By: Lester Ross, Kenneth Zhou, and Tingting Liu
On March 22, 2024, the Cyberspace Administration of China (“CAC”) promulgated the final version of the Provisions on the Promotion and Regulation of Cross-Border Data Flows (the “Final Provisions”), bringing to conclusion the consultative process initiated with the release of the draft version on September 28, 2023. A discernible shift in nomenclature—from “Regulation and Promotion” to “Promotion and Regulation”—within the Final Provisions signifies, at least nominally, a strategic pivot toward prioritizing the facilitation of international data flows over stringent control and restrictions. This would be consistent with the old and new State Council’s 24-article liberalizations.
Notably, the preface in the Final Provisions states that the CAC formally approved the Provisions on November 28, 2023. The rationale for the subsequent four-month delay in publication remains unclear, despite widespread anticipation since the draft fueled an expectation that the Final Provisions would substantially alleviate the compliance burdens confronting countless enterprises engaged in cross-border data transactions. The promulgation of the Final Provisions appears to coincide strategically with the date of the high-profile China Development Forum, sending a positive signal to multinationals (“MNCs”), CEOs and international investors that China is committed to fostering a more hospitable environment to attract foreign investment, as indicated in various policy documents.
The Final Provisions significantly soften the existing data export compliance rules by 1) carving out certain common data export scenarios from all filing requirements; 2) raising the thresholds for triggering filing obligations; 3) narrowing down the scope of Important Data; and 4) establishing a more flexible policy space for exercising negative-list management in free trade zones (“FTZ”) where many foreign-invested enterprises are registered.
Compliance Requirements Predating the Final Provisions:
To look back, the current data export security compliance regime is underpinned by three alternative pillars: (i) a mandatory CAC-led data export security assessment when certain thresholds are crossed (initial reviews to be conducted by CACs at the provincial level and final review to be conducted by the CAC at the central level), (ii) PI standard contract clauses (“SCC”) filing with CACs at the provincial level, or (iii) PI protection certification (“PIPC”) by third-party professional PI protection certification firms designated by the CAC.
Under the rules predating the Final Provisions, the mandatory data security assessment applies to (a) critical information infrastructure operators (“CIIOs”); (b) Important Data; (c) when PI of more than 1 million individuals is processed; and (d) when cumulative PI of 100,000 individuals or Sensitive PI of 10,000 individuals has been exported since January 1st of the previous year.
When a non-CIIO data processor processes and exports PI under the “1 million/100,000/10,000” thresholds, it is still subject to an SCC filing or PIPC. As a practical matter, MNCs are unlikely to be designated as CIIOs, and they are unlikely to process Important Data except in the instance where the number of individuals whose PI is processed exceeds 1 million, in which case the PI is deemed to constitute Important Data.
The previous rules did not provide for any exemptions, which means that a large number of MNCs would at least need to file for an SCC or conduct PIPC when they exchange information that contains PI with their overseas parent, affiliates or counterparts.
Exemptions to Filing Requirements:
The Final Provisions provide for specific conditions under which cross-border data transfers are exempted from the three regulatory compliance obligations altogether. There are two types of exemptions, namely, exemptions based on scenario and exemptions based on volume.
Exemption based on scenario: Data that falls under the following scenarios is no longer subject to the aforementioned regulatory requirements when it crosses borders, regardless of the volume of the transfer:
- Data collected and generated in international trade, cross-border transportation, academic cooperation, multinational production manufacturing, and marketing activities provided to overseas entities that do not contain PI or Important Data. This means that the export of production, business, financial and operational data of MNCs in China to their overseas affiliates is not subject to any filing requirement unless such data contains PI or Important Data;
- Re-exported PI generated or collected from overseas after processing in China, provided that such re-exported PI does not integrate PI from China or Important Data;
- PI transferred overseas necessary for the execution or performance of a contract with an individual party, such as cross-border shopping, cross-border mailing, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa application, examination services, etc.;
- Cross-border human resource (“HR”) management necessary for implementing legally established labor rules and legally signed collective contracts requiring the provision of employees’ PI overseas;
- In emergencies, PI necessary for protecting the life, health, or security of property of natural persons.
Exemption based on volume:
- Data processors, other than CIIOs, providing non-Sensitive PI of fewer than 100,000 individuals overseas from January 1st of the current year.
Thresholds for Filing Requirements:
Outside the above-mentioned exempted scenarios, the Final Provisions specify the conditions for mandatory security assessment, which applies to:
- CIIOs exporting PI or Important Data;
- Data processors, other than CIIOs, exporting Important Data; or
- Data processors, other than CIIOs, exporting non-Sensitive PI of more than 1 million individuals or Sensitive PI of more than 10,000 individuals from January 1st of the current year.
The Final Provisions also clarify the conditions under which an SCC or PIPC still applies:
- Data processors, other than CIIOs, exporting non-Sensitive PI of more than 100,000 individuals but fewer than 1 million individuals; or
- Data processors, other than CIIOs, exporting Sensitive PI of fewer than 10,000 individuals from January 1st of the current year.
It should be noted that while the SCC and PIPC volume thresholds have been raised for non-CIIO companies—to encompass the export of non-Sensitive PI involving 100,000 individuals or more—no such volume thresholds have been established for the export of Sensitive PI. This means that any export of Sensitive PI would at least mandate an SCC or PIPC, if not a security assessment when the volume reaches 10,000 individuals, unless it qualifies for a specific exemption based on a specified scenario, such as being necessary for fulfilling or performing cross-border contractual obligations or for managing cross-border HR, as indicated above. MNCs are thus compelled to rigorously justify the necessity of each cross-border transfer of Sensitive PI, or else face the original burdensome regulatory filing requirements that predate the Final Provisions. Sensitive PI generally includes such data as an individual’s ID/passport information, bank account and personal property information, biometric information (such as photo, fingerprints, etc.), medical records and similar items. This adjustment will likely lead to fewer transfers of Sensitive PI overseas by MNCs unless absolutely necessary.
Important Data
A positive development is that the Final Provisions for the first time clarify that unless data processors are informed by relevant industry regulators or local governments that relevant data constitutes Important Data or is defined as Important Data in the published rules, data processors do not need to treat any data as Important Data or conduct a data export security assessment.
Negative List in Free Trade Zones
Critically, Pilot FTZs will be authorized to establish a “Negative List” regime and all future data export activities not covered in such Negative Lists would no longer be subject to data export security assessment, SCC filings or PIPC requirements. Pilot FTZs may strive to compete by offering a broader “Negative List”.
Conclusion
The Final Provisions are poised to significantly alleviate the compliance burdens facing MNCs in navigating the complexities of data export regulations. The Provisions have streamlined the requirements and introduced pragmatic exemptions based on scenario and volume. This will significantly ease the burden facing a typical MNC operating in China, and will be welcomed by the business community domestically and internationally.
This article was first published by WilmerHale.