
Freshfields Risk & Compliance


China introduces revised cross-border data transfer rules

In an order dated 22 March 2024, the Cyberspace Administration of China (CAC) brought in revised cross-border data transfer rules with immediate effect. The Provisions on Promoting and Regulating Cross-Border Data Flows supplement both the Measures for Security Assessment of Cross Border Data Transfer (July 2022) and the Measures on Standard Contracts for the Export of Personal Information (February 2023).

The CAC also issued at the same time:

In contrast to the previous draft announcement of 28 September 2023, which appeared to modify the existing rules by introducing several exemptions, the Provisions supersede the previous measures to the extent of any inconsistency. The proposed exemptions based on data type have, however, been preserved.

Key changes

The key changes in the new rules compared to the previous rules are:

  • Scrapping the previous threshold for security assessment of an organisation holding/ processing the personal data of more than one million individuals in China.
  • The new thresholds for security assessment are:
    • the transfer of the personal data of more than one million individuals in a single calendar year
    • the transfer of the sensitive personal data of more than 10,000 individuals in a single calendar year.
  • The introduction of a complete exemption from the security assessment requirement, the need to enter into a standard contract or to obtain certification under the Implementation Rules on Personal Information Protection Certification for annual data transfers of fewer than 100,000 individuals (not including sensitive personal data). This increases the exemption of the personal data of 10,000 individuals that had been proposed in the September draft.
  • The introduction of complete exemptions for overseas transfers that are necessary:
    • for human resources management under a published employment policy or a collective contract 
    • for the conclusion or performance of a contract with the relevant individual
    • in emergencies, to protect health, life or property.
  • All overseas transfers of ‘important data’ (regulated under the Data Security Law) will need to undergo a security assessment. However, organisations will not need to apply for security assessment unless the data has already been formally classified as ‘important data’ (only very few examples of important data have been officially classified so far).
  • The application requirements for security assessment and self-assessment reports have been simplified and made less onerous in general. We will summarise these changes in a separate client briefing shortly.

Summary of new position on cross-border data transfers

| Previous rule | New rule |
| --- | --- |
| Transfers of personal data | |
| All transfers of personal data overseas require specific consent unless an exemption applies. Notification has to include both the name and the contact details of the recipient of the transfer, and state the reason for the transfer. | No change in general. The new filing guidelines for CAC security assessment positively confirm that consent is not required when transferring personal data overseas for any of the exempted scenarios in Article 13 of the PIPL (including the two fully exempted categories below). |
| Prior notification has to include both the name and the contact details of the recipient of the transfer, and to state the reason for the transfer. | No change |
| Security assessment needed: an organisation holds/processes the personal data of more than one million individuals in China. That threshold applied regardless of how much data is being transferred out of the country. | Abolished |
| Security assessment needed: an organisation has transferred the personal data of more than 100,000 individuals since 1 January of the previous year. | New threshold: transfer of the personal data of more than 1 million individuals since 1 January of current year. |
| Security assessment needed: an organisation has transferred the sensitive personal data of more than 10,000 individuals since 1 January of the previous year. | New threshold: transfer of the sensitive personal data of more than 10,000 individuals since 1 January of current year. |
| All transfers below each of those volume thresholds require a standard contract (or certification). Standard contracts to be filed within 10 working days together with a self-assessment report. | New exemption: for transfers of personal data comprising fewer than 100,000 individuals (not including sensitive personal data) since 1 January of the current year. The requirements for the self-assessment report have been simplified. |
| No exemptions for any data categories. | New exemption: overseas transfers that are necessary for human resources management. New exemption: overseas transfers that are necessary for the conclusion or the performance of a contract with the relevant individual. |
| Transfers of ‘important data’ | |
| Security assessment needed: cross-border transfers of any amount of ‘important data’ | No change |
| Validity period of security assessment | |
| Two years. | Three years. |

Overseas transfers of any amount of personal data or ‘important data’ by an operator of critical information infrastructure continue to require CAC approval after undergoing a security assessment. 

The Provisions confirm that personal data that was first collected overseas and then imported into China for further processing without any domestic Chinese personal data or ‘important data’ will be exempted from any cross-border data transfer requirements. This is the converse of the generally understood position under the GDPR, and is a welcome clarification for international businesses.

New thresholds for security assessment

The one-million threshold for personal data held/processed (alone) is abolished

In our experience, many foreign companies operating in China have by now implemented some form of local storage for sensitive materials or other data that does not need to be accessible across the group.

As a result, many foreign-invested entities don’t actually transfer very much of their data out of China, or what they do transfer is internal data, such as HR data. Aside from consumer-facing companies, many international organisations had been required to undergo security assessment solely by reason of having surpassed the one-million threshold, i.e., for merely holding/processing the personal data of more than one million individuals in China.

The scrapping of this rule is therefore a very welcome development.

Security assessment remains required for transfers of:

  • personal data of more than one million individuals in a calendar year
  • sensitive personal data of more than 10,000 individuals in a calendar year.

The security assessment approved by the CAC will now be valid for three years (up from two years under the previous rules).

The final rules further provide that organisations will be able to apply for a renewal/ extension of previously approved data transfers within 60 days before the end of the current period of validity. Further three-year extensions of the same data transfers can thus be sought without undergoing a further security assessment application.

Exemptions based on data type, including:

  • First: where overseas transfers are necessary for human resources management.
  • Second: where the overseas transfer is necessary for the conclusion or the performance of a contract with the relevant individual. 

Data transfers for these purposes will not be counted towards the volume thresholds either.

These exemptions will relieve an organisation from the obligation to undergo CAC security assessment, enter into a standard contract or obtain certification even if the cumulative volume in a year exceeds the one million (security assessment), 10,000 sensitive personal data (security assessment) or 100,000 (standard contract) volume exemptions, provided that the only data being transferred is within any of the exempted categories.

The HR management exemption will be very helpful in many day-to-day scenarios within an international group - and potentially may also apply to processes such as internal investigations as well.

The examples given of the second exemption for ‘individual cross-border commerce’ are: cross-border shopping, cross-border payment and remittances, cross-border account opening, air ticket and hotel reservations, visa processing, and overseas tests and examinations (e.g., tests for TOEFL and CFA (Chartered Financial Analyst) qualifications, etc.).

But notably no exemption has been proposed for transfers of CRM data (i.e., contact information). Anecdotally, the CAC is also understood to have rejected most security assessment applications for overseas transfers of customer relationship management data to date. 

New thresholds for standard contract

Standard contract or certification required for transfers of:

  • the personal data of more than 100,000 individuals but fewer than one million individuals (excluding sensitive personal data) in a calendar year
  • the sensitive personal data of fewer than 10,000 individuals in a calendar year. 

Transfers of the personal data of fewer than 100,000 individuals in a calendar year will not require a standard contract until that threshold has been exceeded. 

As explained above, the same exemptions based on data-type will apply to the standard contract as well. 

Decision tree flow chart

The wider context

In a keynote address at the China Development Forum in Beijing on Sunday 24 March 2024, Premier Li Qiang explained that in addition to these relaxations on cross-border data flows, the Chinese government is studying other issues frequently raised by international businesses in China, including market access and public tendering. 

On 19 March 2024, the State Council had also published a new circular entitled “Action Plan for Solidly Promoting High-Level Opening Up and Attracting and Utilizing Foreign Investment More Aggressively” (which had been issued internally to provincial-level government and departments of the State Council three weeks earlier, and may have informed the final thinking on the new cross-border data transfer rules).

In this Action Plan, the State Council put forward 24 measures to better promote foreign investment. These included support for data flows between foreign invested companies and their overseas headquarters, in particular with respect to research and development, production and sales. Data transfers within the Guangdong-Hong Kong-Macao Greater Bay Area will specifically be facilitated via a future white-list mechanism.

Other proposed measures include implementing tax support policies, enhancing financial support, facilitating foreign exchange transactions, simplifying business and work visa processes for foreigners, increasing international flights, and strengthening intellectual property protection, etc.

The Provisions also state that pilot free trade zones will be permitted to introduce negative lists exempting data from any of the cross-border data transfer mechanisms. This may take the form of complete exemptions or modified requirements such as those recently proposed for transfers of personal data between organisations registered in nine cities in Guangdong province and organisations registered in Hong Kong under a simplified form of standard contract (known as the GBA Standard Contract) and without an obligation to file an impact assessment. See our briefing on this new mechanism here.