
China: New regulations on promoting and regulating cross-border data flows

The Cyberspace Administration of China (CAC) published the Regulations on Promoting and Regulating Cross-border Data Flows (only available in Chinese here) (the Regulations) on March 22, 2024, following their initial request for public comment in October 2023. The Regulations aim to clarify data transfer obligations under the Cyber Security Law (CSL), Data Security Law (DSL), and the Personal Information Protection Law (PIPL) including the data export security assessment, personal information export standard contract, and personal information protection certification. OneTrust DataGuidance provides an analysis of the Regulations with comments provided by Dr. Michael Tan, Partner at Taylor Wessing.


How can organizations determine whether they fall within the scope of the Regulations?

Michael highlights that "these Regulations offer some straightforward criteria for companies to assess if the respective exemption of regulatory and procedural obligations (such as data export security assessment and conclusion of standard contractual clauses) may apply to them. E.g. the exemption will apply to data export which is for the performance of a contract with a data subject, for global HR management based on labor rules or collective labor contract, for protection of data subject's life/health and property safety in emergencies."

Building on the above, the Regulations provide that a data processor that provides personal information overseas is exempt from applying for a data export security assessment, entering into a standard contract, and passing a personal information protection certification if providing the personal information overseas is necessary and:

  • the personal information processing is necessary to enter into and perform a contract to which an individual is party, including cross-border shopping, delivery, remittance, payment, account opening, air ticket and holiday booking, visa processing, and examination;
  • the personal information processing is for cross-border HR management according to labor rules or collective employment contracts;
  • the personal information processing is in an emergency situation to protect the life, health, and property of natural persons; or
  • the aggregated transfer of non-sensitive personal information does not exceed 100,000 individuals since January 1 of that year.

Notably, the personal information above must not include important data.

The Regulations also establish that in the following cases, data processors will be exempt from applying for data export security assessment, entering into personal information export standard contracts, and passing personal information protection certification, namely where:

  • data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, cross-border manufacturing, and marketing are provided overseas and do not contain personal information or important data; or
  • the personal information collected and generated by data processors abroad is transferred to China for processing and then provided abroad, and no domestic personal information or important data is introduced during the processing.

Under the framework of the national data classification and grading protection system, a pilot free trade zone may independently formulate a list of data that requires data export security assessment, personal information export standard contracts, and personal information protection certification management (the Negative List). Consequently, data processors within a pilot free trade zone that provide data outside the Negative List to foreign countries are exempt from applying for data export security assessments, entering into personal information export standard contracts, and passing personal information protection certification.

Importantly, data processors that provide data overseas and meet one of the following conditions must apply to the CAC for a data export security assessment, enter into personal information export standard contracts, or pass personal information protection certification through the provincial level CAC:

  • critical information infrastructure operators (CIIOs) that provide personal information or important data overseas; or
  • data processors other than CIIOs that provide important data overseas, or provide the personal information of more than one million people (excluding sensitive personal information) or the aggregated sensitive personal information of more than 10,000 people since January 1 of that year.

Of equal note, data processors other than CIIOs that have provided the personal information of more than 100,000 people but fewer than one million people (excluding sensitive personal information), or the sensitive personal information of fewer than 10,000 people, since January 1 of that year must conclude a standard contract for the transfer of personal information overseas or pass personal information protection certification.

For organizations falling within the scope of the Regulations, what other privacy requirements will continue to apply to data transfers?

Michael clarified that "the Regulations are mainly addressing applicability of regulatory procedural obligations. All other statutory data protection and privacy requirements under the PIPL, DSL, and even the earlier CSL still remain. These include not only those that read similar under the [General Data Protection Regulation] GDPR context (e.g. good data inventory and governance structure, privacy framework, data protection officer, breach protocol) but also those which bear more Chinese features and specifics such as data classification mechanism, (export) transfer impact assessment, separate consents, onshore data arrangements with business partners, dawn raid protocol."

The Regulations clarify that when data processors provide personal information overseas, they shall perform obligations such as notification, obtaining individual consent, and conducting personal information protection impact assessments in accordance with laws and administrative regulations. In addition, the Regulations explicitly state that when data processors provide data overseas, they must: (i) abide by the provisions of laws and regulations; (ii) fulfil their data security protection obligations; and (iii) take technical measures and other necessary measures to ensure the safety of data exported overseas. To this end, where a data security incident occurs or may occur, remedial measures must be taken and the incident promptly reported to the CAC at or above the provincial level and to other relevant competent authorities.

With regard to data export security assessments, the Regulations clarify that assessment results are valid for three years, starting from the date of issuance of the assessment result. Notably, where data export activities need to continue after the validity period expires and there is no circumstance requiring a fresh data export security assessment, the data processor may apply to the CAC, through the local CAC, for an extension of the assessment within 60 working days before the expiration of the validity period. With the approval of the CAC, the validity period of the assessment results can be extended for three years.

What is the impact of the Regulations for businesses?

Michael noted that "in our view this is quite a U-turn and breakthrough in favor of business, particularly multinational corporations that are operating across different markets. Since the launch of the PIPL and the DSL in 2021, the CAC appeared to take a very stringent approach in regulating cross-border data transmission. This was reflected by the expanded scoping of regulated export activities as well as ambiguities under the respective CAC rules, resulting in quite some regulatory burden or uncertainties for companies to share data from China with the other parts of their operation around the world. These Regulations now provide for good clarity as regards what data export shall trigger regulatory procedures and what not. It is foreseeable that most companies may no longer be required to undergo governmental filing or approval procedures before they could export data out of China, though other statutory data protection obligations (where many are quite similar to those under GDPR) still remain to be abided by.

It is interesting to see that the two words "promoting" and "regulating" changed places when the Regulations were officially launched. Such a slight change in title actually indicates a quite big change of the PRC regulators' stance. Before the Regulations, any data export from the PRC always went with high sensitivity due to ambiguities in the scoping of exports that shall follow the regulatory compliance routes (i.e. export security assessment or standard contractual clauses filing). Such ambiguities further resulted in broad application of the respective regulatory procedures, which, due to insufficient manpower of the regulators, caused delay in completion of these procedures as well as unnecessary regulatory exposure of companies.

This picture has now changed, as companies now have much clearer guidance as regards when they need to resort to regulatory procedures to enable data export, and the chance of triggering such procedures is obviously reduced substantially for most companies now."

What next?

The Regulations entered into force on their promulgation. Where the provisions of the Data Transfer Security Assessment Measures (only available in Chinese here) and the Standard Contract Measures for Personal Information Export (only available in Chinese here) are found to be inconsistent with the provisions of the Regulations, the provisions of the Regulations will apply.

Harry Chambers, Senior Privacy Analyst

With comments provided by:

Dr. Michael Tan, Partner, Taylor Wessing, Shanghai
