China: Cyberspace Administration of China Issued the Provisions on Regulating and Promoting Cross-border Data Flow (Exposure Draft)
Authors: Carol Zhu and Lynsey Liu
On 28 September 2023, the Cyberspace Administration of China released the Provisions on Regulating and Promoting Cross-border Data Flow (the “Provisions”) in accordance with the Personal Information Protection Law of the People’s Republic of China and other laws and regulations, for which public comments are sought now.
According to the Provisions, if the data to be transferred abroad generated in such activities as international trade, academic cooperation, transnational manufacturing, and marketing does not contain personal information or important data, there is no need to apply for a security assessment or execute a standard contract. Similarly, if the data has not been informed or publicly announced as important data, a security assessment is not required. The Provisions also state that personal information collected or generated outside of China does not require a security assessment or a standard contract for its provision abroad.
As long as it is proven that personal information to be provided abroad is for contract fulfilment or for human resources management according to lawfully made internal rules or collective employment contracts, or to protect the life, health, and property safety of individuals in emergencies, it is not required to apply for security assessment for data to be provided abroad, to conclude a standard contract for personal information to be provided abroad, or to pass the certification for personal information protection. The Provisions also include criteria for different thresholds of data provision, with lower requirements for smaller amounts of data.
Key Action Points
The Provisions provide a clear regulatory framework and practical guidance on cross-border data flow by casting light on situations where cross-border data flow can be fully or partially exempted from the procedural prerequisites. Transnational enterprises with practical needs for cross-border transmission of employee personal information may pay continuous attention to the progress of the Provisions and perfect internal rules to fulfil the requirements.