China’s Proposed Measures to Ease Cross-Border Data Management for MNCs

Posted by Written by Yi Wu Reading Time: 5 minutes

We provide an overview of the current cross-border data transfer requirements in China and regulatory initiatives to facilitate cross-border data management for multinational corporations (MNCs) in order to improve the country’s overall foreign investment environment.

On August 13, 2023, China’s State Council issued the Opinions on Further Optimizing the Foreign Investment Environment and Enhancing the Attraction of Foreign Investment (the “Opinions”) (“国务院关于进一步优化外商投资环境加大吸引外商投资力度的意见”). Among the 24 measures proposed to improve business environment and attract foreign investment, there is one policy concerning cross-border data transfer.

Recognizing the challenges faced by foreign companies when exporting data, one of the 24 proposed measures recommends the creation of a more secure and efficient data export mechanism. This initiative aims to simplify the process, making it easier for foreign companies to export their data internationally.

In this article, we summarize the current requirements on cross-border data transfer and delve into the potential improvements introduced by the Opinion.

China’s current data transfer regulation framework

In the last five years, China has introduced significant data protection legislation, such as the Cybersecurity Law (CSL) on June 1, 2017, the Personal Information Protection Law (PIPL) on November 1, 2021, and the Data Security Law (DSL) on September 1, 2021. These laws are also accompanied by various implementation regulations and administrative guidance.

Find Business Support
De-Risk Your Business with Multi-disciplinary Review and Legal Advisory

While these regulations foster greater data protection, they have also created some barriers for business operations, especially global companies operating in China. Some have expressed frustration over unclear mandates and slow administrative processes. Foreign businesses have been paying special attention to the cross-border data transfer requirements, as data flow across borders could be necessary and of high frequency during their daily operations.

Under China’s current data regulations, personal information (PI) or important data collected from subjects in China must be stored domestically. Companies that wish to export over these data overseas are required to take certain steps to get approval. This may include a security assessment by the Cybersecurity Administration of China (CAC), PI protection certification by a professional institution, signing a standard contract with the overseas recipient of the PI, or meeting other unspecified requirements, depending on the volume and sensitivity of the data to be transferred.

Data export security assessment mechanism

According to the Measures of Security Assessment for Data Export, effective since September 1, 2022, companies must undergo a data export security assessment  by the CAC if they wish to export data under any of the following scenarios:

  • Data processors providing important data overseas.
  • Critical information infrastructure operators (CIIOs) and data processors that process PI of more than 1 million people providing PI overseas.
  • Data processors that have transferred the PI of over 100,000 people or the sensitive PI of over 10,000 people overseas since January 1 of the previous year.
  • Other situations required to declare data export security assessment as stipulated by the CAC.

Notably, data export security assessment presents a rigorous evaluation standard and a relatively time-consuming review process. Since the enactment of the Measures of Security Assessment for Data Export, the CAC and local cyberspace administrations, including those in Beijing, Shanghai, Jiangsu, and Zhejiang, have been actively engaging in clarifying and streamlining the security review process.

PI protection certification mechanism

The PI protection certification is a security mechanism for cross border data transfer as outlined in Article 38 of the PIPL. On November 8, 2022, the National Information Security Standardization Technical Committee introduced the Practice Guide for Cybersecurity Standards – Outbound Transfer Certification Specification V2.0 for Cross-border Processing of Personal Information (Exposure Draft)outlining the requisites and procedures for the PI protection certification.

Building on this, on March 16, 2023, the National Information Security Standardization Technical Committee released the national standard Information Security Technology – Certification Requirements for Cross-border Transmission of Personal Information (Exposure Draft) for public review. This initiative aims to further enhance the framework for establishing a certification system concerning cross-border transfer of personal information.

This method is only applicable to companies that engage in the cross-border data transfer of a relatively small volume of PI and are not involved in scenarios where a data export security assessment with the CAC is required.

Standard contract mechanism

Article 38 of the PIPL establishes the standard contract as a key tool for legal cross-border transfer of personal information. Effective from June 1, 2023, the Measures on the Standard Contract for Outbound Transfer of Personal Information outline essential terms, encompassing the scope, types, sensitivity, quantity, retention period, and storage location of exported personal information as well as measures to prevent data security risks.

On May 30, 2023, the CAC issued the Guidelines for Filing of Standard Contract for Outbound Transfer of Personal Information (First Edition), offering detailed procedures, timeframes, required materials, and outcome details for standard contract filing. Provincial cyberspace administrations also issued comprehensive guidelines to support local companies in fulfilling standard contract filing obligations, including Beijing, Zhejiang, and Liaoning.

Similar to the PI protection certification mechanism, this method is only applicable to companies that engage in the cross-border data transfer of a relatively small volume of PI and are not involved in scenarios where a data export security assessment with the CAC is required.

What are the proposed improvements?

The Opinions call for establishing “green channels” for qualified foreign invested enterprises (FIEs), which would presumably facilitate cross-border PI transfer procedures.

Find Business Support
Complete Cybersecurity and Data Compliance Solutions for your Asia Business ⟶

In addition, they require authorities to “efficiently carry out security assessments for the export of important data and personal information”.

Moreover, they propose to run a pilot program with looser data export restrictions and identify a list of “general data” that can be freely transferred in specific regions like Beijing, Tianjin, Shanghai, and the Guangdong-Hong Kong-Macao Greater Bay Area. This also entails creating a dedicated compliance service platform for cross-border data transfers and supporting regions with significant foreign investment.

What is the impact of the proposed improvements?

Although the current data regulations have laid out the framework for cross-border data transfers, the implementation of these laws has encountered challenges. For example, Shanghai’s cyberspace regulator has received over 400 assessment reports but approved only a mere 0.5 percent of them by the end of April 2023.

The approval process is slowed down by unclear review criteria, differences in understanding between regulators and companies regarding the necessity of data transfers, and concerns over compliance costs, communication with overseas recipients, and regulatory ambiguity.

This situation is affecting various businesses beyond just multinational corporations, including Chinese companies listed overseas and those in data-rich sectors, such as retail, internet, healthcare, automotive, civil aviation, and finance.  has a direct impact on the capital-raising efforts and international listings of Chinese companies. Additionally, the cautious approach adopted by domestic data providers, driven by regulatory concerns, hampers foreign investors’ capacity for thorough due diligence.

Although specific implementation details are yet to be disclosed, the provisions related to data export in the Opinions’ 24 measures offer encouraging signals for foreign investments and international stakeholders.

The streamlined process would not only optimize cross-border data flows but also potentially reduce administrative complexities and associated costs, thereby fostering a more conducive environment for foreign investment in China. As multinational corporations increasingly rely on cross-border data transfers for critical business functions, the Opinions’ focus on facilitating these transfers signifies a progressive approach that acknowledges the pivotal role data plays in modern business operations. This approach, if well-executed, could further position China as an attractive destination for foreign investment by offering a more seamless and predictable regulatory framework for cross-border data management.

How should businesses deal with uncertainties in China regarding cross-border data transfer?

Industries heavily reliant on extensive data analysis, such as artificial intelligence, stand to gain from the streamlined cross-border data transfer measures. Nevertheless, multinational companies should stay attentive to data export compliance within their daily operations and stay informed about legislative and regulatory advancements in China. Foreign investors and FIEs should monitor the progress of the respective systems and seek advice from their advisors and relevant authorities for compliance-related queries.

For multinational companies engaged in business with China, the following compliance measures are recommended to ensure smooth cross-border data transfers:

  • Assess whether proposed data transfers require mandatory CAC security assessment.
  • Engage professional help to prepare necessary documentation, like cross-border data transfer agreements and self-assessment reports.
  • Develop consent mechanisms, privacy notices, and consent forms for proper data collection and processing.
  • Designate a qualified data protection personnel in China and conduct internal training for compliance understanding.
  • Create strategies to mitigate and report data breaches and potential risks.

The evolving regulatory landscape also presents business opportunities, as compliance projects related to data privacy regulations in mainland China are gaining prominence. At China Briefing, we will monitor the implementation of the Opinions and provide analysis of subsequent updates.

About Us

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong.

Please contact the firm for assistance in China at china@dezshira.com. Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, Dubai (UAE), and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.