China’s cross-border data transfer regulations have been relaxed for the first time after the country issued a series of cybersecurity and personal data protection laws that imposed strict conditions on cross-border data transfers, raising concerns among companies doing business in China and abroad.

On 23 March 2024, the Cyberspace Administration of China (“CAC”), China’s central cybersecurity and data protection authority, published the final, official version of the “Provisions to Facilitate and Regulate Cross-Border Data Flow” (“Regulation”). The CAC had published the draft version of the Regulation for public consultation on 28 September 2023, which indicated a trend towards easing the conditions for cross-border data transfers and was therefore eagerly awaited by businesses.

What has changed with the new Regulation?

Prior to the Regulation, under the Personal Information Protection Law and the implementing rules issued by the CAC, for each cross-border data transfer, the data exporter located in China was required to

  • undergo a security assessment with the CAC if certain conditions are met; or
  • enter into the Standard Contractual Clauses (“SCCs”) issued by the CAC with the data importer in the third country; or
  • obtain data protection certification from a qualified certification centre.

In practice, this means that all foreign-invested enterprises in China, which typically transfer some human resources or customer contact data to headquarters or sister companies outside China, must at least sign the Chinese SCCs. This also applies to any use of service providers outside China. In addition, the signed SCCs have to be registered with the CAC, which has been acknowledged to be burdensome for both the companies and the CAC.

When are SCCs not required?

Following the adoption of the Regulation, security assessments, privacy certifications and SCCs are no longer required in the following cases:

  • When it is necessary to provide personal data outside the country for the purpose of entering into and performing contracts to which the individual is a party, such as cross-border shopping, cross-border mail, cross-border transfers, cross-border payments, cross-border account opening, air ticket and hotel reservations, visa applications and examination services;
  • When the provision of personal data of employees outside the country is necessary for the implementation of cross-border human resources management in accordance with labour rules and policies formulated in accordance with the law or collective contracts signed in accordance with the law;
  • When the provision of personal data outside the country is necessary to protect the life, health and property of natural persons in case of emergency;
  • When data handlers other than critical information infrastructure operators have cumulatively transferred less than 100,000 individuals’ personal data (excluding sensitive personal data) outside China since 1 January of the current year.

The above-mentioned personal information provided abroad must not include sensitive data.

As a result, small and medium-sized enterprises that transfer only some employee data and customer data of less than 100,000 data subjects will be completely exempt from the security assessment and SCC obligations.

Data controllers still have to comply with other obligations

However, this does not affect other obligations of data controllers for cross-border data transfers, such as providing information to data subjects, obtaining explicit consent, and conducting a privacy impact assessment in accordance with the Personal Information Protection Law. These obligations are expected to become the focus of future compliance and enforcement activities.

Of course, operators of critical infrastructure and transfers of important data, as well as transfers of personal data of more than 100,000 individuals, are still required to sign the SCCs or undergo a security assessment, depending on the specific case.

Overall, this regulation has provided more legal certainty on the cross-border data transfer regime in China and will ease the burden on many companies when transferring personal data from China to a third country.