On March 22, 2024, the Cyberspace Administration of China (CAC) released the long-anticipated data regulation, Provisions on Promoting and Regulating Cross-border Data Flows, together with updated guidance of cross-border data transfer security assessment and standard contractual clause (SCC) recordal. It sends a strong message on China’s efforts to ease the data compliance burden on MNCs and further boost the digital economy.
Since 2017, China’s regulators have sought to establish a framework to regulate cross-border flows of data. Two key policies, Measures on Security Assessment for Cross-border Data Transfer and Measures on Recordal of the Standard Contractual Clauses for Cross-border Transfer of Personal Information, came into effect in September 2022 and June 2023 respectively, imposing additional administrative obligations for security purposes (passing national security assessment, filing SCC recordal or obtaining certification) on enterprises that transfer important data or personal information abroad. In practice, the extensive regulations have made enterprises, MNCs in particular, feel under pressure to develop new practices to ensure compliance. In late September 2023, the CAC began to release positive signals by issuing a draft version of data cross-border transfer regulation that the control of data flows will be liberalized for the purpose of promoting business environment and expanding high-level opening-up in China.
1. Narrower scope of governmental approval
Thresholds that trigger official approval have been raised. Transferring “100,000” individuals’ personal information has become the new threshold to trigger the need for SCC recordal or personal information protection certification, and “1,000,000” for official security assessment. The calculation period starts from January 1 of the current year.
Sensitive personal information is highlighted separately. Theoretically speaking, unless an exemption can be applied, so long as sensitive personal information is provided abroad, SCC recordal or personal information certification is required. If personal sensitive data reaches “10,000”, it also triggers official security assessment.
Having said that, no exemption works for important data transfer. Personal information that reaches a certain scale and precision may constitute “important data” and then absolutely trigger official security assessment.
The diagram below shows how the new cross-border data transfer regulation framework runs.
2. The expansion of exemptions
In accordance with the new data regulations, the following scenarios enjoy administrative exemptions if no important data is involved:
3. Streamlined process to promote efficiency
CAC is providing a new online portal to receive materials from appropriate applicants for security assessment and SCC recordal. The validity period of the security assessment has been extended from 2 years to 3 years and the applicant may apply for an extension of an additional 3 years prior to expiration. For the enterprises that have started the security assessment or SCC recordal process but are no longer necessary under the new data regulation, the CAC will offer the option to withdraw the application. The applicant may choose to leave it and wait for the final decision as well.
Among the relaxation measures, the new data regulation reiterates that the PRC regulation framework of data flow is established to safeguard data security and personal information protection. So how should MNCs respond to the new regulation.
1. Solid legal basis to process personal information
The new data regulation doesn’t lift the obligation to have a valid processing basis, such as providing notification and obtaining consent. Do carefully verify the validity of the consent sought from the data subjects directly or indirectly and its consistency with the original compatible purpose to process.
2. Personal Information Protection Impact Assessment (PIA)
Conducting PIA is also mentioned in the new data regulation. PIA is an efficient tool to establish and manage your own data inventory, which is the basis to further identify and mitigate the risk. For MNCs facing daily cross-border data transfer, there is a trend that a routine audit is gradually evolving to supplement the ad hoc PIA. Thus, it is still recommended to check and improve your data security and privacy protection programme in due course. Identify and fix compliance gaps, particularly those in the context of HR management and day-to-day business operations.
3. Timely incident reporting
Another focus of the new data regulation is data breach reporting mechanisms. In the event of security incidents or discovery of potential risks related to cross-border data transfer, the processor shall take remedial measures and report to the provincial or higher level of cyberspace administration in a timely manner. In recent years, China regulators have shown increasing attention to incident reporting and solving. Draft standards have been published for comments and are expected to take effect this year.
4. Keeping watch on the data policy in China
The relevant authorities or regions will further promulgate the standard of important data. FTZs are expected to publish their own negative list to support free flow of data not falling under the negative list. As ever, stay abreast of the policy and seize the opportunity in the fast-moving space.
The new data regulations usher in a new era in cross-border data flows involving China and reflect Chinese government's clear stance on unlocking data value, promoting such flows, in the interest of economic development.
If you want more information on any issues raised in this article, please get in touch with the team: rousedigitalservicesteam@rouse.com
This Alert is written by [XXX] and the Data team of Rouse and Lusheng Law Firm (Strategic Partner of Rouse).