Possible Simplifications to Data Transfers Outside of China - CAC proposes new draft Regulations: What Potential Impact for Companies?

In our previous articles, we analyzed numerous provisions (and restrictions) concerning the transfer of personal information outside the borders of the People’s Republic of China. These include the Measures for data export security assessment (available here), the Guidelines for the application of such Measures (available here), the implementation rules for personal information protection certification (available here) and the guidelines for the submission of the standard contract (available here).

To reduce the restrictions on cross-border data transfers, the Cyberspace Administration of China (“CAC”) recently published the draft regulations aimed at regulating and standardizing such transfers (the “Draft Regulations”). If passed, these regulations should ease the compliance burden imposed on international companies intending to engage in cross-border data transfer activities. The CAC requests for public comments, which can be submitted via email until 15^th October 2023.

In this article, we will briefly analyze the content of the Draft Regulations, its potential impact if adopted, and provide some tips for companies intending to transfer personal information outside the borders of the People’s Republic of China.

The Draft Regulations: content and exemptions

Currently, under the “Measures for data export security assessment” (the “Measures”, effective as of September 1, 2022), a controller of personal information that intends to transfer important data overseas must undergo a security assessment conducted by the CAC.

It is worth noting that, pursuant to Article 19 of these Measures, “important data” refers to data that, once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operation, social stability, public health and safety, etc.

As the definition of “important data” remains unclear, the Draft Regulations specify that companies will not need to self-identify its meaning; instead, the government will provide clarification through public announcements or specific notices.

Moreover, according to the Draft Regulations, a controller that intends to transfer personal information overseas is not subject to the mechanisms provided by the Personal Information Protection Law (“PIPL”), such as passing the security assessment conducted by the CAC, obtaining a certification from a specialized body, or entering into a contract (in accordance with the standard contract formulated by the CAC) with the foreign receiving party, when:

• The data to be transferred does not contain personal information or important data and is generated in activities such as international trade, academic cooperation, transnational manufacturing and marketing, and other similar activities;
• The personal information is not collected within the Chinese territory, but is provided overseas and is transferred in China for processing before being exported;
• The personal information must be transferred overseas for the establishment and performance of a contract with data subjects, such as online shopping, cross-border remittances, flight booking, hotel reservations, and visa applications;
• Personal information must be transferred overseas in emergency situations to protect the life, health, and safety of natural persons; and
• Employee personal information (including sensitive personal information) must be provided overseas for human resources management purposes, in conjunction with a collective contract signed in accordance with the law. It is worth noting that regarding this point, there are still some issues such as how to prove that exporting employees’ personal information is “necessary” for the implementation of human resources management, and what happens if the exemption is met but the amount of employees’ personal information to be exported exceeds 10,000 or 1 million.

The Draft Regulations also clarify that when personal information of less than 10,000 individuals is expected to be provided overseas within one year, the controller is exempt from the aforementioned mechanisms. However, the Draft Regulations specify that if personal information transfer is based on an individual consent, the controller must obtain separate consent from individuals.

Also in this case, there are still some issues, such as how to calculate the starting point of “within one year”, whether it is necessary to consider both the number of personal information transfers in the past year and the number of transfers in the next year, whether, when calculating the amount of personal information to be exported overseas, the controller should include employee personal information provided overseas for the purpose of human resources management.

Nonetheless, the Draft Regulations provide that when:

• the personal information of more than 10,000 but less than 1 million individuals is expected to be transferred overseas, the controller must enter into a standard contract for the export of personal information;
• the personal information of more than more than 1 million individuals is expected to be exported, the controller must pass the security assessment.

Even in case of an exemption, the controller must conduct a personal information protection impact assessment (“PIPIA”).

Finally, the Draft Regulations also specify that pilot free trade zones[1] will have the authority to independently formulate a data list, which is considered a negative list. If a controller transfers data falling outside the negative list, such cross-border data transfer is exempt from the abovementioned mechanisms.

The press release and the draft regulations are available here, only in Chinese.

Tips for companies

Considering that the Draft Regulations could have a significant impact on data transfer, companies should pay attention to the release of the official regulations and take some measures, such as:

• Evaluate the amount of the personal information that a company expects to transfer overseas within a year;
• Monitor the negative list to determine if the personal information to be exported falls outside the list, especially if the company is located within a free trade pilot zone;
• comply with other requirements (such as obtain the separate consent);
• verify if the company can export employee personal information according to the regulations;
• stay updated on the progress of these regulations;
• seek legal counsel for compliance.

[1] China’s Pilot Free Trade Zones are some designated areas within the country that implement innovative policies and reforms to promote international trade and investment, in order to attract foreign businesses, investors and companies.