Positive Step: Draft Provisions Aimed to Ease Cross-border Data Transfer Rules

On 28 September 2023, the Cyberspace Administration of China (“CAC”) released the draft Provisions on Regulating and Facilitating Cross-Border Data Transfers. Having already received feedback from key experts and industry leaders, the draft is open for public comment until 15 October 2023. On average, the comment collection period lasts one month, but in this case it was reduced to approximately two weeks, reflecting CAC’s eagerness to expedite the implementation.

The released draft can be seen as a clarification of the cross-border data transmission regulations published earlier this year. Those regulations raised many questions, and as a result many companies were left to self-regulate based on their own understanding, exposing themselves to risk. Highlighting the complicated implementation, the majority of Western media referred to the new regulations as China “creating information black box”. The draft regulations are aimed at clarifying and relaxing the previously issued requirements.

The Draft

If the current version of the draft is enacted, it would grant full exemptions from the requirements to enter into a Standard Contract, undergo a security assessment by the Cyberspace Administration of China (CAC), or obtain personal information (PI) protection certification for certain Cross-border Data Transfers (CBDTs), including, but not limited to:

Exemptions based on the nature of the exported data

  • Personal data

These exemptions apply when the transfer is necessary for executing or fulfilling a contract involving the individual. Examples include cross-border shopping, cross-border remittances, air ticket and hotel reservations, and visa processing.

  • Employee personal data

Exemptions are granted when the transfer is necessary for managing human resources in alignment with an organization’s internal policies or collective contracts.

Exemptions based on the annual volume of transfers

Additionally, the draft provisions propose exemptions for the transfer of personal data based on the annual volume of transfers:

  • Standard contract/PI protection certification exemption:

Estimated transfers of personal data for fewer than 10,000 individuals per year.

  • Security assessment exemption:

Estimated transfers of personal data for fewer than 10,000 individuals per year.

  • Security assessment exemption for estimated transfers of personal data involving between 10,000 and 1 million individuals per year:

An exemption from the security assessment requirement is granted if the organization has either entered a standard contract for Cross-border Data Transfer (CBDT) or has obtained the certification.

Transfers exceeding 1 million individuals annually will still be subject to a security assessment. While the counting period for this assessment is not explicitly stated, it is presumably on an annual basis, aligning with the overall context of these provisions.

The draft provisions maintain the requirement for obtaining individual consent for Cross-border Data Transfers (CBDTs) involving personal data.

The draft confirms the current practice that a security assessment is not mandatory for CBDTs involving potential “important data” unless that data has been officially classified as such by the relevant authorities. Currently, only a few such classifications exist, such as for connected car data and aircraft operational data.

Additionally, the draft suggests that Free Trade Zones may have the authority to grant further exemptions from the CBDT requirements, subject to obtaining approval from the Cyberspace Administration of China (CAC). The exact scope of these exemptions is not clearly defined in the draft.

In Conclusion

China’s data market is still developing, but it is evolving fast and in a multitude of directions. Regulations and guidelines are issued quickly, and this is obviously going to create a certain level of confusion before the practical application becomes clear.

The proposed changes are likely to be well received by international businesses operating in China, especially with the approaching end of the 6-month grace period. The complex procedures imposed by the new law are still burdensome; however, this draft is an important step in creating a balance between regulating and protecting data and facilitating cross-border exchanges.

Our experts will be happy to assist you in navigating the new Cross-Border Data Transfer regulations.


S.J. Grand is a full-service accounting firm focused on serving foreign-invested enterprises in Greater China since 2003. We help our clients improve performance, value creation and long-term growth. 

