On March 22, 2024, the Cyberspace Administration of China (CAC) officially issued the Regulations on Promoting and Regulating Data Cross-Border Flow (hereinafter referred to as the Regulations), which came into force upon announcement. Building upon the draft of Regulations on Regulating and Promoting Data Cross-Border Flow released on September 28, 2023, the Regulations introduce a series of enhancements aimed at refining the framework for data export security assessments, entering into standard contracts (SCCs), and obtaining personal information (PI) protection certification. The key points are as follows:
1. The Regulations underscore the criticality of identifying key data, creating a direct linkage with the Rules for Data Classification and Grading.
Under the Regulations, data processors are mandated to identify and report key data. Data not notified or designated as key data by relevant authorities or regions are not required to be declared for data export security assessment.
The process for identifying key data is guided by the Data Security Technology - Rules for Data Classification and Grading (hereinafter referred to as the Rules for Data Classification and Grading), issued on March 21. Notably, the exemption for PI under Article 5 does not extend to sensitive PI, consistent with the data grading rules stipulated in the Rules for Data Classification and Grading.
Furthermore, differing from the draft, Article 6 of the Regulations specifies that Free Trade Zones are obligated to compile a negative list of data, which falls within the scope of the national data classification and grading protection framework. This list is to be enforced in accordance with the Rules for Data Classification and Grading.
2. The Regulations stipulate conditions that qualify data export activities for exemptions from security assessments, the execution of SCCs, and the acquisition of PI protection certification.
Outlined within the Regulations are distinct scenarios in which data export activities may bypass the need for security assessments, SCCs, and PI protection certification. These scenarios encompass: (1) data arising from international trade, cross-border transportation, academic collaboration, transnational production, and marketing that are shared overseas, provided they do not contain PI or key data; (2) PI gathered and created by data processors outside of China and then disseminated internationally after being processed domestically, as long as no domestic PI or key data are involved; (3) PI that is necessary to be shared overseas for the formation or fulfillment of a contract where the individual is a contracting party; (4) cross-border human resource management conducted in compliance with legal labor policies and collective agreements, requiring the transfer of employee PI; (5) instances where PI must be shared internationally in emergency situations to safeguard the life, health, and property of individuals; (6) data processors, other than critical information infrastructure operators (CIIOs), who cumulatively transfer the PI of fewer than 100,000 individuals overseas (sensitive PI excluded) starting from January 1 of the current year; (7) data processors in Free Trade Zones transferring data outside of the stipulated negative list to foreign entities.
It is worth noting that Article 5 in the Regulations revises the exemption criteria for data processors, aside from CIIOs, as compared to the draft. Firstly, it alters the timeframe from "within the estimated year" to "from January 1 of the current year," thereby increasing operational feasibility; secondly, the threshold for the volume of PI has been lowered from "fewer than 10,000 individuals" to "fewer than 100,000 individuals," while explicitly excluding sensitive PI, thus balancing the facilitation of cross-border data flow with the safeguarding of PI security.
3. The Regulations adjust the conditions for mandatory data export security assessments, SCC execution, and PI protection certification.
Compared to the draft, the Regulations provide clearer and more explicit guidelines for mandatory data export security assessments, SCC execution, and PI protection certification. Specifically, the Regulations differentiate data processors based on whether they are CIIOs and apply different standards accordingly. Meanwhile, the Regulations now measure transfer volumes over a retrospective time range rather than by forward-looking estimates, the quantity thresholds have been moderately relaxed, and stronger emphasis is placed on the exceptional protection of sensitive PI.
4. The validity period of data export security assessment has been extended.
Article 9 of the Regulations extends the validity period of data export security assessment to three years, starting from the date of issuance of the assessment result. It also allows data processors to apply for an extension before the expiration, further facilitating data processors in conducting data export activities.