On 28 September 2023, the Cyberspace Administration of China ("CAC") released the Draft Regulation on Regulating and Facilitating Cross-Border Data Transfer (规范和促进数据跨境流动规定(征求意见稿), "Draft Regulation"), which was open for public comments until 15 October 2023. Although still in draft form, the Draft Regulation shows that the Chinese authorities intend to ease the compliance burden of companies in the People's Republic of China ("PRC") in terms of cross-border transfer of data from the PRC to other countries/regions. A summary of the key highlights in the Draft Regulation is listed below. Kindly note that the Draft Regulation has not been passed, and the final form may be different from the current draft.
Current Transferring Conditions and Thresholds for Safety Review
- Under the current personal information ("PI") protection regime of the PRC, processors of PI ("PIP") are required to obtain separate consent from the PI subject for transferring the PI out of the PRC ("PI Export"), and satisfy one of the following conditions depending on the nature and scale of the PI to be transferred ("Transferring Conditions"):
- passing the safety review organised by CAC;
- obtaining PI protection certification conducted by professional institutions; or
- concluding a contract with the overseas recipient in accordance with the standard contracts ("SCCs") formulated by CAC.
- The following circumstances of PI Export shall be subject to the safety review organised by CAC, which involves the strictest requirements for PI Export:
- transferring important data out of the PRC;
- export of PI by operators of critical information infrastructure;
- export of PI by PIP that process PI of over one million individuals; or
- export of PI of more than 100,000 individuals, or sensitive PI of more than 10,000 individuals from 1 January of the preceding year.
Proposed Exemptions and Change of Thresholds
- Under the Draft Regulation, PI exported under the following circumstances will be exempted from fulfilling one of the Transferring Conditions:
- exporting PI that is not collected or generated within the PRC;
- exporting PI that is necessary for the conclusion or performance of a contract to which the PI subject is a party;
- exporting PI of employees for purposes of implementing human resources management based on relevant employment policies and collective employment contracts;
- exporting PI for purposes of protecting individuals' lives, health, or property safety in emergency situations;
- exporting PI of no more than 10,000 individuals within one year; and
- In addition to the exemptions of PI Export in Item (a) above, the following data is also exempted from the Transferring Conditions:
- the export of data that is collected or generated during international trade, academic cooperation, cross-border manufacturing and marketing, etc., except when such data involves PI or is announced as "important data" by relevant authorities; and
- if relevant Pilot Free Trade Zones formulate their own negative lists of data exporting, any data outside the scope of such negative lists.
- The Draft Regulation has also changed the threshold amount for the PI Export subject to the safety review. According to Clause 6 of the Draft Regulation, PIP may carry out the security certification or signing of the SCCs and will not be subject to the safety review if it estimates that it would export PI of more than 10,000 but less than one million individuals within one year.
Notable Issues
Generally speaking, the Draft Regulation, if formally issued substantially in its present form, will likely benefit many international companies' businesses by easing the strict requirements for PI Export. However, it is notable that certain provisions of the Draft Regulation still need to be further clarified or interpreted by CAC, such as the method of calculating estimated PI to be transferred within a one year period, and whether the security certification or SCC would be sufficient for transferring sensitive PI of more than 10,000 individuals (but fewer than one million) within one year.
