China: Cyberspace Administration of China Issued Regulations on Promoting and Standardizing Cross-Border Transfer of Data

On 22 March, the Cyberspace Administration of China issued the Regulations on Promoting and Standardizing Cross-Border Transfer of Data (the “Regulations“), which will take effect from the date of their publication. The Regulations consist of fourteen articles and provide clear guidelines for data processors.

Under specific circumstances outlined in the Regulations, data processors are exempt from certain requirements related to data export procedures. These exemptions include:

1. Cross-border transfer of personal information for the purpose of entering into or performing contracts where the individual is a party, such as cross-border shopping, international shipping, remittances, cross-border payments, overseas account opening, flight and hotel bookings, visa processing, and examination services.
2. Cross-border management of human resources in compliance with employment regulations and collective contracts.
3. Emergency situations where it is necessary to transfer personal information abroad to protect the life, health, and property of individuals.
4. Data processors, excluding operators of critical information infrastructure, who have cumulatively transferred personal information (excluding sensitive personal information) to overseas recipients in quantities below 100,000 individuals since January 1st of the current year.

Furthermore, as a special geographical system, Free Trade Zones are authorized to establish their own negative lists. For data outside the negative list, it can be freely transferred abroad without the need to fulfil data export procedures.

Key Action Points

According to the Regulations, domestic companies that provide employees’ personal information to their overseas headquarters may be exempt from fulfilling data export procedures. However, employers are still required to comply with the provisions of the PRC Personal Information Protection Law. It is advisable for employers to establish an internal policy that informs employees about various aspects, such as the name or identity of the overseas recipients, their contact information, the purpose and method of processing, the types of personal information involved, and the procedures and methods for individuals to exercise their legal rights with regard to the overseas recipients. Additionally, employers shall also obtain individual consent separately and conduct a personal information protection impact assessment accordingly.