On 28 September 2023, the Cyberspace Administration of China ("CAC") released the Draft Regulation on Regulating and Facilitating Cross-Border Data Transfer (规范和促进数据跨境流动规定(征求意见稿), "Draft Regulation"), which was open for public comments until 15 October 2023. Although still in draft form, the Draft Regulation shows that the Chinese authorities intend to ease the compliance burden of companies in the People's Republic of China ("PRC") in terms of cross-border transfer of data from the PRC to other countries/regions. A summary of the key highlights in the Draft Regulation is listed below. Kindly note that the Draft Regulation has not been passed, and the final form may be different from the current draft.
Current Transferring Conditions and Thresholds for Safety Review
- Under the current personal information ("PI") protection regime of the PRC, processors of PI ("PIP") are required to obtain separate consent from the PI subject for transferring the PI out of the PRC ("PI Export"), and satisfy one of the following conditions depending on the nature and scale of the PI to be transferred ("Transferring Conditions"):
- passing the safety review organised by CAC;
- obtaining PI protection certification conducted by professional institutions; or
- concluding a contract with the overseas recipient in accordance with the standard contracts ("SCCs") formulated by CAC.
- The following circumstances of PI Export shall be subject to the safety review organised by CAC, which involves the strictest requirements for PI Export:
- transferring important data out of the PRC;
- export of PI by operators of critical information infrastructure;
- export of PI by PIP that process PI of over one million individuals; or
- export of PI of more than 100,000 individuals, or sensitive PI of more than 10,000 individuals from 1 January of the preceding year.
Proposed Exemptions and Change of Thresholds
- Under the Draft Regulation, PI exported under the following circumstances will be exempted from fulfilling one of the Transferring Conditions:
- exporting PI that is not collected or generated within the PRC;
- exporting PI that is necessary for the conclusion or performance of a contract to which the PI subject is a party;
- exporting PI of employees for purposes of implementing human resources management based on relevant employment policies and collective employment contracts;
- exporting PI for purposes of protecting individuals' lives, health, or property safety in emergency situations;
- exporting PI of no more than 10,000 individuals within one year; and
- In addition to the exemptions of PI Export in Item (a) above, the following data is also exempted from the Transferring Conditions:
- the export of data that is collected or generated during international trade, academic cooperation, cross-border manufacturing and marketing, etc., except when such data involves PI or is announced as "important data" by relevant authorities; and
- if relevant Pilot Free Trade Zones formulate their own negative lists of data exporting, any data outside the scope of such negative lists.
- The Draft Regulation has also changed the threshold amount for the PI Export subject to the safety review. According to Clause 6 of the Draft Regulation, PIP may carry out the security certification or signing of the SCCs and will not be subject to the safety review if it estimates that it would export PI of more than 10,000 but less than one million individuals within one year.
Notable Issues
Generally speaking, the Draft Regulation, if formally issued substantially in its present form, will likely benefit many international companies' businesses by easing the strict requirements for PI Export. However, it is notable that certain provisions of the Draft Regulation still need to be further clarified or interpreted by CAC, such as the method of calculating estimated PI to be transferred within a one year period, and whether the security certification or SCC would be sufficient for transferring sensitive PI of more than 10,000 individuals (but fewer than one million) within one year.
Following the release of the first draft of the amendments to the Company Law of the People's Republic of China ("PRC") ("First Draft") and the second draft of the amendments in late 2021 and late 2022, respectively, the third draft of the amendments to the PRC Company Law ("Third Draft") was promulgated for public comments on 1 September 2023. Below is an analysis of three noteworthy changes contained in the Third Draft.
- Timeline relating to capital contribution
The most notable change relates to the timeline for shareholders to contribute to the registered capital of the company. Since 1 March 2014, the PRC Company Law has allowed shareholders to make the actual contribution of the capital they have subscribed in instalments or at specific milestones set out in the company’s Articles of Association, with no restrictions in terms of the timeline of the capital contribution unless specifically stipulated in the relevant laws. The Third Draft has amended this part by stipulating that the capital contributions shall be paid in full by the shareholders pursuant to the provisions of the Articles of Association of the company or within five years following the establishment date of the company, whichever is earlier. However, the Third Draft does not clarify whether the five-year requirement is also applicable to the contribution to the increased capital subscribed by the shareholders after the establishment of the company.
- Cap on capital reduction
The Third Draft sets limits on capital reduction. Compared with the current PRC Company Law, the Third Draft requires a company to reduce the capital contribution or shareholding of shareholders according to the proportion of capital contribution or shares held by the shareholders when it reduces its registered capital unless otherwise specified by law. This new requirement is mandatory and cannot be excluded by unanimous approval of shareholders.
- No consent for share transfer
Regarding share transfer, the First Draft has expressly provided that the consent of other shareholders of the company is not required for the transfer of shares to a third party. However, the other shareholders still have the priority right and the transferring shareholder(s) must notify in writing such other shareholders of the number of shares, price, and method and period of payment of the transfer, provided that such other shareholders shall respond within 30 days from receipt of the written notice. The Third Draft has followed the position of the First Draft in this regard, but further specifies that the time when the share transfer takes effect shall be when the transferee is recorded in the register of shareholders of the company.
If the Third Draft is passed in its current form, investors will need to take the above into consideration when they invest in, or dispose of the shares of, a PRC-incorporated company.
On 13 July 2023, the Cyberspace Administration of China, together with six other People's Republic of China ("PRC") ministries and commissions, issued the Interim Measures for the Management of Generative Artificial Intelligence ("AI") Services (生成式人工智能服务管理暂行办法) ("Measures"), which took effect on 15 August 2023. This is the first time that the PRC has specifically regulated generative AI services, aiming to promote the healthy development and standardised application of generative AI.
The Measures consist of five chapters and twenty-four articles, clarifying the basic principles and obligations that should be observed in the provision and use of generative AI services, and emphasising the principles of (i) inclusive and prudent supervision of generative AI services, and (ii) classification and grading.
Previously, the draft Administrative Measures for Generative Artificial Intelligence Services (生成式人工智能服务管理办法(征求意见稿)) ("Draft Measures") were released to the public. In May 2023, we prepared a Legal Update on the Draft Measures and their potential impact on service providers providing Generative AI services in China ("Service Providers"). To view the Legal Update, titled "China Issues Draft Administrative Measures for Generative Artificial Intelligence Services", please click here.
Compared to the Draft Measures, the Measures have adjusted and refined the obligations of Service Providers, and introduced the following key changes:
- Article 11: This provision has been added in the Measures: "Service Providers shall promptly receive and process requests from individuals for access, copying, correction, supplementation, deletion, etc., of their personal information."
- Article 14: The Draft Measures provided that "the generated content that does not meet the requirements of the Measures shall be prevented from being produced again within three months through model optimization training and other means" (emphasis added). The Measures have amended this part to: "If the Service Provider discovers illegal content, it shall take measures such as model optimization training for rectification in a timely manner" (emphasis added).
- Article 20: This provision has been included in the Measures: "Where generative artificial intelligence services originating outside China and being provided to the domestic market do not comply with the laws, administrative regulations, and the provisions of the Measures, the PRC Cyberspace Administration authorities shall notify the relevant organizations to take technical measures and other necessary measures."
- Article 21: The penalties in the Draft Measures for violations of the Measures where the monetary penalties are not specified in the laws and administrative regulations, have been deleted in the Measures. Instead, the Measures now specifically make reference to the penalties in the relevant regulations in other laws (including the PRC Cybersecurity Law, the PRC Data Security Law, and the PRC Personal Information Protection Law, etc.).
- Article 22: The definitions of generative AI Service Providers and Users have been included in the Measures.
