On September 28, 2023, the Cyberspace Administration of China (the "CAC") released a notice seeking public comments on the Provisions on Regulating and Facilitating Cross-border Data Flow (Draft for Comment) (the "Draft"), which intends to make adjustments to China's current regulations on outbound data transfers to further regulate and facilitate the orderly and free flow of data.
Overall, the Draft sends important signals of structural adjustment and eases the current policy on cross-border data flow. While following the overall framework of the implementing regulations, including the Measures for the Security Assessment of Outbound Data Transfers and the Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information, the Draft substantially exempts specific scenarios from the obligation to apply one of the three fundamental transfer mechanisms under the Personal Information Protection Law, namely undergoing a security assessment for outbound data transfer, entering into a standard contract for the outbound transfer of personal information, and obtaining personal information protection certification (hereinafter collectively referred to as the "Outbound Data Transfer Procedures"). It also substantially adjusts the applicable standards for cross-border data transfers, thus providing more possibilities for the cross-border flow of data. The following is a detailed summary of the key points of the Draft, together with some brief comments and advice.
1) Outbound transfer of data generated during international trade, academic cooperation, and transnational production, manufacturing, and marketing activities, excluding transfer of personal information or important data;
2) Outbound transfer of data that is not announced or published by the relevant department or locality as important data;
3) Outbound transfer of any personal information that is not collected or generated within the territory of China;
4) Where it is necessary to transfer any personal information overseas to execute and perform a contract to which the individual is a party concerned, such as cross-border shopping, cross-border remittance, air ticket and hotel reservation, and visa application;
5) Where it is necessary to transfer any personal information of an internal staff member overseas for human resources management under lawfully established labor rules and regulations and a lawfully executed collective contract;
6) Where it is necessary to transfer personal information overseas in an emergency to protect a natural person's health, life, and property safety and for other purposes.
1) Where it is estimated that the personal information of fewer than 10,000 individuals will be transferred overseas within one year, the Outbound Data Transfer Procedures may be exempted;
2) Where it is estimated that the personal information of more than 10,000 individuals but fewer than one million individuals will be transferred overseas within one year, and a standard contract has been signed and submitted for record-filing, or the personal information protection certification has been passed, the declaration for the security assessment may be exempted;
3) Where the personal information of more than one million individuals will be transferred overseas, the declaration for the security assessment is required.
4) In all of the above cases, where the outbound transfer of personal information is subject to individual consent, such consent from the personal information subject shall be obtained.
1) An FTZ may independently formulate a list of data to be included in the management scope of the Outbound Data Transfer Procedures (the "negative list"), which shall be reported to the provincial-level cyberspace authorities for approval and then submitted to the CAC for record-filing;
2) Outbound data transfer beyond the "negative list" may be exempted from the Outbound Data Transfer Procedures.
1) Outbound data transfer still needs to be legally compliant. Data processors should fulfill their data security protection obligations to ensure the security of outbound data transfer, and should adopt remedial measures and report in a timely manner in the event of a security incident or the discovery of increased security risks;
2) Local cyberspace administration authorities should strengthen guidance and supervision and enhance the regulation before, during, and after outbound data transfers.
Firstly, the Draft reflects a relaxed regulatory attitude towards the necessity of the Outbound Data Transfer Procedures. The Draft reduces the compliance costs associated with outbound data transfers by specifying scenarios that are exempt from the Outbound Data Transfer Procedures and adjusting the volumes that trigger such procedures. If the Draft comes into effect, these provisions will have a substantial impact on promoting orderly and free cross-border data flows while boosting confidence in the digital market.
Secondly, the Draft extends control of outbound data transfers from the central government's power to both central and local levels. By authorizing the implementation of a data "negative list" in FTZs, the Draft alters the original security regime for outbound data transfer, which was centrally controlled, and further relaxes policies on cross-border data flows within FTZs, providing FTZs full freedom of decision-making and pilot authority. These provisions, especially for foreign-invested enterprises and some specific companies, may further enhance cross-border data flows.
Thirdly, the Draft embodies China's governance philosophy in the digital economy, balancing security and development. There has yet to be a global consensus on cross-border data flow rules, and China needs to actively participate in formulating international data flow regulations while accelerating the development of a unique Chinese framework for cross-border data flow rules. The fact that the Draft allows for a public comment period of less than 20 days (including 8 days of national holidays) indicates that the authorities are eager to implement the regulations efficiently and make them effective promptly.
If the Draft is finalized as a formal text and comes into effect, it will significantly change the existing mechanisms for outbound data transfers. Although it can be speculated that the formal text is likely to retain the provisions mentioned and efficiently go through the implementation process, enterprises that are currently handling the Outbound Data Transfer Procedures, or that need to do so, are advised to re-evaluate their specific situations in light of the Draft to determine whether they fall within the exemption scenarios. After the evaluation, if an enterprise qualifies for exemption, it may consider, in consultation with the relevant authorities, whether it needs to adjust its existing plans based on its specific situation. If an enterprise still needs to initiate the Outbound Data Transfer Procedures, it is recommended to closely monitor the legislative developments and act when the timing is appropriate.
Also, it is worth noting that while the Draft exempts specific scenarios, companies, as data processors, must continue to fulfill their security obligations and ensure the security of outbound data transfers. In case of security incidents or increased security risks, they should take remedial measures and report promptly to avoid triggering other compliance issues.