Bytes Without Borders: China Relaxes Cross-Border Data Transfer Rules

Kevin Duan and Yuting Wang of Han Kun Law Offices in Beijing discuss China’s recent regulatory changes to cross-border data transfers, highlighting exemptions and updated standards. Their analysis delves into the implications for multinational corporations, offering insights into compliance measures and advice on how to navigate the evolving regulatory landscape.

Published on 15 May 2024
Kevin Duan, Expert Focus Contributor, Han Kun

The regulatory framework governing data export, established under the Personal Information Protection Law, has been implemented through rules such as Measures on Security Assessment for Data Cross-border Transfers and Measures on the Standard Contract for Cross-border Transfer of Personal Information. Despite these efforts, enterprises, especially multinational corporations (MNCs), continue to encounter various practical challenges during security assessment or standard contract record-filing procedures. These challenges include the lengthy security assessment application and rectification process, uncertain approval standards, and difficulties in obtaining separate consent due to the unique characteristics of certain industries.

In a clear demonstration of the Chinese government’s commitment to boosting economic globalisation and improving the foreign investment climate, the Cyberspace Administration of China (CAC) released the Provisions on Promoting and Regulating Cross-border Data Flows (the “CBDT Provisions”) on 22 March 2024. These regulations significantly ease the compliance burden on data handlers by eliminating procedural requirements in certain exempted scenarios, while maintaining oversight over important data and critical information infrastructure operators (CIIOs). Additionally, these provisions update numerical thresholds that trigger government approval for data exports and introduce preferential treatment for free trade zones (FTZ). These changes, compared to the previous rules, create a more favourable environment for data transfers, and reflect the Chinese regulator’s determination to facilitate global data flow and utilisation.

Exempted Scenarios

The CBDT Provisions introduced several significant changes to the existing regulatory framework for cross-border data transfers.

According to Articles 3-5 of the CBDT Provisions, the following scenarios are exempted from undergoing a data export security assessment, entering into and filing standard contracts for personal information (PI) cross-border transfers (“Standard Contract”), or undergoing a PI protection certification (collectively “CBDT Procedures”). The exempted scenarios include those data flow scenarios that are highly necessary and common for MNCs.

Cross-border transfer of non-regulated data

Data export not involving PI or important data would be exempted from the CBDT Procedures.

International transfers with stopovers in mainland China

The offshore provision of PI that is collected and generated overseas and then processed within mainland China would be exempted from the CBDT Procedures if the processing does not introduce domestic PI or important data.

Contract performance scenarios

The CBDT Provisions exclude scenarios in which PI must be exported for the purpose of entering into and performing a contract to which a PI subject is a party. Several examples are listed by the CBDT Provisions, such as cross-border shopping, cross-border mailing, cross-border remittance, cross-border payment, cross-border account opening, airline tickets and hotel reservations, visa processing, examination services, etc.

HR scenarios

PI of an employer’s employees may be exported without undergoing CBDT Procedures if the export is necessary for HR management and is implemented in accordance with the employer’s lawfully formulated rules and lawfully executed collective contracts. This would significantly ease the compliance burden on MNCs, given the near inevitability of exporting PI to overseas headquarters and affiliated companies for HR management purposes. However, this clause should be interpreted strictly. For example, the export of PI relating to job candidates who have not yet entered into labour contracts with employers might be excluded from this exemption.

Emergency scenarios

No CBDT Procedure would be required in emergencies where it is necessary to export PI to protect the life, health, and property security of natural persons.

Minimal amount of non-sensitive PI

Data handlers other than CIIOs would be exempted from the CBDT Procedures if they have transferred non-sensitive PI of fewer than 100,000 individuals since 1 January of the current year.

Exceptions for FTZs

FTZs are established across China as testing grounds for special regulations where qualified companies can leverage these regulations to promote economic growth. Under the new CBDT regulations, each FTZ would be empowered to formulate special data export mechanisms that further relax the data export requirements. One such mechanism is a data export negative list: a list, shorter than what applies outside FTZs, of the data that is subject to data export security assessment, Standard Contract record filing, or PI protection certification. Data export falling outside the negative list would be exempted from the CBDT Procedures.

On 8 February 2024, Shanghai FTZ published trial regulations that classify the to-be-exported data into three levels – ie, core data, important data and general data. Each category entails varying compliance obligations. Tianjin FTZ published similar rules on 5 February 2024, providing additional guidance on data categorisation and identification of important data within Tianjin FTZ. MNCs may keep close contact with the FTZ administration committees to leverage this preferential treatment.

Updated Standards to Determine the Appropriate CBDT Procedures

The CBDT Provisions update the regulatory regime regarding cross-border transfers of non-sensitive PI, while upholding the numerical standards regarding sensitive PI.

A Security Assessment applies to cross-border transfers of:

  • PI or important data conducted by CIIOs;
  • important data conducted by data handlers other than CIIOs; or
  • PI conducted by data handlers other than CIIOs, where the transfer concerns non-sensitive PI of more than one million individuals (excluding sensitive PI) or sensitive PI of more than 10,000 individuals.

A Standard Contract record filing or a PI protection certification applies to cross-border transfers by data handlers other than CIIOs concerning:

  • non-sensitive PI of more than 100,000 individuals but fewer than one million individuals; or
  • sensitive PI of fewer than 10,000 individuals.

When applying these standards and calculating the CBDT volume, it is to be noted that:

  • the exempted scenarios and FTZ rules under Articles 3-6 of the CBDT Provisions prevail over these numerical standards;
  • instead of considering the quantity of PI a PI handler currently possesses, the sole criterion for assessing the need for any CBDT Procedures is the accumulated PI export volume since 1 January of the current year; and
  • PI reaching a certain amount (eg, 100,000 or one million) would be deemed as important data under sector-specific or regional rules; in such cases, a security assessment would apply.

FAQ

We have summarised below some FAQ to better illustrate the impact of the CBDT Provisions on data handlers.

Which compliance measures should be taken regarding cross-border data transfers that fall under the exempted scenarios?

The CBDT Provisions aim to simplify the relevant administrative approval and certification procedures for data export, but this does not imply a reduction in compliance obligations. Thus, data handlers exporting PI must continue to abide by the three fundamental principles of “legality, legitimacy, and necessity” to mitigate interim and post-regulatory risks associated with data export activities. Such compliance measures include conducting PI protection assessments and implementing technical and organisational data protection measures.

Will any CBDT Procedures be triggered if the PI export volume under the exempted Contract Performance Scenarios or HR Scenarios exceeds the 100,000 or one million threshold?

Normally, CBDT Procedures would be exempted under the Contract Performance Scenarios or HR Scenarios, regardless of the PI export volume. In other words, no security assessment would be applicable even if the data handlers annually export PI of more than one million individuals, as long as the PI export qualifies as an exempted scenario.

Will any CBDT Procedures be triggered if the PI export under the exempted Contract Performance Scenarios or HR Scenarios involves any sensitive PI?

If the PI export under such exempted scenarios involves sensitive PI but no important data, then the CBDT Procedures would still be exempted because, under Articles 7 and 8 of the CBDT Provisions, the provisions of Articles 3, 4, 5, and 6 prevail in the situations they stipulate.

How should data handlers proceed with the pending procedures of security assessments or Standard Contract record filings with respect to the exempted scenarios?

According to the press conference held by the CAC, if it is not necessary to carry out the CBDT Procedures in accordance with the CBDT Provisions, the data handler may proceed in accordance with the original procedures, or it may withdraw the declaration and file with the local provincial cyberspace department.
