China Finalizes Provisions on Cross-Border Data Transfer
Chinese authorities issued new regulations and guidance governing cross-border transfers of data and personal information, which will significantly reduce procedural and compliance burdens for many multinationals.
On March 22, 2024, the Cyberspace Administration of China issued the Provisions for the Promotion and Standardization of Cross-Border Data Flows (the "Provisions") and updated guidelines for security assessments and standard contracts (collectively, the "Guidelines"), all effective immediately.
The Provisions and the Guidelines clarify and relax requirements relating to cross-border data transfers.
Exemptions From Additional Procedural Requirements for Cross-Border Data Transfers
Previously, data handlers were required to pass an assessment, file a standard contract with authorities, or undergo personal information ("PI") protection certification if they transferred any PI abroad. Under the Provisions, a data handler is exempt from such requirements in these scenarios:
- Re-export of PI imported from outside China, as long as the data handler does not introduce PI or "important data" from China during processing;
- PI transfers for entering into or performing contracts with individuals;
- Employee PI transfers for human resources management;
- PI transfers to protect life and property in emergencies;
- Transfers of non-sensitive PI of less than 100,000 persons in the current year by handlers that are not critical information infrastructure operators ("CIIOs");
- Transfers of data not listed in a free trade pilot zone's Negative List by a registered handler; and
- Data generated from international trade, cross-border transportation, academic cooperation, transnational manufacturing, and marketing, if the data does not contain PI or "important data" (data is not "important data" unless notified by relevant authorities or publicly released as "important data").
When Additional Procedural Requirements Apply
Subject to exemptions, assessments are mandatory when: (i) CIIOs transfer PI or "important data"; or (ii) non-CIIOs transfer "important data" or PI (in the current year) of more than 1 million persons or transfer sensitive PI of more than 10,000 persons.
Subject to exemptions, Standard Contracts or Certifications are required when non-CIIOs: (i) transfer PI (in the current year) of more than 100,000 and less than 1 million persons; or (ii) transfer sensitive PI of less than 10,000 persons.
Next Steps
Because the Provisions and the Guidelines significantly ease compliance burdens, companies should evaluate their cross-border transfers to determine which requirements they must meet going forward.