

  • Requires completing filing with the Shanghai FTZ:

    (Note: Based on the interpretation by the staff at the Lingang New Area Cross-border Data Service Center, this applies specifically to data processors who have not encountered scenarios involving the transfer of sensitive information abroad from January 1, 2024 till now. If a data processor has already transferred sensitive information abroad in 2024 prior to submitting the application, then it shall still follow the original three compliance mechanisms as outlined in the New Provisions.)

    Submission of electronic materials, including the filing application form, description of intended outbound transfer scenarios and relevant data, and contracts with overseas recipients, to the Lingang New Area’s relevant online platform.

    Review of the legitimacy, legality, and necessity of data outbound transfer by the Lingang New Area Cross-border Data Service Center.

    Preservation and backup of data for a minimum of one year if filing is successful. Filing validity lasts for one year, with renewal required two months before expiration. Any changes to filing information during this period necessitate an amendment application.
     

  • Other management requirements include:

    Data processors transferring personal information abroad, after meeting the relevant management requirements of the Shanghai FTZ, can be exempt from the three compliance mechanisms but still need to fulfill obligations such as notification, obtaining individual consent, and conducting personal information protection impact assessments.

4. What significance do the two data lists hold for enterprises in China?

 

In terms of personal information, both the Tianjin Negative List and the Shanghai Data List maintain thresholds for data transfers, aligning with existing thresholds outlined in the New Provisions. This indicates a continuity in requirements without significant relaxation or refinement.

 

Nevertheless, in terms of important data, the two lists can provide essential guidance for understanding the criteria defining important data. Specifically, the Tianjin Negative List is likely to feature data classified as important data, whereas the Shanghai List is likely to exclude data considered as important data.

 

In essence, companies are still advised to strictly adhere to the New Provisions, following the three compliance mechanisms to fulfill their respective obligations.