China’s New Rules for Cross-Border Data Transfer: What Changes are Brought to the Existing Regulatory Regime

14 May 2024 | Private law, Legislation 立法

by Ruoxin SU, Research Associate at Institute of Chinese Law, PhD Candidate at Vrije Universiteit Brussel, Belgium

1. Regulatory Landscape Governing Cross-Border Data Transfer (CBDT) under Chinese Law

In an increasingly interconnected world, the flow of data across borders has become a cornerstone of global business operations. Following the “Brussels effect” brought by the General Data Protection Regulation (“GDPR”) of the European Union (EU) in 2018,[1] China accelerated its legislative process in data protection and enacted the Personal Information Protection Law (“PIPL”)[2] and the Data Security Law (“DSL”)[3] in 2021. It is widely believed that the PIPL and the DSL constitute the two pillars of China’s emerging data protection framework. Under this framework, the regulatory landscape governing cross-border data transfer (CBDT) in China is undergoing significant evolution. China has developed its own unique rules for CBDT, drawing inspiration from the EU while introducing innovations distinct from other jurisdictions, presenting both challenges and opportunities for businesses operating within its borders.

China’s approach to cross-border data transfer regulation is primarily shaped by several key pieces of legislation, including the Cybersecurity Law (“CSL”),[4] the PIPL and the DSL. These laws collectively establish a comprehensive framework for the protection of personal information and non-personal important data within China’s jurisdiction. The Cyberspace Administration of China (CAC),[5] as the competent regulator and an active rule maker in cyber governance, has in recent years promulgated many departmental rules to support the implementation of these high-level laws. In the realm of CBDT, it has formulated the Measures on Data Export Security Assessment (“Security Assessment Measures”),[6] the Measures on Standard Contracts for the Export of Personal Information (“Standard Contract Measures”),[7] and the Implementation Rules for Personal Information Protection Certification (“Implementation Rules for PI Certification”).[8] In addition, mandatory and voluntary national standards published by the National Information Security Standardization Technical Committee of China (briefly referred to as “TC260”) also play an important role in providing specific guidance for CBDT in practice, such as the Practice Guidelines for Cybersecurity Standards – Technical Specification for the Certification of Cross-Border Processing of Personal Information (“Technical Specification for PI Certification”).[9]

On 22 March 2024, the CAC issued the Provisions on Promoting and Regulating Cross-border Data Transfers (“New CBDT Provisions”),[10] the draft of which had been released six months earlier for public comments. The New CBDT Provisions aim to specify and optimize the existing mechanisms for cross-border data transfer for the sake of greater economic value, and are expected to ease the compliance burden related to cross-border data transfer for businesses.

The following graph presents an overview of the existing regulatory landscape governing CBDT in China. 

The existing regulatory landscape for CBDT in China presents several distinctive characteristics, especially when compared to the one shaped by the GDPR in the EU. Both personal data and non-personal data are explicitly covered by this comprehensive but complex regulatory framework, with different levels of protection based on the data’s importance and potential impact on national security. While drawing inspiration from certain CBDT mechanisms provided in the GDPR, China has developed a different, government-led mechanism of security assessment for transferring data abroad, especially for the critical data defined under Chinese law. In addition to the powerful cyber regulator, the CAC, multiple other regulatory bodies are competent to intervene in CBDT issues in special situations provided by law, such as the cross-border provision of data to foreign law enforcement agencies or the export of data related to human genetic resources.

2. Mechanisms for CBDT 

China’s regulatory framework for CBDT has established three mechanisms for the legal transfer of data to other countries and regions, i.e., the security assessment for data export (“security assessment”), the standard contract for personal information export (“standard contract”), and the certification for personal information protection (“certification”).[11] In terms of applicability, the security assessment mechanism takes priority over the other two mechanisms if the mandatory obligation to submit an assessment to the CAC is triggered under the Security Assessment Measures. Accordingly, each of these CBDT mechanisms has its own applicable scope and its own set of administrative obligations for companies.

Security Assessment Mechanism

The security assessment mechanism is a critical part of China’s approach to managing CBDT, especially for data that may impact national security or public interests. It was first established by Article 37 of the CSL, which provides that personal information and critical data collected and generated during the operations of a critical information infrastructure operator (“CIIO”) within the mainland territory of China shall in principle be stored within mainland China. If it is truly necessary to provide such data outside the mainland due to business needs, the CIIO shall conduct a security assessment following the measures jointly formulated by the CAC and the relevant departments of the State Council.[12] The DSL reiterates this CBDT mechanism for CIIOs and further provides that critical data collected and generated by other data processors shall also follow the measures jointly formulated by the CAC and the relevant departments of the State Council.[13] Regarding the cross-border transfer of personal information due to business needs, passing the security assessment is a mandatory requirement for both CIIOs and personal information processors whose processing of personal information reaches the number prescribed by the CAC, unless otherwise provided by laws, administrative regulations, or rules formulated by the CAC.[14]

The Security Assessment Measures, effective on 1 September 2022, further reveal how the security assessment mechanism is operated by the regulator and how companies should act to perform the security assessment if they trigger such an obligation. Specifically, the Security Assessment Measures clarify the application scope of this mechanism in the CBDT context, the procedure for a security assessment, the focus areas of the assessment, the legal documents required for the assessment, the results of a security assessment and the circumstances requiring a reapplication for a security assessment. To better help data processors perform the security assessment obligation, the CAC published the Guidelines for Data Export Security Assessment Declaration (“Guidelines for Security Assessment”)[15] and provided templates of the legal documents required for the assessment on 31 August 2022.

According to the Security Assessment Measures, a data processor who transfers data overseas in any of the following situations shall submit a data export security assessment to the CAC: (a) the data processor transfers important data overseas; (b) the data processor is a CIIO; (c) the data processor processes the personal information of more than 1 million persons; (d) the data processor has exported the personal information of more than 100,000 persons in aggregate or the sensitive personal information of more than 10,000 persons in aggregate since 1 January of the previous year; or (e) other circumstances subject to a security assessment as required by the CAC.[16] The Guidelines for Security Assessment further clarify that the activity of data export includes any of the following circumstances: (a) a data processor transfers or stores overseas the data collected and generated in its domestic operations; (b) data is generated and stored in China, and overseas organizations or individuals can query, download or export such data; and (c) other activities as stipulated by the CAC.

Standard Contract Mechanism

The standard contract mechanism is designed to facilitate CBDT while ensuring that the personal information of Chinese residents is adequately protected, mirroring data protection practices seen in regions like the EU. It is one of the recognized mechanisms for the legal transfer of personal information outside of China under Article 38 of the PIPL. Following the implementation of the security assessment mechanism in 2022, the CAC further clarified the standard contract mechanism by issuing the Standard Contract Measures as well as the Standard Contract for Personal Information Export (“Standard Contract”) template in 2023. Compared to the security assessment, the standard contract mechanism provides a standardized approach that can simplify the legal preparations for international transfers of personal information and ease the compliance burden for companies. 

A Standard Contract, to be entered into by the data exporter and the overseas data recipient, mainly governs the details of the personal information to be transferred, the responsibilities and obligations of both parties, the rights of personal information subjects, the impact that local policies and regulations on the protection of personal information in the overseas recipient’s country/region may have on compliance with the Standard Contract, and other aspects such as remedies, termination of contract and dispute resolution. It does not exclude additional clauses agreed between the data exporter and the overseas data recipient, as long as such clauses do not contradict the provisions of the Standard Contract. Notably, the standard contract mechanism entails an administrative obligation to file the Standard Contract with the local CAC agencies, along with the personal information protection impact assessment report, even though entering into a contract is considered an act within the private law domain.

The standard contract mechanism can apply to the activities of transferring personal information internationally that do not reach any of the statutory thresholds of the security assessment mechanism. Specifically, a personal information processor who decides to use a Standard Contract as the legal basis of its provision of personal information to the overseas data recipient shall collectively meet the following conditions: (a) it is not a CIIO; (b) it does not process the personal information of more than 1 million persons; (c) it has not exported the personal information of more than 100,000 persons in aggregate or the sensitive personal information of more than 10,000 persons in aggregate since 1 January of the previous year; and (d) laws and administrative regulations do not provide otherwise regarding the applicability of the standard contract mechanism.[17]

Certification Mechanism

Beyond the security assessment mechanism and the standard contract mechanism, a personal information processor may rely on a personal information protection certification issued by an accredited body according to the CAC’s rules to legally transfer personal information abroad for its business needs.[18] This mechanism is mainly supported by the Implementation Rules for PI Certification issued by the CAC on 4 November 2022 and the Technical Specification for PI Certification updated by the TC260 on 16 December 2022. Though the Technical Specification for PI Certification is intended to implement the certification mechanism as one of the three channels provided in the PIPL for the cross-border transfer of personal information, it characterizes the certification as voluntary in nature, and all qualified companies are encouraged to adopt this mechanism to improve CBDT compliance.[19] By obtaining the personal information protection certification, certified companies are presumed to provide adequate protection for the personal information they process and transfer overseas, which may also enhance trust among personal information subjects and regulators.

The Technical Specification for PI Certification outlines the basic principles and requirements that the personal information processor and the overseas recipient should adhere to when engaging in cross-border processing of personal information, covering aspects such as legally binding documents, organizational arrangements for personal information protection work, personal information protection impact assessment and safeguards for personal information subject rights. Similar to the applicable scope of the standard contract mechanism, the certification mechanism can be an alternative compliance route for companies transferring personal information outside of China where the security assessment obligation is not triggered. Particularly, the Technical Specification for PI Certification mentions the typical scenario of intragroup cross-border transfer of personal information among affiliates within the same multinational company or the same economic organization, where the domestic affiliate shall be the applicant for the personal information protection certification. 

It is important to note that the above three CBDT mechanisms do not apply to certain special scenarios where national security considerations take an overwhelming position over other types of interests. Such exceptional scenarios are usually governed by other laws and administrative regulations that prevail over the data protection regime, including, for example, the cross-border provision of evidence data to foreign judiciary or law enforcement, data subject to export control requirements, and human genetic resource information.

3. Major Changes Introduced by New CBDT Rules

Based on the CBDT regulatory framework established by the CSL, the DSL and the PIPL, the Provisions on Promoting and Regulating Cross-border Data Transfers (“New CBDT Provisions”) introduce a series of changes to optimize and further clarify the implementation of the CBDT mechanisms. Where the New CBDT Provisions are inconsistent with the existing CBDT rules in the Security Assessment Measures and the Standard Contract Measures, the New CBDT Provisions prevail and replace the previous rules.[20] The New CBDT Provisions are expected to ease the compliance burden related to CBDT for businesses through measures such as providing exemptions from the security assessment obligation, clarifying the applicable scope of each mechanism, and streamlining administrative procedures.

Introducing New Exemptions from CBDT Mechanisms

Where the cross-border transfer of data does not involve domestic personal information or critical data, the New CBDT Provisions exempt the following two groups of activities from going through a security assessment, a Standard Contract or a personal information protection certification: (a) common cross-border business activities, such as international trade, cross-border transportation, transnational production and manufacturing, marketing and academic cooperation;[21] and (b) the cross-border provision of personal information that is collected and generated outside of China and transmitted to domestic locations for processing, without introducing domestic personal information or important data.[22] In practice, the second circumstance is common for enterprises that provide services to overseas markets, such as providing cloud services and building cross-border data centers in China, which does not impact the data rights and interests of individuals within China.

Even where the cross-border provision of data includes the personal information of individuals in China, there are still several circumstances that are exempted from going through the three CBDT mechanisms. Specifically, the New CBDT Provisions introduce the following exemptions: (a) where it is necessary to share personal information with overseas entities for the purpose of establishing and performing contracts involving such individuals, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing and examination services; (b) where it is necessary to provide the personal information of employees to overseas entities for the implementation of international human resource management based on labor regulations and collective contracts signed in accordance with the law; (c) where it is necessary to provide personal information abroad to protect the life, health and property safety of individuals in an emergency; and (d) where the data processor is not a CIIO and has transmitted the personal information of fewer than 100,000 individuals to overseas entities since 1 January of the current year, and such information does not contain sensitive personal information.[23]

Adjusting Thresholds of Triggering the Security Assessment Mechanism

One of the major changes introduced to the current CBDT regulatory landscape is the adjustment of the thresholds for triggering the security assessment procedure. The New CBDT Provisions provide the following two situations in which it is mandatory to submit a security assessment application to the CAC, simplifying Article 4 of the Standard Contract Measures: (a) where a CIIO provides personal information or critical data to overseas entities; and (b) where a data processor that is not a CIIO provides critical data to overseas entities, or provides the personal information of more than 1 million persons in aggregate or the sensitive personal information of more than 10,000 persons in aggregate since 1 January of the previous year.[24] In particular, the exemptions established in Articles 5 and 6 of the New CBDT Provisions are considered first if a CBDT activity falls under both an exemption and a situation subject to the security assessment mechanism.

Optimizing Administrative Procedures for the Security Assessment Mechanism

According to the Security Assessment Measures, the result of a security assessment is valid for 2 years from the date on which the CAC issues it, and the data processor shall re-apply for the assessment 60 working days before the expiration of the validity period.[25] The New CBDT Provisions extend the validity period of the security assessment from 2 years to 3 years and allow data processors to apply for an additional 3-year extension of the assessment results if their CBDT activities do not need to be re-evaluated.[26] This aims to ease the compliance burden of companies that rely on the security assessment to conduct CBDT in the long term, on the condition that the security of the exported data is not affected by changes in the way the data is processed or in the data protection environment of the overseas recipient’s country or region.

Clarifying the Identification of Critical Data

The cross-border transmission of critical data, whether by CIIOs or other data processors, must go through the security assessment conducted by the CAC. Currently, the criteria to identify and define critical data are mainly established in national standards, such as the Data Security Technology – Rules for Data Classification and Grading published by TC260 in March 2024.[27] Many sectors and regions are still developing detailed catalogues of critical data within their sector or region in accordance with the DSL, which leaves the boundary of critical data ambiguous and increases the compliance burden of companies. The New CBDT Provisions address this issue by providing that if the data has not been notified or publicly announced as critical data by the relevant departments or regions, the data processor does not need to submit a data export security assessment on the ground of critical data.[28] This aims to reduce uncertainty for companies when identifying critical data and performing the corresponding security protection obligations, further facilitating CBDT in business.

Special CBDT Rules within Free Trade Zones

The New CBDT Provisions specifically provide that free trade zones have the authority to develop their own lists of data that require a security assessment, a Standard Contract or a personal information protection certification. Such special lists applicable within free trade zones can be briefly referred to as Negative Lists and must be approved by the provincial branch of the CAC. Conversely, the cross-border transfer of data that is not included in the Negative Lists can be exempted from these CBDT mechanisms.[29] In this sense, data processors located in free trade zones may enjoy extra exemptions from CBDT procedures based on the Negative Lists to be formulated in the future.

4. Reflections under New CBDT Rules

Since the implementation of the CBDT mechanisms in 2022, particularly the security assessment mechanism, many practical uncertainties and difficulties have emerged for companies without sufficient explanation from the regulator. In particular, the data export security assessment mechanism has sparked controversy due to its stringent yet ambiguous thresholds, non-transparent process, and high assessment costs for companies. It has gradually been recognized that the thresholds triggering the security assessment obligation are relatively low and inflexible, which produces a kind of “chilling effect” on companies and indirectly results in a wide application of the security assessment mechanism. Observing the CAC’s practice in handling applications for security assessment, the administrative procedure of this mechanism tends to be bureaucratic in the paperwork required, slow in the announcement of review results and non-transparent in the CAC’s decision-making criteria. As for the Standard Contract mechanism, there is still only a limited number of cases available for assessing its functioning, given the short observation period of less than a year since its inception. As a parallel approach to the Standard Contract, the certification mechanism does not seem to show significant advantages in terms of cost burden, efficiency and compliance requirements, leaving multinational companies little incentive to choose it as the legal basis for the cross-border transfer of personal information.

Taking the difficulties found in the implementation of the CBDT mechanisms into consideration, the New CBDT Provisions serve to reshape and refine China’s CBDT regulatory landscape, which covers both personal data and non-personal data. The new exemptions show the regulator’s active reflection on the past two years of exploratory implementation of the CBDT mechanisms. For example, multinational companies usually conduct intragroup human resource management on a global scale, resulting in the cross-border transmission of employees’ personal information to countries outside of China. This is seen as a common practice necessary for the internal personnel management of the Chinese affiliates of many multinational companies, yet it usually caused an extra compliance burden under the security assessment procedure. The adjusted CBDT regulatory framework exempts this usual scenario from the security assessment and from the CBDT mechanisms altogether, as it does other common business activities that require highly frequent transmission of personal information abroad. This not only further facilitates the cross-border flows of data necessary for business activities in a general sense, but also demonstrates the regulator’s active effort to strike a better balance between the digital economy and security considerations. It can be anticipated that China’s governance approach to CBDT is maturing by incorporating further feasible adjustments in line with actual business needs, while the functioning of these new rules still requires time for observation.


[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), available at https://eur-lex.europa.eu/eli/reg/2016/679/oj

[2] Personal Information Protection Law of the People’s Republic of China (<中华人民共和国个人信息保护法>), available at https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm

[3] Data Security Law of the People’s Republic of China (<中华人民共和国数据安全法>), available at http://www.npc.gov.cn/c2/c30834/202106/t20210610_311888.html

[4] Cybersecurity Law of the People’s Republic of China (<中华人民共和国网络安全法>), available at http://www.npc.gov.cn/zgrdw/npc/xinwen/2016-11/07/content_2001605.htm

[5] Cyberspace Administration of China, https://www.cac.gov.cn

[6] Measures on Data Export Security Assessment (<数据出境安全评估办法>), available at https://www.gov.cn/zhengce/zhengceku/2022-07/08/content_5699851.htm

[7] Measures on Standard Contracts for the Export of Personal Information (<个人信息出境标准合同办法>), available at https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm

[8] Implementation Rules for Personal Information Protection Certification (<个人信息保护认证实施规则>), available at https://www.cac.gov.cn/2022-11/18/c_1670399936983876.htm

[9] Practice Guidelines for Cybersecurity Standards – Technical Specification for the Certification of Cross-Border Processing of Personal Information (<网络安全标准实践指南—个人信息跨境处理活动安全认证规范V2.0>), available at https://www.tc260.org.cn/front/postDetail.html?id=20221216161852

[10] Provisions on Promoting and Regulating Cross-border Data Transfers (<促进和规范数据跨境流动规定>), available at https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm

[11] Article 38 of the PIPL

[12] Article 37 of the CSL

[13] Article 31 of the DSL

[14] Articles 38 and 40 of the PIPL

[15] Guidelines for Data Export Security Assessment Declaration (<数据出境安全评估申报指南(第一版)>), https://www.cac.gov.cn/2022-08/31/c_1663568169996202.htm

[16] Article 4 of the Security Assessment Measures

[17] Article 4 of the Standard Contract Measures

[18] Article 38 of the PIPL

[19] Article 4(f) of the Technical Specification for PI Certification

[20] Article 13 of the New CBDT Provisions

[21] Article 3 of the New CBDT Provisions

[22] Article 4 of the New CBDT Provisions 

[23] Article 5 of the New CBDT Provisions

[24] Article 4 of the New CBDT Provisions

[25] Article 14 of the Security Assessment Measures

[26] Article 9 of the New CBDT Provisions

[27] Data Security Technology – Rules for Data Classification and Grading (<GB/T 43697-2024数据安全技术 数据分类分级规则>), available at https://www.tc260.org.cn/front/postDetail.html?id=20240321201412

[28] Article 2 of the New CBDT Provisions

[29] Article 6 of the New CBDT Provisions

Suggested citation: Cardillo I., [Title], in Istituto di Diritto Cinese, [date], available at […]
