Asia Corporate Alert
China is seeking to take a significant step to relax the compliance burden on multinational corporations (MNCs) regarding data export from China by allowing: (i) certain routine data exports for daily business operation or internal human resource management; and (ii) the export of a small volume of unimportant data, to be exempt from three primary data export compliance mechanisms. On 28 September 2023, the Cyberspace Administration of China (the CAC) released a draft of the Provisions on Regulating and Facilitating Cross-Border Data Flow (the Draft Provisions, Chinese version only) to seek public comments for a period ending on 15 October 2023.
Currently, MNCs are required under the Personal Information Protection Law (PIPL) (effective since 1 November 2021) to go through one of the three primary data export compliance mechanisms described below (the Three Mechanisms) in order to transfer personal data out of China, unless otherwise permitted by the laws, administrative regulations, or the CAC.
The first of the Three Mechanisms is a “security assessment” conducted by the CAC. Under this regime, certain types of personal data controllers may engage in a cross-border data transfer only if they pass a CAC security assessment (the CAC Assessment) (see our CAC Assessment Series: Part 1, Part 2, and Part 3 for more details).
The second mechanism involves receiving a certification for personal data protection from a licensed organization under the CAC regulations (the Licensed Certification). For more details, see our client alert on the licensed certification.¹
The third mechanism is for the data controller who wishes to export personal data from China and the overseas data recipient to enter into a standardized contract formulated by the CAC (the China SCC) and file the executed China SCC and the relevant personal data protection impact assessment (PIA) report with the CAC. For more details, see our client alert on the China SCC.
Each of the Three Mechanisms can be time-consuming and burdensome for MNCs that need to export from China data required for their daily business operation relating to individual customers or for internal human resource management. The Draft Provisions, as a new mechanism stipulated by the CAC under the PIPL, will, once they become law, greatly facilitate routine data transfers and significantly reduce MNCs’ compliance burden by introducing ‘safe harbors’.
Safe harbors under the Draft Provisions would apply according to the following standards:
Necessary Data Exports
Data exports that are necessary to conduct routine business operations in respect of individual customers, internal human resource management, or emergency situations are exempt from going through the Three Mechanisms, including:
- Export of data generated from international trade, academic cooperation, multinational manufacturing and marketing activities, which do not involve personal data or important data as categorized first and then notified or announced by regulators (Article 1);
- Export of personal data for the purpose of conclusion or performance of a contract to which an individual is a party for cross-border businesses, such as cross-border shopping, cross-border payments, flight and hotel bookings, and visa processing (Article 4);
- Export of personal data of employees of a company in China for the purpose of human resource management under a legally established human resource management policy or a legally concluded collective contract (Article 4); and
- Export of personal data in emergency situations where it is necessary to transfer personal data to protect the life, health, and property of people (Article 4).
Volume of Data
The following anticipated volumes of data to be transferred per year will be exempt:
- Exports of personal data of fewer than 10,000 individuals will be exempt from all Three Mechanisms (Article 5);
- For exports of personal data of between 10,000 and 1 million individuals, the CAC Assessment can be waived (Article 6).
- For personal data exports of more than 1 million individuals, the Licensed Certification and the China SCC are exempt, but the CAC Assessment will still be required.
Free Trade Zones
Data exported from free trade pilot zones (the FTZs) is exempt from the Three Mechanisms, so long as it is not included in the “negative list” that will be published by FTZs (Article 7).
Data Collected in Other Jurisdictions
Personal data that is not collected within China is exempt from the Three Mechanisms (Article 3).
It appears that the above safe harbors do not apply to the export of the following data:
- Personal data and important data transferred by government agencies and operators of critical information infrastructure in China; and
- Sensitive information and sensitive personal data related to the Communist Party of China, government, military, organizations and entities that have access to classified state secrets in China (Article 8).
With respect to important data, the Draft Provisions further clarify that if data regulators have not notified data controllers or publicly announced that the data is important data, the data controllers are not required to submit CAC Assessment for the export of data. Accordingly, MNCs do not have to make a self-judgment of what constitutes important data under the Draft Provisions.
The Draft Provisions put effort into facilitating the free movement of data from China in the normal course of business operation. With less stringent data transfer requirements, the administrative burden and costs associated with data transfer of MNCs will be significantly reduced and there will be better collaboration among affiliated entities of an MNC in different jurisdictions. In addition, clear guidelines on cross-border data transfer can help MNCs manage their data compliance risks more effectively, as they will have a better understanding of what is permitted and what is not.
MNCs should establish a comprehensive process to constantly monitor and identify which data are categorized, notified, or announced by regulators as “important data”. In addition, the process should meticulously document the origin of the data collected together with a paper trail, especially for data gathered outside of China.
It is worth noting that, even when a transfer of personal data out of China meets any of the safe harbor rules and does not require any of the Three Mechanisms, the data transferor in China is still required to conduct a pre-transfer personal data PIA as required by the PIPL. As such, MNCs that are data controllers still need to put the PIA in place as a compliance measure.
The Draft Provisions emphasize in a number of provisions that consent from the data subject is still required for transferring personal data out of China even when none of the Three Mechanisms is required. This comes from the general notification and consent requirement under the PIPL that a separate consent from the data subject is required for transferring his or her personal data out of China, when and where the collection of such personal data is based on the consent of the data subject. As such, MNCs should still properly collect and document the separate consent from data subjects for the outbound transfer of personal data in this scenario.
For any outbound transfer of personal data that is exempt from the Three Mechanisms under the safe harbor rules, it is still advisable for the data controller or processor in China and the overseas data recipient to enter into a data transfer agreement or other legal document such as an intragroup undertaking to set out rights and obligations of each party regarding the transfer as a risk control and compliance measure.
A data controller who has proceeded with the CAC Assessment or filing of the China SCC as of the date of the Draft Provisions but can be exempt under any of the safe harbor rules according to the Draft Provisions may wait for further clarifications from the CAC on whether the process could be ceased when the Draft Provisions become law.
Some key practical points are subject to regulators’ further clarification, such as: (i) whether the export of the sensitive personal data that could not be exempt under the safe harbor rules is limited to that relating to the Communist Party of China, government, military, organizations and entities that have access to classified state secrets in China or includes any and all sensitive personal data of any entity; and (ii) what would be the requirement where a data controller anticipates that the volume of personal data to be exported meets the safe harbor rules by not exceeding the volume limit but the personal data eventually exported exceeds the volume limit.
Enzo Wu, trainee solicitor in the firm’s Hong Kong office, also contributed to this article.
¹ The guidance on the licensed certification was updated on December 16, 2022.