Overview of Updated Guidelines for Cross-Border Data Flow Regulations in China

CHANG TSI
Insights

March28
2024

On March 22, 2024, the Cyberspace Administration of China (CAC) released the Regulations on Promoting and Regulating the Cross-Border Flow of Data (hereinafter referred to as “the Regulations”), along with the updated Guidelines for the Application of Data Export Security Assessment (Second Edition)” (hereinafter referred to as “the Guidelines for the SA (Ver. 2)”) and “Guidelines for the Filing of Standard Contracts for the Transfer of Personal Information (Ver.2)” (hereinafter referred to as “the Guidelines for SCC Filing (Ver.2)”). These documents provide detailed guidance for data processors undertaking data export activities in accordance with the Regulations. Both the Guidelines for the SA (Ver. 2) and the Guidelines for SCC Filing (Ver.2) have been revised based on their initial editions to align with the formally enacted Regulations, thereby enhancing the processes of security assessment and SCC filing for greater efficiency and compliance. Below is a brief explanation of the core content of the two guidelines:

1. Update on Applicable Scope

Both the Guidelines for the SA (Ver. 2) and the Guidelines for SCC Filing (Ver.2) have updated their scope of application to reflect the scope of the Regulations.

It is imperative for overseas data processors to recognize that instances adhering to Article 3, Section 2 of the Personal Information Protection Law (PIPL)—specifically, the processing of PI of individuals located within China's territory—are now classified as data export activities. Consequently, overseas entities processing such PI are now subject to the supervision of cross-border data transfer (CBDT) and must pay heightened attention to the relevant policies and legal requirements.

2. Improvement of Declaration/Filing Process

The newly updated guidelines have introduced dedicated online platforms for data processors, specifically launching the data export declaration system (https://sjcj.cac.gov.cn), to streamline the submission process. Nonetheless, for critical information infrastructure operators (CIIOs) or entities for whom online declaration is not feasible, the procedure of submitting hard copies along with their digital versions in an offline mode remains in place.

Furthermore, the Guidelines for the SA (Ver. 2) specifies a more transparent and open assessment process by stipulating that when the provincial-level CAC notifies data processors of the results of the completeness check, it is also required to provide explicit reasons for any non-compliance, thereby enhancing clarity and accountability in the assessment procedure. 

3. Improvement of Declaration/Filing Documentation

The updated guidelines significantly enhanced the efficiency of the review process providing explicit instructions on the formatting of declaration documents and assessment reports. These instructions cover detailed requirements regarding language use, typography, and page layout, ensuring that submissions are both standardized and accessible.

Moreover, the Guidelines for the SA (Ver. 2) has refined the content of the declaration form to focus only on essential information. Meanwhile, it simplifies responses to a checkbox format for the majority of queries. For data processors engaged in CBDT across multiple scenarios, the revised process necessitates only a single declaration form, wherein specific details relevant to each scenario can be outlined separately. These adjustments can significantly improve the efficiency of the review process.

On March 22, 2024, the Cyberspace Administration of China (CAC) released the Regulations on Promoting and Regulating the Cross-Border Flow of Data (hereinafter referred to as “the Regulations”), along with the updated Guidelines for the Application of Data Export Security Assessment (Second Edition)” (hereinafter referred to as “the Guidelines for the SA (Ver. 2)”) and “Guidelines for the Filing of Standard Contracts for the Transfer of Personal Information (Ver.2)” (hereinafter referred to as “the Guidelines for SCC Filing (Ver.2)”). These documents provide detailed guidance for data processors undertaking data export activities in accordance with the Regulations. Both the Guidelines for the SA (Ver. 2) and the Guidelines for SCC Filing (Ver.2) have been revised based on their initial editions to align with the formally enacted Regulations, thereby enhancing the processes of security assessment and SCC filing for greater efficiency and compliance. Below is a brief explanation of the core content of the two guidelines:

1.    Update on Applicable Scope

Both the Guidelines for the SA (Ver. 2) and the Guidelines for SCC Filing (Ver.2) have updated their scope of application to reflect the scope of the Regulations.

It is imperative for overseas data processors to recognize that instances adhering to Article 3, Section 2 of the Personal Information Protection Law (PIPL)—specifically, the processing of PI of individuals located within China's territory—are now classified as data export activities. Consequently, overseas entities processing such PI are now subject to the supervision of cross-border data transfer (CBDT) and must pay heightened attention to the relevant policies and legal requirements.

2.    Improvement of Declaration/Filing Process

The newly updated guidelines have introduced dedicated online platforms for data processors, specifically launching the data export declaration system (https://sjcj.cac.gov.cn), to streamline the submission process. Nonetheless, for critical information infrastructure operators (CIIOs) or entities for whom online declaration is not feasible, the procedure of submitting hard copies along with their digital versions in an offline mode remains in place.

Furthermore, the Guidelines for the SA (Ver. 2) specifies a more transparent and open assessment process by stipulating that when the provincial-level CAC notifies data processors of the results of the completeness check, it is also required to provide explicit reasons for any non-compliance, thereby enhancing clarity and accountability in the assessment procedure. 

3.    Improvement of Declaration/Filing Documentation

The updated guidelines significantly enhanced the efficiency of the review process providing explicit instructions on the formatting of declaration documents and assessment reports. These instructions cover detailed requirements regarding language use, typography, and page layout, ensuring that submissions are both standardized and accessible.

Moreover, the Guidelines for the SA (Ver. 2) has refined the content of the declaration form to focus only on essential information. Meanwhile, it simplifies responses to a checkbox format for the majority of queries. For data processors engaged in CBDT across multiple scenarios, the revised process necessitates only a single declaration form, wherein specific details relevant to each scenario can be outlined separately. These adjustments can significantly improve the efficiency of the review process.

Related News