China Adopts New Regulations to Facilitate Cross-Border Data Flows 

Written by Arendse Huld

China’s cybersecurity regulator has released new data export regulations that will significantly facilitate cross-border data transfer for companies in the country. Important changes in the new regulations include increasing the limits on the volume of personal information that a company can handle before it is required to undergo additional compliance procedures. In addition, they outline scenarios in which companies are exempt from compliance procedures and clarify the handling of “important” data. We explain the new China data export regulations and discuss their impact on foreign companies.


The Cybersecurity Administration of China (CAC) has released the final version of a set of regulations aimed at facilitating cross-border data transfer (CBDT) for companies based in China.

The new regulations, titled the Regulations to Promote and Standardize Cross-Border Data Flows, came into force on March 22, 2024.

In September 2023, the CAC released a draft version of the regulations for public comment. The final version has been altered only slightly from the draft, retaining the majority of the original proposals.

The new regulations specifically deal with facilitating procedures required to export data from China. Under China’s Personal Information Protection Law (PIPL), companies that wish to export certain volumes and types of personal information (PI) outside of China must undergo one of three compliance procedures. These are applying for a data export security assessment conducted by the CAC, entering into a Standard Contract with the overseas recipient of the data, or undergoing PI protection certification by a third-party agency.

Which procedure a company must choose will depend on the amount of PI they handle, whether the data is considered “important”, and whether the company itself is considered to be a critical information infrastructure operator (CIIO).

The new regulations provide several measures that will facilitate cross-border data flows for companies in China, greatly easing compliance burdens and allowing for the free flow of data in certain scenarios.

Increased data volume thresholds for export compliance procedures

A major change in the new regulations is an increase in the data volume thresholds that trigger one of the compliance procedures from the ones stipulated in the PIPL and related regulations. This means that companies will be able to handle a higher volume of data than was previously allowed before they are required to undergo one of the compliance procedures.

Under the previous measures for the implementation of the security assessment, the highest bar of compliance, a company must undergo a security assessment by the CAC in any of the following circumstances:

  • The company exports “important data” overseas;
  • The company is a CIIO or is a company handling the PI of more than one million people, and exports PI overseas;
  • The company has exported the PI of more than 100,000 people or the “sensitive” PI of more than 10,000 people since January 1 of the previous year and provides PI overseas; and
  • The company engages in any other situations stipulated by the CAC.

Meanwhile, companies can choose to undergo PI protection certification by a third-party agency or sign a Standard Contract with the overseas recipient if they fall below the above thresholds.

However, the new regulations increase the data volume thresholds that trigger a compliance procedure. For the security assessment procedure, the threshold for accumulated non-sensitive PI has been increased from that of 100,000 people to that of one million people. For the Standard Contract and PI protection certification procedures, the threshold has been increased from the non-sensitive PI of less than 100,000 people to that of between 100,000 and one million people.

In addition, the time frame has also been shortened from the accumulated PI from January 1 of the previous year to January 1 of the current year. This effectively cuts the maximum period for accumulated PI that is considered for compliance procedures from two years to just one year and allows the company’s accumulated volume to be reset to zero at the start of every year, making it less likely they will exceed the limits.

Finally, if a company has processed the PI of less than 100,000 people since January 1 of the current year, it will not be required to undergo any compliance procedures. Previous regulations did not have any exemptions for lower volumes of PI.

The changes in data volume limits are summarized in the table below.

Change in PI Export Volume Thresholds for CBDT Compliance Procedures

| Required compliance procedure | Previous regulations | New regulations |
|---|---|---|
| No procedures required | N/A | Cumulative since January 1 of the current year: < 100,000 (normal PI) |
| PI protection certification or Standard Contract signing | Cumulative since January 1 of the previous year: < 100,000 (normal PI); or < 10,000 (sensitive PI) | Cumulative since January 1 of the current year: ≥ 100,000 and < 1,000,000 (normal PI); or < 10,000 (sensitive PI) |
| Security assessment by CAC | Cumulative since January 1 of the previous year: ≥ 100,000 (normal PI); or ≥ 10,000 (sensitive PI) | Cumulative since January 1 of the current year: ≥ 1,000,000 (normal PI); or ≥ 10,000 (sensitive PI) |

Note that the above changes do not apply to companies that are CIIOs, which will still be required to undergo a security assessment regardless of the volume or type of data they export, nor do they apply to companies that are exporting important data.

However, the new regulations also outline several additional circumstances in which a company may be exempt from undergoing compliance procedures even if they exceed the new thresholds. These exceptions are outlined in the section below.

Easing requirements for the export of “important data”

As mentioned above, companies that wish to export important data out of China must undergo a data export security assessment by the CAC, the most cumbersome of the three options.

However, what data is considered “important” has not been clearly defined in relevant regulations, leaving many companies uncertain of whether they must apply for the security assessment.

In the measures governing the security assessment procedures, important data is defined simply as “data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used”. However, the authorities haven’t yet released a reference document for the type of data that would be deemed to fall under this definition, leaving it largely up to interpretation.

Despite this, the new regulations state that companies are required to identify and declare important data in accordance with relevant regulations. While the regulations do not provide any additional clarity on the definition, they do provide an important caveat that will help to reduce uncertainty in many cases. If relevant government departments or regions have not publicly identified certain data as “important”, then the company will not be required to apply for the data export security assessment to export the data.

This means that if the data has not explicitly been defined as important by national or local authorities, then it will be deemed not to be for the time being.

Exemptions for certain cross-border data transactions

Under the new regulations, there are several scenarios in which a company will be exempted from undergoing any of the three compliance procedures to export data out of China.

First, if a company collects and generates data through activities such as international trade, cross-border transportation, academic cooperation, transnational manufacturing, and marketing, and it wishes to provide this data overseas, then it is not required to undergo any of the three compliance procedures, provided the data does not contain any PI or important data.

Second, if the PI collected and generated by a company outside of China is transferred to China for processing and then retransferred abroad, then the company is exempted from the compliance procedures, provided no domestic PI or important data is introduced during the processing.

Finally, the regulations outline cases in which the company may be exempted from the compliance procedures, if it meets certain conditions. These conditions are as follows:

  1. It is necessary to export PI to enter into and perform a contract to which an individual is a party, such as cross-border e-commerce, postal services, remittances, and payments, opening accounts, air ticket and hotel booking, visa processing, and examination services;
  2. It is necessary to export the PI of employees in order to implement human resources management in accordance with the labor rules and regulations and the collective contract signed with employees;
  3. It is necessary to export PI overseas in order to protect the life, health, and property of natural persons in an emergency; and
  4. If a company other than a CIIO has provided PI of less than 100,000 people (excluding sensitive PI) overseas since January 1 of that year.

Note that important data is not included in the above scenarios, and a company will still need to undergo a security review to export it.

Facilitated data flows in free trade zones

The new regulations allow China’s free trade zones (FTZs) to independently implement their own negative list of data that must be subject to compliance procedures when exported. These lists will be applicable to companies established in the FTZs.

Companies based in the FTZs exporting data that is not included in the negative lists will be exempted from undergoing the compliance procedures, thus greatly facilitating cross-border data flows in and out of the zone. The criteria for being considered to be based in the zone will presumably depend on the FTZs’ own standards for business presence, as is the case for qualifying for preferential tax treatment within the zones, although the regulations do not specify this.

Enabling the FTZs to implement their own data negative lists will greatly enhance the attractiveness and competitiveness of these zones, providing yet another benefit to establishing a business within these areas.

The FTZs are still in the process of developing these negative lists. In January 2024, the Lingang New Area of the Shanghai Pilot FTZ revealed a set of trial measures that will divide data for cross-border transfer into “core”, “important”, and “general” data categories, depending on their risk level. The local government also stated that it will release a “general data” catalogue, which will include types of data that can be transferred freely out of the area, and an “important data” catalogue, which will be subject to restrictions. The full trial measures have not yet been released to the public.

Extension of security assessment validity period

The new regulations extend the validity of a security assessment from two years to three years, from the date of issuance of the assessment result, thus decreasing the frequency with which a company will be required to undergo assessments.

The new regulations also simplify the procedures for the extension of a security assessment. If a company needs to continue its data export activities after its assessment has expired, it can apply for an extension through the local provincial cybersecurity and informatization department within 60 working days of the assessment’s expiration date. In this instance, the company won’t need to conduct another data export security assessment. If the application is successful, the assessment can be extended for another three years.

Implications of the new regulations for foreign companies in China

The new regulations are a major step forward in reducing barriers to cross-border data flows and clarify issues that impede the normal business operations of foreign companies in China.

The increase in the data volume thresholds for the compliance procedures will make it easier to comply with data transfer rules, particularly for smaller companies, which have fewer resources to handle the additional compliance burden. The various exemptions given will also greatly facilitate business operations in fields such as cross-border trade, e-commerce, and HR.

Meanwhile, the new regulation on important data removes a considerable regulatory headache for companies by acknowledging that the current regulations are insufficiently clear for companies to follow and places the onus on government authorities to specify which data is considered important. It may also allow companies whose applications for data export have been denied due to their inclusion of undefined important data to have these decisions overturned, at least until the authorities provide a clear definition. This will help to alleviate uncertainty and greatly facilitate companies’ normal operations in the interim.

It’s nonetheless important to note that the compliance procedures remain in place for larger volumes of data, as well as for all important data and CIIOs. Larger multinationals, in particular in consumer-facing industries, are still likely to reach the thresholds for compliance procedures on a regular basis and will have to continue to allocate time and resources toward compliance.

Large companies in particular are advised to closely monitor the regulatory bodies of their respective industries for news on the definition of important data to ensure that they remain compliant. Companies located in FTZs are also advised to carefully monitor news from local authorities regarding the release of data negative lists and to maintain open lines of communication with local authorities to ensure the correct understanding and implementation of the regulations.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.