On March 22, 2024, the Cyberspace Administration of China (the “CAC”) issued the Provisions on Facilitation and Regulation of Cross-Border Data Flows (the “Provisions”), which were effective the same day. The CAC also held a press conference to introduce and explain the Provisions. The Provisions demonstrate that the regulation of cross-border transfers in China is focused on important data and critical information infrastructure operators (“CIIO”), and that the CAC aims to optimize business environment, stabilize foreign investment, and support the data flow between global companies with a Chinese presence.
The Provisions address the following key topics, which are each discussed in further detail below:
- clarifying when the transfer of important data triggers the requirement to undergo a security assessment, and adjusting the conditions and thresholds for triggering the application of security assessment, the execution of the standard contract of cross-border transfer of personal information (“SC”), and the certification of protection of personal information;
- providing exemptions from the application of security assessment, the execution of the SC, and the certification of protection of personal information;
- establishing authority to create a negative list in free trade zones; and
- extending the validity period of an approved security assessment from two years to three years, with the option to apply for a further extension of three years.
Important Data and the Security Assessment
According to the Provisions, unless a data handler has been notified by the CAC that the data it processes constitutes “important data,” or the CAC otherwise publicly classifies the data as “important data,” the data handler is not required to undergo a security assessment on the basis that it processes “important data.” The recently released “Data Security Technology-Provisions on Data Classification and Grading” provide general rules for data classification and grading, and guidance on identification of important data. Additional guidance specific to defining important data is expected to be issued for each industry.
Transfers Triggering Application for Security Assessment
According to the Provisions, if data is transferred outside of China in one of the following scenarios, the data handler is required to apply for security assessment:
- where a CIIO transfers any personal information or important data outside of China; or
- where a data handler (excluding a CIIO) transfers important data or personal information of over 1 million individuals (excluding sensitive personal information), or sensitive personal information of over 10,000 individuals.
The Provisions also increase the period of validity of an approved security assessment from two years to three years. In addition, the data handler may now apply, 60 business days before the expiration date, for an extension of a further three years if there is no event triggering re-assessment.
Transfers Triggering Execution of the SC or Certification of Protection of Personal Information
According to the Provisions, where a data handler (excluding a CIIO) transfers personal information (excluding sensitive personal information) of between 100,000 and 1 million individuals, it should execute the SC or pass the certification of protection of personal information.
Exempt Processing Activities
The Provisions define the following six processing activities as exempt from the application for security assessment, the execution of the SC, or passing the certification of protection of personal information:
- transfers arising from international trade, cross-border transportation, academic cooperation, transnational manufacturing, marketing and other activities, that do not involve personal information or “important data;”
- transfers necessary for concluding and performing a contract to which the individual is a party, such as cross-border shopping, cross-border shipping, flight and hotel reservations, cross-border remittance and visa processing;
- transit data (i.e., transfers of personal information not collected and generated within the territory of China but only processed in China) provided that no personal information or important data collected in China are added to the transit data during the processing in China;
- transfers of employee personal information necessary for HR management to comply with employee policies formulated in accordance with the law of China and with the collective contract executed in accordance with the law of China;
- transfers of personal information necessary for the protection of a natural person’s life, health or property safety in emergency situations; and
- where a data handler (excluding a CIIO) transfers personal information of less than 100,000 individuals (excluding sensitive personal information) outside of China during a year (beginning January 1).
In the press conference, the CAC clarified that when calculating the number of individuals, the number shall reset each January 1 meaning no transfers of personal information from the previous year shall be counted.
Flexibility for Transfers from Pilot Free Trade Zones
The Provisions grant pilot free trade zones (e.g., the Shanghai Free Trade Zone) the authority to each formulate a list of data which would be subject to the transfer rules (i.e., a “negative list”), in accordance with national policy regarding data classification and grading. Data falling outside the scope of the negative list applicable to a data handler therefore could be transferred by the data handler outside of China without the need to comply with the transfer rules, assuming the data handler is not otherwise subject to the rules.
General Compliance Obligations for Cross-Border Transfers
While pursuant to the Provisions and as detailed above, certain data handlers may no longer be required to undergo the security assessment, or be required to execute the SC or pass the certification of protection of personal information, they will remain subject to other compliance requirements with respect to transfers of data outside of China, including:
- obtaining separate consent from the individual for transfers where consent is the legal basis for the transfer;
- preparing a personal information security impact assessment in relation to the transfer and maintaining such assessment in internal files for a period of three years;
- taking technical and other necessary measures to safeguard the security of the transfer; and
- in the case of a data incident or potential data incident, taking remedial action and notifying the cybersecurity administration at provincial level or above and the relevant authority in charge.
Next Steps
Given the regime for cross-border transfers has been established for over a year, many data handlers have taken steps to comply with the regime. For example, some data handlers have been granted approval for a security assessment, while other applications are outstanding. However, as detailed above, certain data handlers will no longer be subject to the same level of obligations when seeking to transfer data outside of China. In the press conference, the CAC answered questions concerning the next steps for data handlers to comply with the Provisions. In this respect, the CAC confirmed that:
- If a data handler has obtained approval of a security assessment, it may continue to transfer data pursuant to the approval.
- If a data handler did not pass the security assessment or passed it with conditions, but would no longer be required to apply for a security assessment pursuant to the Provisions, the data handler may transfer personal information outside of China through the execution of a SC or certification of protection of personal information (subject to the Provisions).
- If the data handler has submitted a security assessment or filed the SC and the application is ongoing but they are no longer subject to such procedures pursuant to the Provisions, the data handler may continue the original application or withdraw the application or filing from the CAC.
As the Provisions are in effect, data handlers should review their transfers in accordance with the Provisions to determine whether any further steps are required to comply with the data transfer regime of China.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code