Regulations for Standardizing and Promoting Cross-Border Data Flow (Draft for Public Comment) (Mainland China)

October 2023

Joyce Wen and Teresa Huang

On September 28, 2023, the State Internet Information Office issued the Regulations for Standardizing and Promoting Cross-Border Data Flow for public comment, hereinafter referred to as the Draft for Public Comment.  This draft establishes a green channel for data exports while ensuring data security and protecting individual privacy rights.  The key points of this document are summarized below.

I. Clearly Define Situations Exempt from Data Export Security Assessment, Standard Contracts for the Export of Personal Information, and Personal Information Protection Certification.

The Draft for Public Comment provides clear guidelines on situations in which a security assessment for data export, the establishment of standard contracts for the export of personal information, and personal information protection certification are not required.  According to Articles 1 to 4 of the Draft for Public Comment, the following circumstances do not necessitate the mentioned requirements: Data generated in the course of international trade, academic cooperation, multinational manufacturing, and marketing activities that do not involve personal information or critical data Personal information collected outside of the country that is being provided to foreign entities.  Cross-border activities such as shopping, remittances, flight and hotel reservations, and visa processing, where the provision of personal information to foreign parties is essential for entering into and fulfilling contracts in which the individual is a party.  Situations where personal information of internal employees must be provided outside of the country for human resources management.  These provisions represent a significant highlight of the Draft for Public Comment and are expected to substantially enhance the efficiency of data exports.

II. Reiteration of Scenarios Requiring Data Export Security Assessment Declaration.

It is emphasized that certain scenarios necessitate the declaration of a data export security assessment.  According to Article 6 of the Draft for Public Comment, if the provision of personal information to entities outside of China involves more than one million individuals, a data export security assessment declaration is still required.  However, for specific entities such as government agencies and operators of critical information infrastructures, who provide personal information and important data abroad, or who provide sensitive information related to political, governmental, military, or classified entities, as well as sensitive personal information, the existing regulations will continue to be enforced.

III. Granting Free Trade Zones the Authority to Establish a “Negative List”.

According to Article 7 of the Draft for Public Comment, free trade zones are empowered to independently formulate a data Negative List.  For data that is not included in the Negative List, there is no requirement to declare a data export security assessment, establish standard contracts for the export of personal information, or obtain personal information protection certification.  This provision enhances the convenience of cross-border data flow for businesses within free trade zones.
Overall, this Draft for Public Comment has optimized the applicable standards for data export pre-approval supervision, exempting certain circumstances from the obligation of data export pre-approval supervision, and reducing the compliance costs for businesses.

The contents of all newsletters of Shanghai Lee, Tsai & Partners (Content) available on the webpage belong to and remain with Shanghai Lee, Tsai & Partners. All rights are reserved by Shanghai Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Shanghai Lee, Tsai & Partners.

The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case. The Content may not reflect the most current legal and regulatory developments. Shanghai Lee, Tsai & Partners and the editors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The contributing authors’ opinions do not represent the position of Shanghai Lee, Tsai & Partners. If the reader has any suggestions or questions, please do not hesitate to contact Shanghai Lee, Tsai & Partners.