May 2024
Lihui Jiang and Teresa Huang
To ensure data security, protect the rights and interests of personal information, and promote the lawful and orderly free flow of data, the Cyberspace Administration of China announced the “Regulations on Promoting and Regulating Cross-border Data Flows” on March 22, 2024 (hereinafter referred to as the “Regulations”), which came into effect upon publication. It consists of 14 articles, the main contents are as follows[1]:
I. Clarification of the criteria for important data outbound security assessment declaration
The “Regulations” specify that data handlers should identify and declare important data in accordance with relevant regulations. Data handlers do not need to declare data for outbound security assessment as important data if they have not been informed by relevant departments or regions or publicly announced as important data. The term “important data,” according to the “Measures for the Security Assessment of Data Outbound,” refers to data that, once tampered with, destroyed, leaked, or illegally obtained or utilized, may endanger national security, economic operations, social stability, public health and safety.
II. Specification of exemptions in certain circumstances
The “Regulations” also introduce some situations where exemptions apply, namely, under specific conditions, exemption from declaring data for outbound security assessment, executing personal information outbound standard contracts, and obtaining personal information protection certification. The applicable conditions mainly include: first, providing data to overseas without personal information or important data in activities such as international trade, cross-border transportation, academic cooperation, transnational production, and marketing; second, “processing abroad,” that is, transferring personal information collected and generated abroad to domestic processing and then providing it overseas without introducing domestic personal information or important data in the process; and third, providing personal information overseas for the purpose of entering into or performing contracts, involving human resource management, protecting the life, health, and property of natural persons in emergency situations, and providing non-sensitive personal information of fewer than 100,000 people accumulated by non-critical information infrastructure operators(hereinafter referred to as the “Non-CIIO”).
III. Establishment of a negative list system for free trade pilot zones
Article 6 of the “Regulations” specifies that under the framework of the national data classification and grading protection system, free trade pilot zones can independently formulate data lists, namely negative lists, that need to be included in the scope of data outbound security assessment, personal information outbound standard contracts, and personal information protection certification management within the zone. Exemption can be applied for providing data not on the negative list to overseas.
However, in practice, some regions had already begun related explorations before the promulgation of the “Regulations.” For instance, the Management Committee of the Lingang New Area of the China (Shanghai) Pilot Free Trade Zone issued the “Interim Measures for the Classification and Grading Management of Cross-border Data Flow in the China (Shanghai) Pilot Free Trade Zone Lingang New Area” on February 8, 2024[2].
IV. Refinement of the data outbound security assessment, personal information outbound standard contract, and certification system[3]
The “Regulations” clarify the conditions for data outbound security assessment declaration through relevant departments: critical information infrastructure operators providing personal information or important data overseas; Non-CIIO providing over 1 million non-sensitive personal information or over 10,000 sensitive personal information overseas cumulatively from January 1 of the current year.
In addition, Non-CIIO should, from January 1 of the current year, conclude personal information outbound standard contracts with overseas recipients or obtain personal information protection certification when providing over 100,000 but less than 1 million non-sensitive personal information or less than 10,000 sensitive personal information overseas cumulatively.
V. Extension of the validity period of data outbound security assessment results
Article 9 of the “Regulations” extends the validity period of security assessment results from the previous 2 years to 3 years. If the validity period expires and it is necessary to continue data outbound activities, an application for extending the validity period of the assessment results can be submitted within 60 working days before the expiration date. However, it should be noted that the application for extending the validity period is based on the premise that there is no need to re-declare data for outbound security assessment.
Finally, it is worth mentioning that if there is any inconsistency between the “Regulations” and previously published regulations such as the “Measures for the Security Assessment of Data Outbound” and the “Measures for Personal Information Outbound Standard Contracts,” the “Regulations” shall apply.
[1] Cyberspace Administration of China: Q&A on the Regulations on Promoting and Regulating Cross-border Data Flows : https://www.cac.gov.cn/2024-03/22/c_1712776611649184.htm
[2] Notice on Issuing the Interim Measures for the Classification and Grading Management of Cross-border Data Flow in the China (Shanghai) Pilot Free Trade Zone Lingang New Area : https://www.lingang.gov.cn/html/website/lg/index/government/file/1756018881550389249.html
[3] The Cyberspace Administration of China: Expert Interpretation | Key Provisions on Regulations on Promoting and Regulating Cross-border Data Flows : https://www.cac.gov.cn/2024-03/22/c_1712776625820516.htm
The contents of all newsletters of Shanghai Lee, Tsai & Partners (Content) available on the webpage belong to and remain with Shanghai Lee, Tsai & Partners. All rights are reserved by Shanghai Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Shanghai Lee, Tsai & Partners.
The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case. The Content may not reflect the most current legal and regulatory developments. Shanghai Lee, Tsai & Partners and the editors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The contributing authors’ opinions do not represent the position of Shanghai Lee, Tsai & Partners. If the reader has any suggestions or questions, please do not hesitate to contact Shanghai Lee, Tsai & Partners.