China: China's New Draft Provisions To Regulate And Promote Cross-Border

On September 28th, 2023, the Cyberspace Administration of China (“CAC”), China's data protection regulator, released for public comment a draft Provisions on Regulating and Promoting Cross-Border Data Flows (“Draft Provisions”). The term to collect public comments ends on October 15, 2023.

Under the current regulation of China on data cross-border flow, data processors outbound transferring data should apply for CAC's security assessment (“Security Assessment”), or file for record with the provincial office of the CAC the Chinese standard contractual clauses they sign with the foreign data recipients (“Standard Contract”), or obtain the personal information protection certification(“Certification”).

The Draft Provisions attempt to provide clarity and exemptions to the current data outbound transfer administrative regulation. The contemplated exemptions try to address concerns of foreign investors about the uncertainty created in the existing provisions and the enforcement of the Security Assessment, the Standard Contract, and the Certification. Although there are questions remained to be answered, such an effort is plausible because it inclines to normalize China's regulation on data cross-border flow and align it with the mainstream practice of the world. We encourage our readers to share their comments about the Draft Provisions with the CAC before the expiration of the public comment term.

In particular, the clarifications and the exemptions in the Draft Provisions include:

(1) where there is no individual notice or public announcement from the competent regulators or the local authorities determining the important data in the data that is being transferred by a data processor, the data processor can deem that it does not transfer any important data;

(2) a data processor needs not to go through any of the regulatory mechanisms for data cross-border transfer when it transfers data in the circumstances of international trade, academic cooperation, transnational manufacture, and marketing, and such data do not include personal information or important data;

(3) a data processor needs not to go through any of the regulatory mechanisms for data cross-border transfer when it transfers personal information that is not generated or collected within the territory of China;

(4) a data processor needs not to go through any of the regulatory mechanisms for data cross-border transfer when it transfers the personal information [of its contractual counterparties] that is necessary to conclude or perform contracts with the counterparties who are individuals, or when it transfers its employees' personal information that is necessary for human resource management according to the labor rules and policies formulated under the Chinese law and the collective labor contracts, or when it transfers in emergencies personal information that is necessary for the protection of the life, the health and the property security of the individuals;

(5) a data processor needs not to go through any of the regulatory mechanisms for data cross-border transfer when it estimates that it will transfer personal information of less than 10,000 individuals in a year;

(6) a data processor needs not to go through the Security Assessment if it anticipates that it will transfer personal information of more than 10,000 but less than 1,000,000 individuals in a year and it will go through the Standard Contract or the Certification regulatory mechanisms; and

(7) a data processor should be required to obtain consents from individuals for the outbound transfer of their personal information if the lawful ground of such outbound transfer is the consent.

The CAC will further allow the Pilot Free Trade Zones in China to formulate their own negative lists of data applicable within the corresponding Pilot Free Trade Zones only (“Negative List”) to define the outbound transfer of what types of data that needs to be subject to the current data outbound transfer regulatory mechanisms; provided, however, that such Negative Lists are approved by the provincial counterparts of the CAC and on file with the CAC.

We will share with you a more detailed analysis of the Draft Provisions shortly and will closely monitor and timely report any progress made with the Draft Provisions. For those who are interested in reading the Draft Provisions, you can find in Annex 1 for your reference of our draft English translation of the Draft Provisions.

Annex 1

规范和促进数据跨境流动规定

Provisions to Regulate and Promote Cross-Border Data Flow

（征求意见稿）

（Draft for Public Comments）

为保障国家数据安全，保护个人信息权益，进一步规范和促进数据依法有序自由流动，依据 有关法律，对《数据出境安全评估办法》、《个人信息出境标准合同办法》等数据出境规定的 施行，作出以下规定。

These provisions are formulated to implement the Measures for the Security Assessment of Outbound Data Transfer, Measures for the Standard Contract for Cross-Border Transfer of Personal Information, and other provisions on data outbound transfer, in accordance with the relevant laws and for the purpose to safeguard national data security, protect personal information rights and interests, and to further regulate and promote the lawful, orderly and free flow of data.

一、国际贸易、学术合作、跨国生产制造和市场营销等活动中产生的数据出境，不包含个人 信息或者重要数据的，不需要申报数据出境安全评估、订立个人信息出境标准合同、通过个 人信息保护认证。

I. Outbound transfers of the data, that are generated in international trade, academic cooperation, transnational manufacturing, marketing, or other activities and that do not include any personal information or important data, will not be subject to the regulatory mechanisms of the Security Assessment, or the Standard Contract, or the Certification.

二、未被相关部门、地区告知或者公开发布为重要数据的，数据处理者不需要作为重要数据 申报数据出境安全评估。

II. The data processors need not treat as important data any data that has not been individually notified or published announced by the competent agencies or the local authorities as important data and need not to apply for the Security Assessment of data outbound transfer for such data.

三、不是在境内收集产生的个人信息向境外提供，不需要申报数据出境安全评估、订立个人 信息出境标准合同、通过个人信息保护认证。

III. Outbound transfer of personal information that is not collected or generated within the territory of the People's Republic of China (“China”) needs not to be subject to the regulatory mechanisms of the Security Assessment, the Standard Contract, or the Certification.

四、符合以下情形之一的，不需要申报数据出境安全评估、订立个人信息出境标准合同、通 过个人信息保护认证：

IV. The following circumstances need not to be subject to the regulatory mechanisms of the Security Assessment, the Standard Contract, the Certification:

（一）为订立、履行个人作为一方当事人的合同所必需，如跨境购物、跨境汇款、机票酒店 预订、签证办理等，必须向境外提供个人信息的；

(i) where it is necessary to outbound transfer personal information in order to conclude and perform contracts with the counterparties being individuals, such as contracts for cross-border shopping, cross-border remittance of payments, flight booking and hotel reservations, visa application, or etc.;

（二）按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理，必须向境外 提供内部员工个人信息的；

(ii) where it is necessary to outbound transfer personal information of internal employees in order to implement human resources management under the labor rules and policies formulated in compliance with the law and the collective contract concluded in accordance with the laws; or

（三）紧急情况下为保护自然人的生命健康和财产安全等，必须向境外提供个人信息的。

(iii) where it is necessary to outbound transfer personal information in emergencies in order to protect the life, the health, and the property safety of the individuals.

五、预计一年内向境外提供不满 1 万人个人信息的，不需要申报数据出境安全评估、订立个 人信息出境标准合同、通过个人信息保护认证。但是，基于个人同意向境外提供个人信息的， 应当取得个人信息主体同意。

V. A data processor is not required to go through the regulatory mechanisms of the Security Assessment, the Standard Contract, or the Certification, should it estimate that it would outbound transfer personal information of less than 10,000 individuals in one year. However, the data processor should obtain the consents from the individuals should they base their outbound transfer of personal information on consents from the individuals.

六、预计一年内向境外提供 1 万人以上、不满 100 万人个人信息，与境外接收方订立个人信 息出境标准合同并向省级网信部门备案或者通过个人信息保护认证的，可以不申报数据出境 安全评估；向境外提供 100 万人以上个人信息的，应当申报数据出境安全评估。但是，基于 个人同意向境外提供个人信息的，应当取得个人信息主体同意。

VI. A data processor may not need to go through the Security Assessment if it goes through either the Standard Contract or the Certification,should it estimate that it would outbound transfer personal information of more than 10,000 but less than 1,000,000 individuals in one year; a data processor should go through the Security Assessment if it outbound transfers personal information of more than 1,000,000 individuals. Nonetheless, the data processor should obtain consents from the individuals should it bases its outbound transfer of personal information on the consents.

七、自由贸易试验区可自行制定本自贸区需要纳入数据出境安全评估、个人信息出境标准合 同、个人信息保护认证管理范围的数据清单（以下简称负面清单），报经省级网络安全和信 息化委员会批准后，报国家网信部门备案。

VII. The Pilot Free Trade Zones may formulate their respective lists of data (the “Negative List”), the outbound transfer of which will be subject to the regulatory mechanisms of the Security Assessment, the Standard Contract, or the Certification. Such Negative Lists shall be approved by the provincial cybersecurity and informatization commission and file with the CAC for record.

负面清单外数据出境，可以不申报数据出境安全评估、订立个人信息出境标准合同、通过个 人信息保护认证。

Outbound transfer of the data that are not on the Negative List may not be subject the regulatory mechanism of the Security Assessment, the Standard Contract, or the Certification.

八、国家机关和关键信息基础设施运营者向境外提供个人信息和重要数据的，依照有关法 律、行政法规、部门规章规定执行。

VIII. The outbound transfer of personal information and important data by national agencies or the critical information infrastructure operators (“CIIO”) shall be subject to the provisions of the relevant laws, the administrative regulations, and the administrative rules.

向境外提供涉及党政军和涉密单位敏感信息、敏感个人信息的，依照有关法律、行政法规、 部门规章规定执行。

Outbound provision of the sensitive information of the Chinese Communist Party, the Chinese government, the Chinese military forces and the State secrets holders, and of the sensitive personal information, shall be subject to the provisions of the relevant laws, the administrative regulations and the administrative rules.

九、数据处理者向境外提供重要数据和个人信息，应当遵守法律、行政法规的规定，履行数 据安全保护义务，保障数据出境安全；发生数据出境安全事件或者发现数据出境安全风险增 大的，应当采取补救措施，及时向网信部门报告。

IX. When data processors are providing important data and personal information abroad, they shall abide by the provisions of the laws and the administrative regulations, fulfill their obligation to protect data security, and ensure the security in the outbound transfer of the data. In case of a security incident or an increase of the security risk in the outbound transfer of the data, the data processors shall take remedial measures and timely report to the cyberspace administration agencies.

十、各地方网信部门应当加强对数据处理者数据出境活动的指导监督，强化事前事中事后监 管，发现数据出境活动存在较大风险或者发生安全事件的，要求数据处理者进行整改消除隐 患；对拒不改正或者导致严重后果的，依法责令其停止数据出境活动，保障数据安全。

X. All local cyberspace administration agencies shall enhance their guidance to and supervision of the data processors in the data outbound transfer, strengthen the regulation before, during, and after the data outbound transfer. When they discover substantial risk or security incidents in the data outbound transfer, they shall request data processors rectify and eliminate the potential risks. Should any data processors refuse to rectify or causes severe consequences, they shall order suspension of the data outbound transfer to safeguard the data security.

十一、《数据出境安全评估办法》、《个人信息出境标准合同办法》等相关规定与本规定不一 致的，按照本规定执行。

XI. In the event of any inconsistency between the provisions under these Provisions and other relevant regulations, such as the Measures for the Security Assessment of Outbound Data Transfer and the Measures for the Standard Contract for Outbound Transfer of Personal Information, the provisions of this Provisions shall prevail.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.