China Announces New Regulations to Streamline Cross-Border Data Flows: What Businesses in China Need to Know
June 03, 2024
On March 22, 2024, the Cyberspace Administration of China (“CAC”) officially issued the Provisions on Promoting and Regulating Cross-border Flow of Data (“New Provisions”). Since 2021, China has promulgated and implemented a series of laws and regulations governing data export, including the Data Security Law and the Personal Information Protection Law in 2021, the Measures for the Security Assessment of Outbound Data Transfer in 2022, and the Measures for the Standard Contract for Cross-border Transfer of Personal Information in 2023.
The New Provisions aim to optimise and improve the previous data export framework and procedures, reducing the compliance burden on businesses in China and further facilitating cross-border data flows, based on the practical need to ensure data security while supporting high-quality development of the digital economy. They reflect the Chinese government’s intention to create a more favourable environment in which MNCs in China, and domestic companies with overseas business needs, can move data across the border smoothly.
Key takeaways from the New Provisions include:
The reporting standards for security assessments of important data exports are clarified. “Important data” is defined broadly as “data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, and so forth.” The New Provisions state that data processors shall identify and declare important data in accordance with the relevant provisions. However, unless the relevant departments or regions have notified the data processor, or publicly released a catalogue identifying the data, as important data, the data processor does not need to apply for an export security assessment on the basis that the data is important data.
Data exports that contain neither domestic personal information nor important data are exempt from declaration. According to the New Provisions, where data transferred overseas is collected and generated in activities such as international trade, cross-border transportation, academic cooperation, and cross-border manufacturing and marketing but contains no personal information or important data, or where personal information collected and generated abroad is transferred to China for processing and then returned abroad without any domestic personal information or important data being introduced during processing, the data processor is exempt from the data export security assessment, the filing of standard contracts for exporting personal information, and personal information protection certification.
The scope of application of the standard contracts for exporting personal information and personal information protection certification is expanded and clarified. The New Provisions set out situations in which data processors providing personal information across the border are exempt from the data export security assessment, the filing of standard contracts for exporting personal information, and personal information protection certification. These are: where it is necessary to provide personal information overseas in order to enter into or perform a contract to which the individual is a party; where it is necessary for cross-border human resources management carried out under lawfully established labour rules and collective contracts; where it is necessary to protect the life, health, or property of natural persons in an emergency; or where a data processor other than a critical information infrastructure operator has cumulatively provided non-sensitive personal information of fewer than 100,000 individuals across the border since January 1 of the current year, provided in every case that no important data is involved. (Note: critical information infrastructure is defined as important network facilities and information systems in important sectors, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government affairs, and the science and technology industries for national defence, as well as other important network facilities and information systems whose damage, loss of function, or data breach may endanger national security, national welfare, people’s livelihoods, or the public interest.)
Flexibility has been added to the free trade zones’ cross-border data flow system. The New Provisions stipulate that, under the framework of the national data classification and grading protection system, a free trade zone may independently formulate its own negative list of data, namely the data whose export requires a data export security assessment, a standard contract for exporting personal information, or personal information protection certification. Once the list has been approved by the provincial CAC and filed with the national CAC, data processors within the free trade zone may provide data outside the negative list across the border without a data export security assessment, a standard contract for exporting personal information, or personal information protection certification.
The legal obligations of data processors providing personal information and other data across the border are refined. The New Provisions stipulate that a data export security assessment is required when a critical information infrastructure operator transfers personal information or important data overseas, or when a data processor other than a critical information infrastructure operator transfers important data overseas or has cumulatively provided non-sensitive personal information of over 1,000,000 individuals, or sensitive personal information of over 10,000 individuals, across the border since January 1 of the current year. A data processor other than a critical information infrastructure operator must conclude a standard contract for exporting personal information or obtain personal information protection certification if it has cumulatively provided non-sensitive personal information of between 100,000 and 1,000,000 individuals, or sensitive personal information of fewer than 10,000 individuals, across the border since January 1 of the current year.
In a nutshell, the Provisions on Promoting and Regulating Cross-border Flow of Data clarify the framework of data security mechanisms such as the data export security assessment and the standard contract for exporting personal information, while streamlining the declaration process to strike a balance between economic development and national security. Although the New Provisions may eliminate the requirement for some businesses in China to conduct a security assessment or apply for personal information protection certification, lowering compliance costs to a certain extent, they also provide that where significant risks in cross-border data activities or data security incidents are identified, data processors are required to rectify and eliminate them; those who refuse to rectify, or whose conduct results in serious consequences, will be held legally liable in accordance with the law.
Consequently, substantive compliance remains a top priority for businesses engaged in cross-border data activities in China, and those businesses must keep raising their data security awareness and assessing their cyber crisis preparedness. However, the individuals responsible for cyber and data security in their organisations face an uphill battle. A recent report from FTI Consulting found that many executives believe CISOs are not prepared to communicate with the most important internal and external stakeholders of their business. The report also cited a lack of preparedness to communicate the issues at hand effectively with law enforcement agencies and policymakers, which can have dramatic consequences for a business, including loss of customers, loss of revenue, legal action, and lasting harm to the organisation’s reputation. Given the current regulatory environment, relevant businesses need to prepare, review and update their cybersecurity crisis communication strategies so that they can manage and address crises adeptly, safeguard stakeholder relationships, minimise legal liabilities, and mitigate both the immediate and the enduring business repercussions.
Implementing these strategies through customised, regular training sessions can strengthen CISOs’ ability to communicate effectively with team members who lack a clear understanding of their roles and obligations. This approach helps CISOs navigate management expectations and translate technical language and KPIs into plain terms, so that cybersecurity objectives, risks, and opportunities are clearly articulated.