On 22 March 2024, the Cyberspace Administration of China ("CAC") published the long-awaited Regulations on Promoting and Regulating the Cross-border Data Flow (促进和规范数据跨境流动规定) ("Regulations"), which came into immediate effect.
Compared to the draft Regulations that CAC issued for comments on 28 September 2023 ("Draft Regulations"), one significant change is to the Regulations' name, which now places "promoting" before "regulating". This marks a radical shift in China's regulatory approach to cross-border data transfers, towards one that seeks to balance national security and the protection of individual rights on the one hand with commercial practicability on the other.
The Regulations and Draft Regulations remain largely aligned with respect to scenarios that may be exempted from the requirements to (i) complete and file a data export security assessment; (ii) conclude a standard personal information export contract; or (iii) obtain a Personal Information Protection Certification (collectively, "Data Export Regulatory Requirements"). However, the Regulations have included more examples of scenarios that can be exempted from the above requirements. In addition, the triggering conditions to comply with the Data Export Regulatory Requirements have been raised from "personal information of 10,000 persons that would be expected to be transferred within one year" to "personal information of 100,000 persons that have been transferred cumulatively starting from 1 January of the current year" when transferring personal information (excluding sensitive personal information) from China to other countries or places.
We have prepared a detailed legal update on the passed Regulations.