China: Recent developments in cross-border data transfer requirements

On October 15, 2023, the public comment period closed for the Cyberspace Administration of China's (CAC) draft Provisions on Regulating and Promoting Cross-Border Data Flows (the Draft Provisions). In this Insight article, Kate M. Growley, Evan Y. Chuck, Zhiwei Chen, and Christiana State, from Crowell & Moring LLP, explore existing mechanisms in place and how the Draft Provisions could affect companies' data transfer obligations.


If finalized as proposed, the Draft Provisions would significantly ease the triggering conditions for security assessments, Standard Contractual Clauses (SCCs), and security certifications by proposing a series of exemptions for transfers that are currently subject to China's data transfer restrictions. In recent years, these restrictions have been challenging for multinational companies operating in China, particularly when engaging in cross-border transfers of data from sales and customer relations, enterprise resource management, manufacturing, human resource management, or other data. As a result, many companies have found it difficult to comply with or fully understand the scope of Chinese data transfer restrictions.

Existing cross-border data transfer mechanisms

Under existing law in the People's Republic of China (PRC), a company is required to implement one of the following three cross-border data transfer mechanisms (CBDT Mechanisms) before any personal information, sensitive personal information, or 'important data' is transferred out of mainland China:

  • passing a security assessment;
  • entering into a standard contract with a foreign data recipient in accordance with SCCs published by the CAC; or
  • obtaining a security certification by a third-party certification institution designated by the CAC.

Currently, a CAC security assessment is generally triggered in the following circumstances:

  • the data exporter is a critical information infrastructure operator (CIIO), which is broadly defined as an operator of critical network facilities or information systems in important industries (such as finance, energy, or transportation), where destruction, loss of function, or data leakage may seriously endanger China's national security, people's livelihood, or the public interest;
  • the data exporter has processed the personal information of more than one million individuals (Mass Processor);
  • the data transferred is important data, generally defined as data for which its transfer may endanger national security, economic operation, social stability, or public health and safety; or
  • since January 1 of the previous year, the data exporter has made aggregated transfers of personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals.

A company may choose to use SCCs or security certification for other data transfers that do not trigger the CAC security assessment.

Exemptions from implementing CBDT Mechanisms

Under the Draft Provisions, a company would be exempted from adopting any of the CBDT Mechanisms in the following circumstances:

  • No transfer of personal information or important data: The Draft Provisions state that if no personal information or important data is transferred during the course of international trade, academic cooperation, cross-border manufacturing and production, or marketing activities, then none of the CBDT Mechanisms are triggered. Notably, a company would only need to apply for the CAC security assessment when it transfers important data, if a sectoral or local regulator has informed the company that the data actually qualifies as important data, or the data falls within any of the important data lists published by the Chinese regulators. This exemption addresses a key concern for multinational companies. Under the existing regulations, the data processor is responsible for determining whether its information qualifies as important data, yet very limited guidance exists on how to make these determinations.
  • Transfer of personal information collected or generated outside of China: If the data transferred outside of China is not originally collected or generated in China, the transfer will not be subject to any of the CBDT Mechanisms.
  • Necessary for entering into or performing a contract: A company is exempted from the CBDT Mechanisms if the proposed transfer of personal information is necessary for entering into or performing a contract to which the company is a party. Examples provided under the Draft Provisions include, without limitation: cross-border e-commerce, cross-border payments, flight and hotel bookings, and visa applications. This carve-out will be welcomed by companies such as e-commerce retailers, online travel agencies, booking service providers, and financial institutions that regularly need to move data globally to fulfill their contractual obligations.
  • Necessary for human resource management: Transfer of employees' personal information necessary for the implementation of HR management, where such transfer is in accordance with the company's employment policies or a collective employment contract, is exempted from the CBDT Mechanisms. However, the scope of this exemption still depends on how broadly the CAC interprets what transfers are 'necessary.' According to Article 8 of the Draft Provisions, transfer of sensitive personal information is still subject to the requirements of relevant laws, regulations, or departmental rules, which seems to indicate that transfers of employees' sensitive personal information (e.g., bank account or health information) may not qualify for this exemption.
  • Necessary for protecting vital interests: Transfer of personal information necessary for protecting the health and 'property safety' of a natural person in an emergency is exempted from any of the CBDT Mechanisms.

New CAC security assessment threshold

The Draft Provisions would significantly increase the threshold for the CAC security assessment – from 100,000 to one million individuals. The Draft Provisions would also change the previous approach, from focusing on 'cumulative' volume of personal information that has been transferred out of China since January 1 of the previous year, to focusing on 'expected' volume of personal information that will be transferred out of China within the calendar year. However, the Draft Provisions remain silent on what will happen if a company exceeds the expected amount in a given year or how original estimates should be made.

Under these new calculations, if a company transfers the personal information of more than one million individuals, a CAC security assessment will be triggered. Another layer down, if the volume of data a company expects to transfer out of China within a year is between 10,000 and one million individuals, it needs to enter into SCCs or undergo a security certification, but not undergo a CAC security assessment. At the far end of the spectrum, the company is not required to complete any of the CBDT Mechanisms if it expects to transfer personal information of less than 10,000 individuals within a year. An overview of this potential scheme is shown below.

Image source: Crowell & Moring LLP

'Negative list' for companies in pilot free trade zones

The Draft Provisions would authorize pilot free trade zones (Pilot FTZs) to develop a 'negative list' for categories of data. When transferring data out of a Pilot FTZ to other jurisdictions, a company would be required to use a CBDT Mechanism only if the data fell on the Pilot FTZ's 'negative list.' Currently, there are more than 20 Pilot FTZs in different cities across mainland China, such as Shanghai, Beijing, Shenzhen, Guangzhou, and Xiamen, though none have yet drafted their negative lists.

This framework echoes the recent Opinions of the State Council on Further Optimizing the Foreign Investment Environment and Increasing the Efforts to Attract Foreign Investment, which call for the issuance of a 'list of general data' that could be freely transferred out of China without adopting any of the CBDT Mechanisms.

Other developments

Recently, certain progress has been made within the 'Greater Bay Area' (GBA), which includes the southeastern Chinese province of Guangdong and the Special Administrative Regions of Hong Kong and Macau. On June 29, 2023, before the release of the Draft Provisions, the CAC and the Innovation, Technology and Industry Bureau of Hong Kong (HKITIB) signed the Memorandum of Understanding to Facilitate Cross-border Data Transfer Within the Guangdong-Hong Kong-Macau Greater Bay Area. This memorandum addresses the introduction of implementing rules aimed at reducing the significant challenges of managing the transfer of data from mainland China to Hong Kong, which is currently subject to the CBDT Mechanisms. More recently, on November 30, 2023, Shenzhen and Hong Kong jointly launched a verification platform for cross-border data transfers. In its first phase, the platform is expected to apply to cross-border data transfers in the finance sector. The Bank of China and the Bank of East Asia will be among the first batch of financial institutions to use the platform.

On November 2, 2023, the PRC Ministry of Finance and the CAC jointly issued the Interim Measures for Data Security Management of Accounting Firms (the Interim Measures) for public comment. The comment period is open through December 11, 2023. The Interim Measures represent the latest efforts to enhance the regulation of transfers of accounting data to foreign regulatory authorities. The Interim Measures would, among other things, require that audit working papers and related data be stored within China, and would not permit backups of that data to be stored outside of China. If any audit working papers need to be transferred outside of China, the accounting firm would need to get approval from the Chinese government first. The Interim Measures would apply to accounting firms that provide audit services for listed companies, non-listed state-owned financial institutions, and central-government-owned enterprises, as well as accounting firms engaged in a cross-border auditing business.

Observations

Taken together, the Draft Provisions, the recent Greater Bay Area initiative, and accounting firm Interim Measures demonstrate that China is trying to strike a balance between enhancing data security and promoting data-driven economic growth by easing restrictions on cross-border data transfers. If adopted in their current form, the Draft Provisions would reduce the burden for companies that would otherwise be subject to a CBDT Mechanism when transferring data.

However, the Draft Provisions would not exempt companies from other obligations under existing PRC data protection law, such as obtaining separate consent from relevant data subjects where consent is the legal ground of the processing.

It is unclear when the Draft Provisions will be finalized. Until final rules arrive, companies should continue evaluating the needs for security assessments, SCCs, or security certifications, and revisit their previous analyses based on the changes introduced in the Draft Provisions. Finally, companies should continue to closely monitor their regional (e.g., GBA or other FTZs) and sectoral (e.g., accounting) legislative or enforcement developments.

Kate M. Growley C&M International Director
Evan Y. Chuck Partner
Christiana State Senior Counsel
Zhiwei Chen Counsel
Crowell & Moring LLP, Hong Kong and San Francisco
