Amanda Guo: Navigating CAC's New Rules Easing Cross-Border Data Flows

On 19th March 2024, the Chinese government announced the issuance of a notice titled "Circular of the General Office of the State Council on Issuing the Action Plan for Solidly Promoting High-level Opening-up and Increasing Efforts to Attract and Utilize Foreign Investment" (“Circular”). This Circular underscores the government's commitment to intensifying policy measures aimed at enhancing the attractiveness of foreign investment in China. The action plan, comprising twenty-four measures across five key areas, reflects a strategic move by the Chinese authorities to foster economic development and strengthen connections with international markets. Amongst others, the government supports the flow of data between foreign-invested enterprises and their headquarters, while also regulating cross-border data security management. Furthermore, the government aims to strengthen regulations for cross-border data flow and establish comprehensive rules, including scientifically defining the scope of important data.

In response to this Circular, the Cyberspace Administration of China (“CAC”) three days later, on 22 March 2024, released the final Provisions on Facilitating and Regulating Cross-Border Data Flow (促进和规范数据跨境流动规定 in Chinese, the “Provisions”), aiming to loosen data protection burdens faced by the country’s foreign investment environment and address compliance difficulties faced by businesses under the current legal regime. 

These Provisions introduce several significant changes to the existing regulatory framework for cross-border data transfers, aimed at easing restrictions and clarifying the requirements for businesses operating in and with China.

Key Highlights Include:

• Exemptions to existing cross-border data transfer compliance obligations: Several circumstances are identified where cross-border data transfers would not require going through any of the following data export procedures, i.e. Security Assessments, Personal Information Certification, or Standard Contracts Filing, which include:

• Data transfers related to international trade and transportation, academic cooperation, cross-border manufacturing or marketing that do not contain personal information or Important Data;

• Necessary transfers for performance of contracts involving natural persons;

• Transfer of employee data in line with labor policies and collective contracts;

• Transfer of personal information by non- Critical Information Infrastructure Operators (“CIIOs”) involving fewer than 100,000 individuals' personal information (excluding sensitive personal information) within a period calculated from 1 Jan of the same year till now;

• Transfer of personal information not collected or generated within the PRC;

• Transfers necessary for protecting health and safety in emergencies; and

• Data transfers by entities incorporated within Free Trade Zones (“FTZs”) that involve data not included on Negative Data Lists to be promulgated by such FTZs.

• Clarification on Important Data: The Provisions aim to clarify what constitutes "Important Data", indicating that data handlers are not required to treat data as "Important Data" unless it is specifically categorized as such by the Chinese government. This is a significant and much welcomed move towards reducing the ambiguity that has previously surrounded the identification and handling of Important Data. The Provisions also encourage data processors to identify and declare Important Data in accordance with relevant regulations.

• Heightened Security Assessment Threshold for Personal Information: The Provisions suggest that only CIIOs and companies expecting to export personal information of more than one million individuals or sensitive personal information of more than 10,000 individuals within a period calculated from 1 Jan of the same year till now would need to undergo a Security Assessment. This is a change from the existing regulations on data transfers, which has a much lower threshold for triggering a Security Assessment.

• Special Negative Data Lists within FTZs: The Provisions allow FTZs to formulate their own Negative Data Lists, determining what types of cross-border data transfers are subject to mandatory data export procedures. This could potentially offer more relaxed cross-border data transfer requirements for businesses operating within these zones and attract new multi-national companies (“MNCs”) to operate within these zones.

Implications for MNCs:

• The Provisions will substantially reduce the compliance burden for MNCs and their operations in China. Businesses engaged in less sensitive data transfers, or those transferring data under the outlined exemptions, could see streamlined procedures and lower compliance costs. 

• Furthermore, while these exemptions could relieve some of the operational burdens, they do not eliminate the need for compliance with the broader spectrum of PRC data protection laws. Companies must still ensure they have a lawful basis for data processing, provide necessary information notices, take technical measures and other necessary measures, and conduct impact assessments for cross-border data transfer activities.

• As suggested by the press release on the Provisions, these Provisions mark a significant step in China's efforts to balance data security with economic openness. Businesses operating in China or processing Chinese data should prepare for these changes, considering how they might impact their data transfer and protection strategies.