At the end of September 2023, the Cyberspace Administration of China (CAC) released draft regulations (see the unofficial English translation) governing the cross-border flow of personal information and important data out of the People's Republic of China (PRC). The comment period for these regulations concluded on October 15, 2023, and the regulations may change if the CAC incorporates responses to any comments; however, the current draft regulations provide valuable insight into how the CAC intends to regulate cross-border data flows. Overall, the regulations represent a loosening of the CAC's requirements for data transfers and an easing of the compliance burden – a welcome sign for multi-national businesses with a presence in the PRC.
Current law in China outlines three adequate data transfer mechanisms under the Personal Information Protection Law (PIPL), as described in our April 2023 post. The currently permitted cross-border transfer mechanisms for sending personal information of Chinese individuals outside of China include: (1) passing a security assessment organized by the CAC, (2) obtaining a certificate from a CAC-recognized professional organization, or (3) entering into standard contractual clauses (PIPL SCCs). The required or permissible mechanism for a data transfer depends upon the type and volume of data being exported.
Notably, while the PIPL SCCs requirements remain unchanged, the threshold for requiring a security assessment has been lowered. Currently, data controllers that export personal information of 100,000 or more individuals, or sensitive personal information of 10,000 or more individuals, outside China within one year are required to pass a government-administered security assessment. The draft regulations reduce this burden as it relates to personal information (it does not appear that "sensitive personal information" is addressed): if the company transfers personal information of fewer than 1 million individuals outside China within one year, a security assessment is not required (whereas it is still required if over 1 million). If the company transfers personal information of more than 10,000 but fewer than 1 million individuals, it may either enter into PIPL SCCs or undergo a security assessment. While this is a lowering of the standard, companies that export personal information in these volumes without a security assessment must still receive a waiver from the CAC. These changes come just prior to the conclusion of the grace period for compliance with the PIPL SCC requirements on November 30, 2023.
Proposed Exemptions. The draft regulations explicitly exempt the following cross-border transfers of personal information from the requirements of the three permitted transfer mechanisms set out in the PIPL:
- Where personal information must be provided overseas as needed to conclude or perform a contract to which the individual is a party, such as for cross-border purchases, cross-border money transfers, air and hotel reservations, and handling visas;
- Where the personal information of internal staff must be provided overseas to carry out human resources management in accordance with lawfully drafted labor rules and lawfully concluded collective contracts (for HR purposes); and
- Where personal information must be provided overseas in urgent situations to protect natural persons’ security in their lives, health, and property.
Additionally, the regulations provide further clarity on other exemptions from the cross-border data transfer requirements, meaning that no transfer mechanism must be in place in the following circumstances: (a) the transfer of personal information that was not collected or generated within the PRC, (b) where no personal information or important data is being transferred outside of the PRC, (c) the transfer of fewer than 10,000 individuals' personal information within one year, and (d) transfers made from within the free trade zones of data not included on the "negative list."
Transfer of Important Data. The draft regulations further loosen the cross-border restrictions on important data. Unless a company is informed by a regulator or by a public notice that it processes "important data," defined as "data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, and so forth," the company is not required to proactively assess its processing or undergo a security assessment prior to transferring important data outside of the PRC.
Key Takeaways. The draft regulations could materially reduce the burden of complying with the PIPL's security assessment requirements and PIPL SCCs. We would, however, note that if "consent" is the legal basis for processing data, specific consent is still required under the PIPL for cross-border transfers. It remains to be seen how these draft regulations will be finalized, but the current draft is ultimately favorable to multi-national businesses.