October 2023
Regulations for Standardizing and Promoting Cross-Border Data Flow (Draft for Public Comment) (Mainland China)
October 2023
Joyce Wen and Teresa Huang
On September 28, 2023, the State Internet Information Office issued the Regulations for Standardizing and Promoting Cross-Border Data Flow for public comment, hereinafter referred to as the Draft for Public Comment. This draft establishes a green channel for data exports while ensuring data security and protecting individual privacy rights. The key points of this document are summarized below.
I. Clearly Define Situations Exempt from Data Export Security Assessment, Standard Contracts for the Export of Personal Information, and Personal Information Protection Certification.
The Draft for Public Comment provides clear guidelines on situations in which a security assessment for data export, the establishment of standard contracts for the export of personal information, and personal information protection certification are not required. According to Articles 1 to 4 of the Draft for Public Comment, the following circumstances do not necessitate the mentioned requirements: Data generated in the course of international trade, academic cooperation, multinational manufacturing, and marketing activities that do not involve personal information or critical data Personal information collected outside of the country that is being provided to foreign entities. Cross-border activities such as shopping, remittances, flight and hotel reservations, and visa processing, where the provision of personal information to foreign parties is essential for entering into and fulfilling contracts in which the individual is a party. Situations where personal information of internal employees must be provided outside of the country for human resources management. These provisions represent a significant highlight of the Draft for Public Comment and are expected to substantially enhance the efficiency of data exports.
II. Reiteration of Scenarios Requiring Data Export Security Assessment Declaration.
It is emphasized that certain scenarios necessitate the declaration of a data export security assessment. According to Article 6 of the Draft for Public Comment, if the provision of personal information to entities outside of China involves more than one million individuals, a data export security assessment declaration is still required. However, for specific entities such as government agencies and operators of critical information infrastructures, who provide personal information and important data abroad, or who provide sensitive information related to political, governmental, military, or classified entities, as well as sensitive personal information, the existing regulations will continue to be enforced.
III. Granting Free Trade Zones the Authority to Establish a "Negative List".
According to Article 7 of the Draft for Public Comment, free trade zones are empowered to independently formulate a data Negative List. For data that is not included in the Negative List, there is no requirement to declare a data export security assessment, establish standard contracts for the export of personal information, or obtain personal information protection certification. This provision enhances the convenience of cross-border data flow for businesses within free trade zones.
Overall, this Draft for Public Comment has optimized the applicable standards for data export pre-approval supervision, exempting certain circumstances from the obligation of data export pre-approval supervision, and reducing the compliance costs for businesses.
Joyce Wen and Teresa Huang
On September 28, 2023, the State Internet Information Office issued the Regulations for Standardizing and Promoting Cross-Border Data Flow for public comment, hereinafter referred to as the Draft for Public Comment. This draft establishes a green channel for data exports while ensuring data security and protecting individual privacy rights. The key points of this document are summarized below.
I. Clearly Define Situations Exempt from Data Export Security Assessment, Standard Contracts for the Export of Personal Information, and Personal Information Protection Certification.
The Draft for Public Comment provides clear guidelines on situations in which a security assessment for data export, the establishment of standard contracts for the export of personal information, and personal information protection certification are not required. According to Articles 1 to 4 of the Draft for Public Comment, the following circumstances do not necessitate the mentioned requirements: Data generated in the course of international trade, academic cooperation, multinational manufacturing, and marketing activities that do not involve personal information or critical data Personal information collected outside of the country that is being provided to foreign entities. Cross-border activities such as shopping, remittances, flight and hotel reservations, and visa processing, where the provision of personal information to foreign parties is essential for entering into and fulfilling contracts in which the individual is a party. Situations where personal information of internal employees must be provided outside of the country for human resources management. These provisions represent a significant highlight of the Draft for Public Comment and are expected to substantially enhance the efficiency of data exports.
II. Reiteration of Scenarios Requiring Data Export Security Assessment Declaration.
It is emphasized that certain scenarios necessitate the declaration of a data export security assessment. According to Article 6 of the Draft for Public Comment, if the provision of personal information to entities outside of China involves more than one million individuals, a data export security assessment declaration is still required. However, for specific entities such as government agencies and operators of critical information infrastructures, who provide personal information and important data abroad, or who provide sensitive information related to political, governmental, military, or classified entities, as well as sensitive personal information, the existing regulations will continue to be enforced.
III. Granting Free Trade Zones the Authority to Establish a "Negative List".
According to Article 7 of the Draft for Public Comment, free trade zones are empowered to independently formulate a data Negative List. For data that is not included in the Negative List, there is no requirement to declare a data export security assessment, establish standard contracts for the export of personal information, or obtain personal information protection certification. This provision enhances the convenience of cross-border data flow for businesses within free trade zones.
Overall, this Draft for Public Comment has optimized the applicable standards for data export pre-approval supervision, exempting certain circumstances from the obligation of data export pre-approval supervision, and reducing the compliance costs for businesses.
