Introduction

On 22 March 2024 at 2000 hours, the Cyberspace Administration of China (“CAC”) released the long-awaited Regulations for Promoting and Standardising Cross-Border Data Transfer (“CBDT Regs”), which took effect immediately. The CBDT Regs undo or further clarify some of the requirements under:

This article explores the CBDT Regs in detail and discusses their practical implications for organisations with cross-border data transfers (“CBDT”) to and from China.

“For the purposes of these Measures, the term “Important Data” means any data, the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, the operation of the economy, social stability, public health and security, etc.”

Due to the factors listed above, Data Processors could not be sure that their views on what constituted Important Data would align with those of regulators. This, in turn, made data compliance activities challenging.

Article 2 of the CBDT Regs simplifies the identification of Important Data by stating:

Moreover, during a Q&A Session on 22 March 2024 (“CBDT Q&A”), the CAC stated:

Based on the CBDT Regs and the CBDT Q&A, unless a public authority tells a Data Processor or announces that data is Important Data, the data in question is not Important Data. Accordingly, Article 2 gives Data Processors much-needed clarification to help them understand how to identify Important Data.

The CBDT Regs introduce several data export scenarios which are exempt from the Security Assessment, concluding the Standard Contract or obtaining Certification (the Security Assessment, Standard Contract and Certification are each a “CBDT Path” and collectively the “3 CBDT Paths”). These exemptions will presumably be welcomed by businesses and include:

Exemption 1: Exporting data other than Important Data and Personal Information

Article 3 of the CBDT Regs provides:

This provision is actually not new. Data not classified as Important Data or Personal Information has never been required to follow the 3 CBDT Paths. We understand the CAC merely reiterates this point to clarify some misunderstandings of the outside world.

Exemption 2: Exporting imported overseas Personal Information

Article 4 of the CBDT Regs state:

In other words, Personal Information not originating from China is exempt from the 3 CBDT Paths. A typical scenario that this exemption covers is when a foreign entity engages a Chinese entity to analyse the Personal Information of overseas individuals and then transfer the analysis results to the foreign entity. Other scenarios may also fall under this exemption but will need to be considered on a case-by-case basis.

Exemption 3: Contract Exemption

Article 5, Paragraph 1, Item 1 of the CBDT Regs exempts Data Processors from having to follow a CBDT Path in relation to “necessary” exports of Personal Information for the following purposes:

The wording of the Contract Exemption mirrors the first part of Article 13, Paragraph 1, Item 2 of the PIPL. However, it also provides illustrative examples that appear to be part of an open list. Based on the plain wording of the Contract Exemption, two key requirements must be met to rely on it: (1) there is a genuine necessity to export Personal Information to conclude or perform a contract, and (2) the concerned individual must be a party to such a contract.

Exemption 4: Employee Exemption

Article 5, Paragraph 1, Item 2 of the CBDT Regs exempts Data Processors from having to follow a CBDT Path in relation to “necessary” exports for the following purposes:

The wording of the Employee Exemption matches the second part of Article 13, Paragraph 1, Item 2 of the PIPL. Two key requirements must be met to rely on the Employee Exemption: (1) there is a genuine necessity to export Personal Information for human resources management, and (2) an employment policy has been legally established or a collective contract has been legally concluded which specifies the Personal Information export.

Currently, no guidance exists on the meaning of necessity for human resources management. However, in our experience of the Security Assessment and Standard Contract, the CAC has generally accepted filings where the issue of necessity was addressed from the perspective of achieving centralised and unified personnel management within a global organisation.

As for the requirement of a legally established employment policy, a Data Processor will need to follow some specific provisions in relevant employment laws and regulations to meet this requirement. Such provisions relate to the specific content of relevant employment policies and the procedures for drafting and issuing them, including consultations with employees and work unions.

Exemption 5: Emergency Exemption

Article 5, Paragraph 1, Item 3 of the CBDT Regs exempts Data Processors from having to follow a CBDT Path in relation to “necessary” exports of Personal Information for the following purposes:

The wording of the Emergency Exemption matches part of Article 13, Paragraph 1, Item 4 of the PIPL. This is not a situation that every company will come across every day. However, it would be impractical for any company to follow any of the 3 CBDT Paths if a real emergency arose. Two key requirements must be met to rely on the Emergency Exemption: (1) there is a genuine necessity to export Personal Information for saving life, health or property, and (2) an emergency threatening life, health or property has occurred or will likely occur.

Exemption 6: De Minimis Exemption

An exemption from the 3 CBDT Paths exists in Article 5, Paragraph 1, Item 4 of the CBDT Regs, which provides:

The De Minimis Exemption can be understood by reference to volumes of ordinary Personal Information exported within a calendar year. The wording of the De Minimis Exemption also excludes exports containing sensitive Personal Information from its scope. In other words, a single item of sensitive Personal Information among 99,999 or fewer individuals’ Personal Information is enough to void the exemption.

Regarding Article 7 of the CBDT Regs, which also requires a consideration of data quantities, Question 11 of the CBDT Q&A states that if “it falls under the circumstances specified in Article 3, Article 4, Article 5, Paragraph 1, Items 1 to 3, or Article 6 of the Regulations, it shall not be included in the cumulative quantity.” This suggests that Data Processors may first deduct the scenarios covered by exemptions under other provisions of the CBDT Regs when calculating the quantity of individuals for the purpose of the De Minimis Exemption. In other words, it seems that exemptions may be stacked together. However, this point remains untested for the De Minimis Exemption.

Exemption 7: Data not on FTZ Negative Lists

Article 6 of the CBDT Regs provides:

Data processors in an FTZ who provide data not included on a Negative List are exempt from the 3 CBDT Paths.

Please note that according to the CBDT Q&A, until an FTZ issues a Negative List, data export activities in an FTZ should be carried out in accordance with national laws and regulations, including the CBDT Regs.

Articles 7 and 8 of the CBDT Regs, as well as Article 5, Paragraph 1, Item 4 that we introduced above, have changed the previous Personal Information quantity thresholds for the 3 CBDT Paths. We summarise these new thresholds below:

Articles 7 and 8 provide that where a conflict exists with Articles 3, 4, 5 and 6, Articles 3, 4, 5 and 6 prevail. Furthermore, as discussed, the CAC has stated for Article 7 that if “it falls under the circumstances specified in Article 3, Article 4, Article 5, Paragraph 1, Items 1 to 3, or Article 6 of the Regulations, it shall not be included in the cumulative quantity.” We understand that this means exemptions and export scenarios should be considered when calculating export quantities for the purpose of Article 7. Moreover, and for internal consistency, it seems that this approach should also apply elsewhere in the CBDT Regs, though this view is presently untested.

Article 9 of the CBDT Regs states that the results of a Security Assessment are valid for 3 years from the date they were issued. It then states that if a Data Processor needs to continue making exports and has not triggered a reassessment, it may seek an extension of the validity period via its local provincial-level CAC “within 60 working days before the expiration of the validity period.” 

Article 10 of the CBDT Regs contains generic compliance requirements for Data Processors conducting data export activities, regardless of whether any of the 3 CBDT Paths would apply or not. However, it explicitly provides the following illustrative examples:

Based on our experience, the above examples tend to be focal points of CAC review during Security Assessment and Standard Contract filings, as well as other types of examination. Therefore, we suggest that Data Processors conducting data export activities should pay close attention to such matters and improve their compliance work in these areas in particular.

Based on our experience, the CAC may become aware of risks to exported data through a number of channels. If the CAC discovers a significant risk in a data export or a data security incident occurs, it may require a Data Processor to take remediation measures to rectify and eliminate any risks. If the Data Processor refuses to take remediation measures or serious consequences are caused, further action may be taken against the Data Processor.

Based on our experience assisting clients with CAC inspections, the CAC is willing to discuss reasonable remediation measures with Data Processors. However, Data Processors need to maintain open communication channels with the CAC and demonstrate a willingness to cooperate with enquiries if they hope to enter meaningful discussions.

The CBDT Q&A explicitly states that “Data Processors may continue to carry out data export activities” if they passed the Security Assessment before the CBDT Regs took effect.

Where a Data Processor failed or partially passed the Security Assessment before the CBDT Regs took effect, it may rely on any applicable reporting exemptions under the CBDT Regs or, if applicable under the CBDT Regs, the Standard Contract or Certification.

Ongoing filings

Where a Security Assessment or Standard Contract filing was initiated before the CBDT Regs were issued, and any alternative CBDT Path or exemptions are now available under the CBDT Regs, a Data Processor may:

The CBDT Regs fine-tune and, to some extent, relax some restrictions on data exports from China. Based on the CBDT Regs, Data Processors in China may be able to mitigate their overall CBDT compliance obligations if they can adjust their processing activities to take full advantage of the exemptions offered by the CAC. This may involve revisiting legal bases, restructuring commercial arrangements, updating their internal policies, and optimising their overall data compliance framework.