China Moves to Facilitate Cross-Border Data Flows, Hints at Regulatory Easing in 2024

Posted by Written by Arendse Huld Reading Time: 6 minutes

In recent months, the Chinese government has taken steps toward facilitating cross-border data flows for companies based in China. While many of these measures are yet to be implemented, recent remarks from the EU Commission President, as well as proposals made during the 2023 Central Economic Work Conference, suggest that facilitating cross-border data flows will be among the key tasks to improve the business and investment environment for foreign companies in 2024. We look at China’s latest efforts and commitments to provide clarity on cross-border data transfer regulations.

China has committed to providing further clarity on cross-border data transfer (CBDT) rules, according to a statement given by EU Commission President Ursula von der Leyen.

Speaking at a press conference following the 24th EU-China Summit in Beijing on December 7, von der Leyen stated that she “very much [welcomed] now China’s willingness to establish a mechanism to clarify the rules” on CBDT.

Under China’s cybersecurity and data protection regime, underpinned by the Personal Information Protection Law (PIPL) and related regulations, companies that wish to export important data and certain volumes of personal information (PI) must undergo additional compliance procedures. These may range from undergoing a security assessment by the Cyberspace Administration of China (CAC), undergoing third-party data protection certification, or signing a standard contract with the overseas recipient of the data.

China’s CBDT regulatory framework has been a major pain point for China-based companies with business activity overseas. Due to the international nature of their business operations, multinationals and foreign companies have found navigating these requirements particularly difficult, as they frequently need to export data.

The EU has been a strong advocate for foreign companies in China regarding the clarification of CBDT rules. In its Position Paper released in September, the EU Chamber of Commerce in China (“EU Chamber”) noted the lack of clear definitions in the legislation, in particular concerning the term “important data”.

In China’s data protection regulations, data that is classified as “important” is subject to stricter protection and CBDT requirements. However, it has not yet been clearly defined.

In its position paper, the EU Chamber “urges for the scope of important data to be clearly and narrowly defined, with regulators providing a sufficient grace period between any future releases of guidelines related to the definition of ‘important data’ and catalogues, and their implementation”.

Steps to facilitate cross-border data flows

With declining foreign direct investment flows into China in 2023, the Chinese government has sought to tackle some of these challenges and improve the business environment to attract foreign investment, particularly in major cities such as Shanghai and Beijing. A major component of this strategy is easing the regulations surrounding CBDT.

In October, the CAC took a major step easing the rules with the release of a set of draft regulations that propose several concessions to the current CBDT requirements.

They include waiving the requirement for companies to undergo the required processes to export data if the data generated does not contain any PI or important data and is generated through international trade, academic cooperation, transnational manufacturing, and marketing.

They also stipulate specific scenarios in which the export of PI is deemed necessary and therefore not subject to the CBDT processes. These include situations in which PI must be exported to fulfill a contract for cross-border business activities such as e-commerce, remittances, and flight and hotel reservations, to fulfill HR obligations in compliance with labor rules and regulations, or to protect the safety of life, health, and property of people in emergencies.

In addition, the draft regulations propose lowering the threshold of PI that can be exported without needing to undergo the CBDT procedures and implementing “negative lists” of certain types of data in China’s FTZs, which would allow companies to freely export data not included in the list in these areas.

Facilitating cross-border data flows in the Shanghai FTZ

In addition to the efforts made by the central government, some local governments have also begun to consider ways to make CBDT easier for companies.

On December 7, Shanghai released a new plan to more closely align the business and investment environment in the Shanghai Pilot Free Trade Zone (Shanghai FTZ) with international standards.

The plan contains 80 measures to improve economic, trade, and management regulations in the zone, as well as expand market access. It also introduces several measures that will hint at easing CBDT for companies operating in the Shanghai FTZ.

Facilitating cross-border data flows for financial institutions

First, the plan states that financial institutions will be allowed to “transmit data required for daily operations overseas”. However, it notes that this must be done “within the framework of the national cross-border data transmission security management system, ” indicating that the companies will not be exempt from undergoing the CBDT processes entirely.

Find Business Support
Learn how our virtual CIO service can help you accelerate connectivity between your China-based employees and global organization.

It also states that authorities will be able to take regulatory measures based on “national security and prudential principles” when regulating the export of financial data and will still need to ensure the security of “important data” and PI.

This wording somewhat limits the scope of CBDT easing, as it still seeks to work within the existing framework and continues to limit CBDT activity for PI and important data.

As mentioned above, “important data” is a term that is still not clearly defined in China’s data protection legislation, which has created uncertainty for companies. The draft regulations for easing CBDT released in October provide a stop-gap solution for this problem by proposing that if data has not been explicitly defined as “important” by relevant government departments, then a company is not required to undergo a security assessment (as is required under CBDT regulations) to export it.

Notably, the plan also calls for the Shanghai FTZ to “take the lead” in formulating an “important data catalog”, based on the data classification and hierarchical data protection system outlined in related regulations. If such a catalog is created, it will go a long way to providing clear parameters for companies to operate within. It will also reinforce the Shanghai FTZ’s position as a business-friendly destination for foreign investors.

CBDT “Single Window”

The plan proposes the construction of a so-called “Shanghai International Trade ‘Single Window’” system specifically for CBDT, a type of digital system for processing CBDT similar to the one that exists for handling international trade procedures.

The authorities will seek to ensure that the Single Window for CBDT is compatible and interoperable with other systems by adopting internationally recognized standards and accessible open standards. The plan also states that the data exchange systems will be developed with international cooperation and that the Shanghai FTZ will “jointly develop pilot projects for data exchange systems”.

The plan also notes that this must all be done “with the assurance of data security”.

The plan to develop a Single Window system for data flows may be an effort to align the Shanghai FTZ’s data regime with the requirements of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and Digital Economy Partnership Agreement (DEPA) – two trade agreements that China is seeking to join.

Assuring cross-border data flows for companies

The plan strives to assure companies that they are allowed to export data overseas within the Shanghai FTZ. However, the related clauses stopped short any tangible changes that would facilitate CBDT.

For instance, it states that “if companies and individuals really need to provide data overseas due to business needs, and they meet national CBDT security management requirements, they can provide it overseas”. This wording appears to uphold the current regulatory framework for CBDT, rather than make concessions.

On the other hand, the plan calls for supporting the Shanghai FTZ in creating an “important data catalog” in accordance with data classification and hierarchical protection systems.

The plan calls for “exploring the establishment of legal, safe and convenient cross-border data flow mechanisms” and “improving the convenience of cross-border data flow”, although it does not elaborate on what these mechanisms would be.

Finally, the plan proposes providing more assistance to companies to navigate CBDT rules and regulations, which include providing guidance for conducting self-assessments of data export risks, improving their data security management capabilities and levels through certification, and forming standards or best practices that meet PI protection requirements.

Further easing ahead in 2024

In addition to the statement reportedly given to von der Leyen during the EU-China Summit, the government also mentioned the need to facilitate cross-border data flows during the 2023 Central Economic Work Conference (CEWC), held on December 11 and 12 in Beijing.

Related Reading
China Cybersecurity and Data Protection Regulations – 2023 Recap and 2024 Outlook

The CEWC is an annual economic conference presided over by President Xi Jinping. It sets economic policy direction for the year to come, which is developed into more concrete policy measures during the Two Sessions meetings in March.

According to the readout of the CEWC, officials this year discussed a range of potential measures to attract more foreign investment in China in the coming year. It specifically states that efforts should be made to “actively respond to the demands of foreign-invested enterprises” which include “conscientiously resolving issues, such as cross-border data flows”.

Though it does not provide specific details, the mention of this as a key issue signals China’s commitment to provide clarity and improve the regulatory environment, potentially signaling further easing to come in 2024.

About Us

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.

Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, Dubai (UAE), and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.