Privacy & Information Security Law Blog

Recent developments in the Shanghai Pilot Free Trade Zone to facilitate cross-border data transfers are expected to provide greater flexibility in exporting data from China, which has been stymied by the Cyberspace Administration of China (“CAC”)’s strict cross-border data transfer regulations proposed in December 2023. In recent years, the legal framework and practical enforcement for cross-border data transfers in China have undergone significant developments, especially with respect to the CAC’s cross-border data transfer security reviews and standard contractual clauses. The lack of clarity around the CAC’s strict rules for security assessment reviews appears to have caused significant delays in the approval process for cross-border data transfers and concern among international companies who regularly transfer data outside of China. However, it appears that the Shanghai government is likely to permit international companies to transfer data offshore by leveraging its sprawling free trade zones. Shanghai, for example, has recently unveiled new measures aimed at accelerating cross-border data transfers.

On December 7, 2023, China’s State Council issued its Overall Plan for Promoting High-level Institutional Opening-up in the China (Shanghai) Pilot Free Trade Zone by Comprehensively Aligning with International High-standard Economic and Trade Rules (the “Overall Plan”), assigning Shanghai the objective of “building a national institutional-type opening-up exemplary site,” and setting the direction for the Shanghai Pilot Free Trade Zone to promote further relaxation of cross-border transfer restrictions under the new framework.

To implement the pilot programs of the “Overall Plan,” the Shanghai government issued its Implementation Plan for Shanghai to Implement Overall Plan for Promoting High-level Institutional Opening of China (Shanghai) Pilot Free Trade Zone by Comprehensively Connecting with International High-Standard Economic and Trade Rules on February 3, 2024 (the “Implementation Plan”). On February 6, 2024, the Information Office of the Municipal Government of Shanghai held a press conference to introduce the key aspects of the Implementation Plan, which proposes a series of measures to regulate and foster cross-border data transfer, e.g., developing an Important Data Catalog[1], exploring the establishment of lawful, secure and expedient cross-border data transfer mechanisms, and creating a cross-border data service center in the Free Trade Zone (including the Lingang Special Area[2]) (“Free Trade Zone”). The latter is a new government department with the authority to conduct preliminary reviews of applications for cross-border data transfers. Specifically, the Implementation Plan provides that financial institutions are permitted to transfer operational data outside of China pursuant to applicable security policies and measures.

The Implementation Plan also outlines additional measures related to promoting data sharing and the development of digital trade in the Free Trade Zone. In accordance with the principles outlined in the Implementation Plan, the Lingang Special Area will take the following measures:

Development of "General Data Lists" and "Important Data Catalogs" for Cross-Border Data Transfers

As of February 2024, the Lingang Special Area government issued its “Data Flow Operation Guidelines,” which establish a comprehensive mechanism for “conducting pre-transfer assessments and filing, performing backup and storage during transfers, and conducting random checks and verification after transfers.” Nearly 50 scenarios for convenient cross-border transfer have been contemplated.

Furthermore, the Lingang Special Area government recently released the Management Measures for the Classification and Grading of Cross-border Data transfer in the Lingang Special Area (Trial) (“Management Measures”), which categorize cross-border data into three levels: (1) “Core Data,” (2) “Important Data” and (3) “General Data.” “Core Data” is prohibited from being transferred outside of China. Transfers involving “Important Data” must go through an initial verification and application process with the Cross-border Data Service Center of the Lingang Special Area, after which the transfers must be submitted to the local Cyberspace Administration for a security assessment. “General Data” is permitted to be transferred freely if the relevant data protection management requirements are met.

The Lingang Special Area government has formed working groups comprised of industry (and potentially other types of) stakeholders to address specific data transfer scenarios within various sectors (e.g., intelligent connected vehicles, financial planning, high-end shipping, international trade, biomedicine and cultural export). The working groups are tasked with developing “General Data” lists and “Important Data” catalogs.

The establishment of a dedicated cross-border data service center is intended to streamline processes for the submission of application materials, consultation, and preliminary review of data transfers, offering a potential means for enterprises within the Lingang Special Area to expedite their cross-border transfers.

Mutual Recognition of Standard Contracts and Personal Information Protection Certification

The Lingang Special Area is also developing pilot projects for the mutual recognition of international data related rules[3], with the intention of increasing cooperation with the Digital Economy Partnership Agreement (“DEPA”) countries in the field of digital trade, actively establishing the Lingang Special Area as a model site of DEPA cooperation[4], and promoting the implementation of new rules such as “paperless trade” in the Lingang Special Area. In particular, the Lingang Special Area is exploring a pilot program to implement standard contracts for cross-border data transfers and a personal information protection certification.

Establishment of the International Data Industrial Park

The Lingang Special Area has stated that one of its objectives is to accelerate the development of key industries such as data outsourcing, international cloud services and data compliance. It has also stated that it is actively cultivating the offshore data industry, exploring new types of businesses such as offshore data processing, data analysis and data storage, and promoting the establishment of the model center of digital trading. To promote such business in China, it appears the government has recognized that it is necessary to allow for less stringent cross-border data transfer rules. 

[1] The “important data catalog” is a list of data elements that are subject to heightened assessment requirements.

[2] Shanghai Pilot Free Trade Zone consists of several areas and Lingang Special Area is one such area.

[3] The specific data protection and data related rules and regulations, as well as participating countries, were yet to be announced at the time of publication.

[4] The Digital Economy Partnership Agreement (DEPA) is currently between Singapore, Chile and New Zealand. China applied for membership on Nov 1, 2021.