Various Beijing authorities, including the Beijing branch of the Cyberspace Administration of China, have jointly issued a negative list for outbound transfers of ‘important data’ applicable to organisations registered in the Beijing pilot free trade zone (Beijing FTZ).
The Beijing FTZ negative list identifies specific examples of ‘important data’ in 23 specific scenarios within five different industry sectors: automotives, pharmaceuticals, civil aviation, artificial intelligence, and retail and the so-called ‘modern service sector’[1]. Within four of these five sectors (excluding the automotive sector, which is governed by a different regime[2]), the usual thresholds for security assessment and standard contract filings for transfer of personal data have also been relaxed.
In addition, the Beijing FTZ authorities have also published ‘reference rules’ for classifying ‘important data’ in 12 general industrial sectors and areas (some of which overlap with the sectors covered by the negative list)[3].
The ‘reference rules’ themselves comprise relatively tight rules for certain categories of data within each sector (ie, sector-specific rules), alongside general rules that apply universally across all sectors.
The scheme of the rules is therefore highly complex. The Beijing FTZ has confirmed to us that:
- the negative list only applies to the 23 scenarios explicitly regulated within the first five sectors
- the ‘reference rules’ also apply in those first five sectors (ie, in scenarios that are not already addressed by the negative list)
- the general ‘reference rules’ always need to be taken into account in every industry sector
- within the specified categories/sub-categories in the second 12 industry sectors, the more specific reference rules should be applied in addition to the general rules.
What data is included on the negative list?
Summary:
Sector | ‘Important data’ |
Auto |
Items 1 - 4 above are generally consistent with the categories of ‘important data’ identified in the Several Provisions on Vehicle Data Security Management. |
Pharma | Diagnosis, treatment and other health and physiological information; clinical trial data; biometric data for specific groups “above a certain scale”. (The illustrative examples given suggest that ‘above a certain scale’ involves data related to more than 100,000 individuals, but this requires clarification.) |
AI | Any of the following kinds of data transferred for the purposes of training AI:
|
No specific kinds of data are included for the retail and modern service sector. The negative list for civil aviation concerns aircraft accidents and isn’t relevant to list out here.
As can be seen, the descriptions of several of the data types are ambiguous (eg, “information inappropriate to be published”; data that can reflect the operation status of the vehicle charging grid “in certain areas”, etc.), while other data types are described using unmeasurable qualifiers such as “above a certain scale”, “high-value sensitive data related to industrial competitiveness” and “important” medical/pharmaceutical information.
Further consultation with the Beijing FTZ management office will be needed to clarify the scope of the negative list where such ambiguities remain.
The ‘reference rules’
As mentioned above, the ‘reference rules’ comprise (i) three general and overarching rules on non-personal data that apply to all industrial sectors, and (ii) sector-specific rules for 12 industry sectors. The sector-specific rules are additional to the general rules within those 12 industry sectors.
The general rules
These are:
- high-value, sensitive data related to the competitiveness or safety standards in the relevant industry collected and generated in the course of R&D design, manufacturing or business management processes
- data related to supply chains that may impact national security
- the parameters of automatic control systems in ‘strategically-important’ sectors, and data related to the control, operation, maintenance and testing of any of those systems.
The sector-specific rules
The specific rules provide brief descriptions of data types that could be classified as ‘important data’ in 12 industry sectors.
For example, for banks and insurance companies, ‘important data’ could include data related to business operations, system operations and security management of companies that handle transactions, accounts or policies of “important” enterprises or public institutions (including national defence concerns), or information about such customers themselves.
For internet platform services, ‘important data’ could include all types of platform data, to the extent the data should be used to achieve social mobilisation, profile sensitive groups such as veterans, and data recorded and tracked for military and other government customers, etc.
The full list of specific rules in Chinese is available here.
Application and approval process
In contrast to earlier classifications of ‘important data’ issued by the free-trade zone authorities in Shanghai and Tianjin, the Beijing FTZ rules lay down a more detailed process for security assessment and approval.
Applications should be reviewed within ten working days at most, which includes a pre-step for an organisation to establish its eligibility to utilise the Beijing FTZ review mechanism (ie, its establishment in the Beijing FTZ in an eligible sector, etc.). Both stages of the application process are intended to be completed within five working days. In the second stage, detailed information will need to be provided about the type and amount of data to be transferred and the data transfer scenario, etc.
Within the 23 prescribed scenarios in the five sectors for which the Beijing FTZ has issued a negative list (ie, automotives, pharmaceuticals and AI), no security assessment (and no approval) is needed to transfer non-personal data that is not recorded on the negative list in the relevant prescribed scenarios. Only a filing would need to be made with the Beijing FTZ management office instead.
On the other hand, when organisations self-classify ‘important data’ based on the ‘reference rules’, they will need to submit to a full security assessment with the provincial-level CAC.
The Beijing negative list confirms that human genetic resource data constitutes ‘important data’ (which had been anticipated). However, the process for transfer of human genetic resource data will instead be governed by the Administrative Provisions on Human Genetic Resources (HGRAC) and its implementing rules (see earlier briefing here).
A general reservation is also made for data that is subject to export controls under the Technology Import Export Regulation.
Personal data as ‘important data’
The Beijing FTZ has also relaxed the national-level volume thresholds for cross-border transfers of personal data for certain activities in the pharmaceutical, civil aviation, AI, and retail and modern services sectors. For all other activities/transfer scenarios within those sectors, the existing national-level thresholds will continue to apply (see earlier briefing here).
The rules do not provide for any relaxation in the automotive sector.
Sector | Threshold for security assessment | Threshold for standard contract and certification |
Pharma | Transfer in a single calendar year:
| Transfer in a single calendar year:
|
Civil Aviation | Transfer in a single calendar year related to aviation services (including ticketing and loyalty programs):
| Transfer in a single calendar year related to aviation services (including ticketing and loyalty programs):
|
Retail | Transfer in a single calendar year related to loyalty programs:
| Transfer in a single calendar year related to loyalty programs:
|
AI | The transfer in a single calendar year in the scenarios of model training, algorithmic development and product testing:
| The transfer in a single calendar year in the scenarios of model training, algorithmic development and product testing:
|
Conversely, large sets of personal data in any of the 12 industry sectors covered by the sector-specific ‘reference rules’ are classified as ‘important data’. With the one exception noted below, overseas transfers of these data sets will generally need to pass a security assessment in any case, but will presumably be treated to stricter standards of review (and perhaps can no longer be exported at all?).
- the non-sensitive personal data of more than 10 million individuals
- the sensitive personal data of more than one million individuals
- the personal bank account, personal insurance account, other accounts registered by individuals or diagnosis and treatment data of more than 100,000 individuals (this threshold is lower than the national-level threshold for security assessment)
- personal data of more than 100,000 individuals held by an operator of Critical Information Infrastructure (as designated by the relevant sectoral regulator).
[1] eg, retail-related consumer services, hospitality (accommodation and catering), software and information technology services, internet information services and “other related enterprises”.
[2] Several Provisions on Vehicle Data Security Management (in force since October 2021).
[3] Strategic materials and bulk commodities; natural resources and environmental industries; heavy industry; the national defence sector; telecommunications; radio, television and online entertainment; financial services; transportation; hygiene, food and drugs; public security; internet services and e-commerce; science and technology.