China Expects to Relax Restriction on Cross-Border Data Transfer
Author: 石钛戈 Date: 2023-11-01

 

Original title: China Expects to Loosen Restrictions on Cross-Border Data Transfer

 

This article was first published by China Law & Practice on October 19, 2023, at www.chinalawandpractice.com.[1]

 

On September 28, 2023, just before the start of an 8-day public national holiday, the Cyberspace Administration of China (CAC) published for public feedback a draft document titled the Provisions for Regulating and Promoting the Cross-Border Flow of Data (Draft for Comments) (the “Draft Provisions”).

 

The release of this draft document indicates that the CAC and other data security regulators in China recognize the regulatory challenges posed by the current regime on cross-border data transfer and the difficulties faced by data/personal information handlers. The CAC aims to relax the restrictions on cross-border data transfer without altering the existing regulatory framework established by the PRC Cybersecurity Law, PRC Data Security Law, and PRC Personal Information Protection Law. It aims to facilitate and promote the orderly flow of data in daily business operations that do not impact national security. The 14th measure of the Opinions on Further Improving the Foreign Investment Environment and Enhancing Foreign Investment Attraction, issued by the State Council in August 2023, also reflects this intention. The Draft Provisions can therefore be seen as a document issued in order to implement the requirements stated in the State Council’s Opinions.

 

1

Main Changes Brought about by the Draft Provisions   

Currently, companies in China must, in addition to other internal procedures, follow one of three paths for exporting important data or personal information: applying for a data export security assessment, signing a standard contract and filing for the record, or obtaining a personal information protection certification (together, the “Data Export Procedures”). The Draft Provisions aim to clarify and simplify the regulatory regime on cross-border data transfer in ordinary business operations. Significant changes include:

 

(1) Confirming that the cross-border transfer of data without important data or personal information does not require use of the Data Export Procedures.

 

Article 1 of the Draft Provisions provides that data export involving no important data or personal information, relating to matters including international trade, academic cooperation, multinational manufacturing, and marketing activities, need not undergo any Data Export Procedures.

 

Under current laws and regulations, the focus has always been on important data and personal information, and no special restrictions have been placed on cross-border transfers that do not include such data. However, the above clause in the Draft Provisions affirms the free flow of data in a positive sense, providing more certainty to companies engaged in relevant cross-border data transfers for their business operations.

 

However, it should be noted that the provision on free flow of data only pertains to Data Export Procedures required by the PRC Cybersecurity Law, PRC Data Security Law and PRC Personal Information Protection Law. If the exported data contains restricted information regulated by other laws and regulations (for example state secrets, or human genetic resource information), the cross-border transfer of such data must still meet the preconditions provided under those laws.

 

(2) Simplifying the determination standard for important data with respect to the data export security assessment procedure.

 

Article 2 of the Draft Provisions provides that a data handler is not required to apply for a data export security assessment organized by the CAC for “exporting important data”, if the concerned data has not been notified or published as important data by the competent industry-specific regulator or regional government.

 

Although this one-sentence clause does not provide a clear scope of important data, it does alleviate burdens on companies to some extent. This means that, at this stage, companies do not need to worry whether the data they plan to transfer overseas constitutes important data, until the relevant authorities make their determination on the specific data or publish an important data catalog applicable to their industry or region.

 

Nevertheless, from a compliance perspective, it is advisable for companies to conduct an internal assessment in order to make their own determination on whether the data intended to be transferred overseas constitutes important data. This can be done by referencing published draft rules and standards such as the Regulations for the Administration of Network Data Security (Draft for Comments), Information Security Technology - Rules for Identification of Key Data (Draft for Comments), and Information Security Technology - Requirements for Classification and Grading of Network Data (Draft for Comments), among others.

 

(3) Providing certain scenarios exempted from Data Export Procedures when exporting personal information.

 

Article 4 of the Draft Provisions provides for three scenarios where the export of personal information is exempted from Data Export Procedures:

 

a. Personal information must be transferred overseas in order to conclude and fulfill a contract to which the individual is a party. The typical examples under this category include cross-border shopping, cross-border remittance of funds, air ticket and hotel booking, and visa applications.

 

b. When a company’s employees’ personal information must be provided to overseas recipients for human resource management purposes, in accordance with labor rules established and collective contracts signed in accordance with the law.

 

c. When the export of personal information is necessary to protect the life, health and property of natural persons in emergency situations.

 

Among these scenarios, scenario b. is more relevant to a multinational company’s daily operation. However, the applicable scope and the precondition of this scenario are narrow. Companies must base their HR management activities on “labor rules and regulations formulated in accordance with laws” and “collective contracts signed in accordance with the law” while proving that the export of employees’ personal information is necessary. In practice, most companies can meet the requirement that their HR management processes are implemented based on “labor rules and regulations formulated in accordance with laws”, but collective contracts are seldom signed. In addition, there is a great deal of uncertainty as to whether the export of a company’s personal information in most circumstances is a “must”. It is advisable to await further interpretation and clarification of this scenario by the CAC or other regulators before relying on it as the legal basis for exempting the export of employees’ personal information from Data Export Procedures.

 

(4) Simplifying the counting standards of exporting personal information triggering Data Export Procedures.

 

The Measures for the Security Assessment of Overseas Transfer of Data and the Measures for the Standard Contract for Overseas Transfer of Personal Information set forth complex counting standards. These are based on the number of individuals whose personal information is processed by the data/personal information handler (1 million individuals or more), and on the number of individuals whose personal information, or whose sensitive personal information, has been cumulatively transferred overseas since January 1st of the previous year (100,000 individuals or more and 10,000 individuals or more, respectively). In comparison, the clauses under the Draft Provisions significantly simplify the counting standards for export of personal information that may trigger the different Data Export Procedures. The new counting standard is not only easier for companies to calculate, but also raises the threshold for triggering the procedures, exempting smaller-volume export activities from the obligation of undergoing them.

 

Under Articles 5 and 6 of the Draft Provisions, the relationship between the volume of personal information being exported and the corresponding obligations is as follows:

 


 

Therefore, the good news for most companies is that they will be exempted from the obligation to undergo any Data Export Procedures if they export personal information of fewer than 10,000 individuals within a year. The amount of personal information processed in China, or whether the exported personal information includes sensitive personal information, is no longer taken into account.

 

(5) Companies in FTZs will be given greater freedom of cross-border data transfer.

 

Article 7 of the Draft Provisions authorizes Free Trade Zones (FTZs) to formulate a negative list for cross-border data transfer, and such list will come into effect after reporting to the Provincial Cybersecurity and Informatization Commission for approval and being filed for record with the CAC. Once the negative list becomes effective, companies operating in the FTZs can freely transfer data outside the list without undergoing any Data Export Procedures.

 

At this stage, it is difficult to anticipate how the administrative committees of different FTZs will formulate their negative lists, and there may be variations among the lists published by different FTZs.

 

The diagram attached at the end of this article sets out a process by which companies may identify the appropriate route for their data export activities.

 

It is important to note that while the Draft Provisions relax the restrictions on cross-border data transfer activities by ordinary companies and organizations, they maintain a strict regulatory stance on activities that may relate to national security. For instance, when government agencies and critical information infrastructure operators provide personal information and important data overseas, they must still comply with the requirements of existing laws, regulations, and rules, including applying for a data export security assessment by the CAC and fulfilling other applicable obligations. Furthermore, when sensitive information and personal information related to Chinese Communist Party institutions, government agencies, the military, and state secrets-related organs are provided overseas, the corresponding export obligations must still be fulfilled in accordance with the requirements of applicable laws, regulations, and departmental rules.

 

2

The Draft Provisions’ Impact on Ongoing Work Related to the Standard Contract

As analyzed above, the Draft Provisions make significant adjustments to the applicable scope of the Data Export Procedures under current regulations and rules. With the expiration date (i.e., November 30th, 2023) of the grace period for rectification provided in Article 13 of the Measures for the Standard Contract for Overseas Transfer of Personal Information approaching, the proposed adjustment has raised questions and potential confusion for companies engaged in work related to the standard contract in accordance with the current requirements of those Measures.

 

If the Draft Provisions come into effect as currently set out, companies that expect to export the personal information of fewer than 10,000 persons within a year will be exempted from any Data Export Procedures. Hence, they will no longer be required to sign a standard contract with the overseas recipient and file for the record, reducing their compliance burden.

 

It should be noted, however, that the Draft Provisions only exempt companies from the obligation of signing and filing a standard contract or obtaining the certification of personal information protection for specific exporting scenarios. Other legal obligations related to the export of personal information as stipulated in the Personal Information Protection Law (the “PIPL”) remain unchanged. For example, the Draft Provisions emphasize the requirement under Article 39 of the PIPL to obtain consent from data subjects when transferring their personal information overseas. Article 9 of the Draft Provisions also mandates that data handlers must comply with provisions of laws and administrative regulations when providing personal information overseas, including the obligation to conduct a personal information protection impact assessment (the “PIA”) before exporting, as provided in Articles 55 and 56 of the PIPL. The Draft Provisions also require local cyberspace administrations to strengthen guidance and supervision on data handlers’ data export activities. Therefore, even if certain data export activities are exempted from Data Export Procedures, authorities may conduct random checks to ensure companies fulfill their statutory obligations regarding data export.

 

In addition, although the comment period for the Draft Provisions expired on October 15th, there is uncertainty as to the final contents and the effective date. Given the imminent expiration of the grace period stipulated in the Measures for the Standard Contract for Overseas Transfer of Personal Information, the authors consulted relevant provincial cyberspace administrations regarding ongoing work related to standard contracts before the finalization of the Draft Provisions. The attitudes of the administrations fall into two categories: (i) a cautious attitude, under which the administrations believe that companies should continue to do what they are required to do by current rules; and (ii) an open and tolerant attitude, under which the administrations suggest that companies may adopt a “wait and see” strategy and choose the appropriate mechanism for their data export activities after the new rules are published.

 

3

Suggestions for Further Actions

Based on the analysis and the differing positions of the provincial cyberspace administrations, companies that may be exempted from standard contract related obligations under the Draft Provisions but are currently obligated to comply with them should consider the following actions:

 

(1) Continue to carry out PIAs and prepare PIA reports.

 

Carrying out a PIA in relation to the export of personal information is a statutory obligation under the PIPL and has not been exempted by the Draft Provisions. Regardless of whether a company will be required to sign a standard contract and file for the record after the new rules come into effect, it must still conduct a PIA and prepare a PIA report.

 

(2) Estimate the volume of personal information to be transferred overseas within one year.

 

Based on its business plan and daily management needs, a company must carefully estimate the number of individuals whose personal information is to be transferred overseas in a calendar year and determine whether that number is expected to reach or exceed 10,000 individuals, in order to decide whether the intended export meets the exemption conditions stated in the new rules or whether it is still necessary to sign a standard contract and file for the record.

 

(3) Stay updated on policy releases by local provincial cyberspace administrations.

 

The provincial cyberspace administrations are responsible for handling matters related to standard contract filings. They may issue operational guidelines during the transition period before the new rules come into effect based on their regulatory practices and local circumstances. Monitoring the policy trends of these organizations will help a company to respond flexibly to relevant initiatives.

 

(4) Be prepared to sign the standard contract.

 

Although there is a greater likelihood that, under the new rules, a company’s personal information export activities will no longer require the signing of a standard contract and filing for the record, it is still advisable to prepare the standard contract to be signed based on the conducted PIA and maintain communication with overseas recipients to ensure readiness. If the new rules are not as expected, or if they are published significantly later than the expiration of the grace period, and the competent provincial cyberspace administration requires a company to sign and file a standard contract according to current rules, it will be able to complete the procedure more quickly and avoid potential non-compliance consequences.

 

How to identify the appropriate data export route applicable to your company


 

Notes

 

[1] This article was first published by China Law & Practice at https://www.chinalawandpractice.com/2023/10/19/china-expects-to-loosen-restrictions-on-cross-border-data-transfer/.
