On 28 September 2023, the Cybersecurity Administration of China (CAC) released the Draft Provisions on Regulating and Promoting Cross Border Data Flow (规范和促进数据跨境流动规定) (Draft Provisions) for public consultation. The Draft Provisions, if passed, will ease the requirements around cross border data transfer under the Personal Information Protection Law (PIPL). The consultation closed on 15 October 2023.
Currently, the PIPL requires that organizations who wish to transfer personal information outside of China must rely on one of the following mechanisms (CBDT Mechanisms):
- Complete a security assessment (Note that the deadline to submit the Security Assessment to the CAC was 28 February 2023);
- Obtain security certification; or
- Enter into the China standard contractual clauses (SCC) (Note that the deadline to sign and file the SCC to the CAC is 30 November 2023).
Depending on an organisation’s industry sector and the volume and types of personal information that an organisation processes, it may be required to complete a security assessment and cannot rely on the other options. Please see our previous blog on details of the CBDT Mechanisms (Link: Draft standard contractual clauses provisions, final security assessment measures and final certification guidelines for cross border data transfer released | Data Protection Report)
These cross border data transfer rules have created significant hurdles for the China operations of many multinationals organisations. Organisations need to conduct internal assessments to determine whether they fall within the ambit of the CBDT Mechanisms, and if applicable, undergo approval procedures with the CAC. Organisations who are unable to comply with these rules may need to alter their data flow and data storage structure (e.g. reduce amount of exported data, relocate data centres, adjust China operations) to achieve compliance.
The Draft Provisions, if passed, will come as good news to many organizations as they relax the cross border data transfer requirements. We have summarised the key points of the Draft Provisions below:
- Data that is exported as part of international trade, academic cooperation, cross border manufacturing and marketing activities, and does not contain important data or personal information, is not subject to the CBDT.
- An organisation is not required to conduct a security assessment if the data exported has not been declared as “important data” by the Chinese authorities.
- An organisation is not subject to the CBDT Mechanisms if the data export falls into one of the following export cases:
- personal information necessary for the performance of a contract (e.g. cross border purchases, cross border payments, flight tickets and hotel reservations, visa applications etc);
- employee personal information necessary for the purposes of human resource management in accordance with legally established employment regulations and collective contracts; or
- personal information necessary to protect the life, health and property safety of a natural person in an emergency.
- Organisations which expect to export less than 10,000 individuals’ personal information within one year are not subject to the CBDT Mechanisms.
- Organisations which expect to export more than 10,000 but less than 1 million individuals’ personal information within one year and have entered into the SCC and filed with the relevant authorities are not required to complete a security assessment.
- Free trade zones may establish their own “negative list” on data export. Export of data that is under the negative list is not subject to the CBDT Mechanisms.
Although the Draft Provisions are still in draft form, they demonstrate the CAC’s intention to take a more business friendly approach to data exports. We anticipate that the final provisions will be implemented before 30th November 2023 (i.e. the proposed grace period for China SCCs filing). If the Draft Provisions are passed, we foresee that many organisations may no longer need to complete the security assessment or enter into the SCC and file with the CAC.
For organisations who have already filed their submissions, we anticipate that the CAC may issue an explanation on how to deal with the filed submissions. Organisations may also consider contacting the CAC to discuss the possibilities and methods to adjust the filed submissions.
For organisations who have not filed their submissions yet, we suggest organisations to take a wait and see approach and hold their submissions until further news from the CAC.