On 28 September 2023, the Cyberspace Administration of China (“CAC”) released the Draft Provisions on Regulating and Facilitating Cross-Border Data Transfer (“Draft Regulation”), open for public comments until 15 October 2023. The Draft Regulation, if ultimately issued substantially in its present form, would benefit many multinational companies as they transfer various kinds of data out of China. The substance of the Draft Regulation consists in exceptions to the requirements, such as security assessments and standard contracts, set out by existing laws and regulations for outbound cross-border data transfers (“Data Export”).
Existing Requirements for Data Export
Under the existing data protection regime, Data Export is subject to the following requirements (collectively, “Data Export Requirements”):
Security Assessment. The following parties must carry out so-called “security assessments”[1] before transferring data offshore:
- Critical information infrastructure operators seeking to transfer personal information (“PI”) offshore;
- Data handlers seeking to transfer so-called “important data”[2] offshore;
- Data handlers who process the PI of more than one million individuals and seek to transfer any PI offshore;
- Data handlers who transfer offshore, on a cumulative basis, the PI of more than 100,000 individuals in the period since January 1 of the preceding year; and
- Data handlers who transfer offshore, on a cumulative basis, the “sensitive personal information” of more than 10,000 individuals in the period since January 1 of the preceding year.
Standard Contract or PI Protection Certification. If none of the thresholds for the security assessment listed above is triggered, a party wishing to transfer any PI out of China must nevertheless carry out one of the following procedures:[3]
- executing a standard contract issued by the CAC with the relevant overseas recipient of the PI; or
- obtaining “PI protection certification” from a specialized institution designated by the CAC.
Proposed Exceptions to Data Export Requirements
Under the Draft Regulation, none of the Data Export Requirements would apply in the following circumstances:
- Exporting PI where necessary for the conclusion or performance of a contract to which the PI subject is a party, such as cross-border shopping, payments, ticket and hotel bookings, visa applications, etc.;
- Exporting PI of employees for purposes of implementing HR management according to employment policies and collective labor contracts;
- Exporting PI of no more than 10,000 individuals within one year;
- Exporting PI for purposes of protecting individuals’ life, health, or property security in emergency situations;
- Exporting PI that is not collected or generated within mainland China; and
- Exporting non-PI data that is collected or generated during international trade, academic cooperation, cross-border manufacturing and marketing, and certain other as-yet unspecified activities, unless such data is recognized as “important data”.