China Released New Regulations to Ease Requirements for Outbound Cross-Border Data Transfers


On March 22, 2024, the Cyberspace Administration of China (the "CAC") issued the highly anticipated final Regulations on Promoting and Regulating Cross-Border Data Flows (the "Regulations on Cross-Border Data Flows"), effective immediately. The CAC issued a Q&A along with the new regulations that addresses and clarifies certain questions.

The Regulations on Cross-Border Data Flows build upon the previous draft Regulations on Regulating and Promoting Cross-Border Data Flows (Draft for Comment) issued by the CAC on September 28, 2023 (the "September 2023 Draft"). Aiming to ease compliance burdens and facilitate cross-border data flows, the Regulations on Cross-Border Data Flows introduce substantial changes to the current rules on filings and security assessments of cross-border data transfers, including exemptions from and higher thresholds for filing standard contracts for outbound cross-border data transfers (the "Standard Contract"), applying for personal information protection certifications and conducting the mandatory data security assessment.

This client alert discusses the key changes introduced by the Regulations on Cross-Border Data Flows and the potential impact on companies' cross-border data transfers and compliance practices.

Key Changes Introduced by the Regulations on Cross-Border Data Flows

The Regulations on Cross-Border Data Flows introduce the following key changes to ease compliance requirements for outbound cross-border data transfers:

Exemptions for outbound transfers of specific types of data

According to the Regulations on Cross-Border Data Flows, outbound transfers of data in the following six circumstances are not required to go through a Standard Contract, a personal information protection certification or a data security assessment:

  1. Fewer than 100,000 individuals: The outbound transfer of personal information (excluding sensitive personal information) of fewer than 100,000 individuals to overseas recipients cumulatively since January 1 of the current year by data processors other than critical information infrastructure operators (the "CIIOs") is exempted. [1] Compared to the September 2023 Draft, the threshold triggering a Standard Contract/personal information protection certification is raised from exporting personal information of 10,000 individuals to 100,000 individuals.
  2. Necessary for contracts: The outbound transfer of personal information of individuals necessary for executing and performing contracts to which such individuals are parties, including contracts for cross-border shopping, cross-border mailing and delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing, and examination services, is exempted. [2]
  3. Necessary for human resource management: The outbound transfer of employees' personal information necessary for implementation of cross-border human resource management in accordance with labor rules and regulations developed, and collective contracts executed, in accordance with the law is exempted. [3] It is important to note that the scope of personal information falling within this category should still comply with the principle of "minimum and necessary" as mandated by the Personal Information Protection Law of the People's Republic of China.
  4. Emergency situations: The outbound transfer of personal information necessary to protect the life, health and property of a natural person in an emergency situation is exempted. [4]
  5. Data that do not include personal information or important data: The outbound transfer of data collected and generated during international trade, cross-border transportation, academic cooperation, transnational production and manufacturing, and marketing activities that do not include personal information or important data, is exempted. [5]
  6. Personal information collected and generated outside of China: Personal information collected and generated abroad by data processors, which is then transmitted to domestic locations for processing before being transferred outbound and does not involve the introduction of domestic personal information or important data during the processing, is exempted. [6]

Exemption based on "negative lists" established by pilot free trade zones

Under the Regulations on Cross-Border Data Flows, pilot free trade zones have the authority to create their own lists of data that require data security assessment, Standard Contract or personal information protection certification (the "Negative List"). The outbound transfer of data that are not included on the Negative List is exempted from these requirements. [7]

No significant relaxation for cross-border transfer of sensitive personal information

Notably, there has been no significant relaxation in the regulatory requirements concerning the cross-border transfer of sensitive personal information. For data processors other than CIIOs, a Standard Contract or a personal information protection certification is needed for the outbound transfer of any sensitive personal information unless the transfer falls under one of the enumerated exemptions mentioned above. If data processors other than CIIOs transfer sensitive personal information of more than 10,000 people out of China, or a CIIO transfers any personal information (including sensitive personal information) out of China, a data security assessment is required.

Overall, we summarize in the following table the thresholds and circumstances for the Standard Contract filing, personal information protection certification and data security assessment.

Type of Entity: CIIO
  Data Security Assessment:
    • Outbound cross-border transfer of important data
    • Outbound cross-border transfer of any personal information [8]
  Standard Contract or Personal Information Protection Certification:
    Not Applicable

Type of Entity: Non-CIIO
  Data Security Assessment:
    • Outbound cross-border transfer of important data
    • Outbound cross-border transfer of personal information of more than 1,000,000 individuals
    • Outbound cross-border transfer of sensitive personal information of more than 10,000 individuals [9]
  Standard Contract or Personal Information Protection Certification:
    • Outbound cross-border transfer of personal information of more than 100,000 but fewer than 1,000,000 individuals
    • Outbound cross-border transfer of sensitive personal information of fewer than 10,000 individuals [10]

*The calculation period starts from January 1 of the current year, based on the number of individuals involved after deduplication.

*The calculation should exclude the data exempted under Articles 3, 4, 5 and 6 of the Regulations on Cross-Border Data Flows. [11]

This new regulation extends the validity period of the data security assessment from two years to three years, starting from the date of issuance of the assessment results. Data processors can apply for an additional three-year extension of the assessment results. [12]

The Regulations on Cross-Border Data Flows clarify that these new regulations shall apply if they are inconsistent with the Measures for the Security Assessment of Outbound Data Transfer (July 7, 2022) and the Standard Contract Measures for Outbound Transfer of Personal Information (February 22, 2023) or other relevant provisions. [13] The CAC's Q&A for the Regulations on Cross-Border Data Flows clarifies that data processors who have already applied for a data security assessment, or filed the Standard Contract but are not required to undergo these processes according to these new regulations, can either continue with the processes or withdraw their applications or filings from the provincial-level CAC. [14]

The Regulations on Cross-Border Data Flows are intended to ease the burden of compliance requirements for cross-border data transfers and are considered part of China's efforts to stimulate economic growth and attract foreign investments. It is expected that significantly fewer companies will need to go through the Standard Contract filing, personal information protection certification or data security assessment under these new regulations. However, with fewer resources needed for handling the filings and approvals of cross-border data transfers, it is possible that the regulatory authorities may devote more resources to enforcement of the regulations. Therefore, it is important for data processors to conduct data mapping and implement data tracking mechanisms to effectively monitor and assess the volume of personal information and important data (if any) transferred out of China for compliance with these new regulations.

[1] The Regulations on Cross-Border Data Flows, Article 5(4).
[2] The Regulations on Cross-Border Data Flows, Article 5(1).
[3] The Regulations on Cross-Border Data Flows, Article 5(2).
[4] The Regulations on Cross-Border Data Flows, Article 5(3).
[5] The Regulations on Cross-Border Data Flows, Article 3.
[6] The Regulations on Cross-Border Data Flows, Article 4.
[7] The Regulations on Cross-Border Data Flows, Article 6.
[8] The Regulations on Cross-Border Data Flows, Article 7(1).
[9] The Regulations on Cross-Border Data Flows, Article 7(2).
[10] The Regulations on Cross-Border Data Flows, Article 8.
[11] The CAC's Q&A regarding the Regulations on Cross-Border Data Flows, answer to Question 11.
[12] The Regulations on Cross-Border Data Flows, Article 9.
[13] The Regulations on Cross-Border Data Flows, Article 13.
[14] The CAC's Q&A regarding the Regulations on Cross-Border Data Flows, answer to Question 14.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP





 
