Takeaways

A data controller that is not a critical information infrastructure operator that cumulatively exports personal information (excluding any sensitive personal information) of less than 100,000 individuals since January 1 of the current year is not required to undergo mandatory security assessment, certification or standard contract.
Mandatory security assessment for the export of important data should not be triggered if the data to be exported has not been identified as important data as notified by the relevant industrial regulators or local authorities or through public notices.
Data controllers in China need to keep clear track of the number of individuals whose personal information (excluding sensitive personal information) and sensitive personal information will be exported from mainland China, and of whether any important data will be exported, in order to determine which of the three data export mechanisms (i.e., mandatory security assessment, certification or standard contract) applies or whether an exemption is available.

On March 22, 2024, the Cyberspace Administration of China (CAC) published the final version of the Provisions on Promoting and Regulating Cross-Border Data Transfers (Provisions), aiming to provide more clarity on the implementation of the Measures on Security Assessment for Data Export (Security Assessment Measures), effective beginning September 1, 2022, and the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (SC Measures), effective on June 1, 2023, and other cross-border data transfer issues. As described in more detail below, the Provisions, among other things, set forth certain scenarios where the procedural regulatory requirements for data export are exempted, and clarify the identification of “important data” (Important Data) and thresholds for mandatory security assessment.

Current Data Export Mechanisms
The current cross-border data transfer regulatory regime was initially established under the Personal Information Protection Law (PIPL), effective since November 1, 2021. As we summarized in a previous client alert, PIPL established the following three legal mechanisms (Data Export Mechanisms) for a personal information processor (equivalent to a “data controller” under the EU General Data Protection Regulation) in mainland China to transfer personal information outside mainland China:

  • Completing a mandatory security assessment under the administration of the CAC (Security Assessment), which is further administered according to the Security Assessment Measures;
  • Obtaining a personal information protection certification from a CAC-recognized professional institution (Certification), which remains a less-adopted option given the lack of clarity on specific requirements for certification; or
  • Entering into a standard contract with overseas recipients for sharing/transferring personal information (Standard Contract), which is further administered according to the SC Measures.

If a critical information infrastructure (CII) operator in mainland China transfers any personal information outside of mainland China, such transfer must pass the Security Assessment.

In addition to personal information, export of Important Data by a data controller in mainland China is also subject to the Security Assessment.

Key Clarifications and Relaxations under the Provisions
EXEMPTIONS FROM DATA EXPORT MECHANISMS

The Provisions exempt the following cross-border data transfers from the three Data Export Mechanisms (i.e., Security Assessment, Certification and Standard Contract):

  • Export of data generated in activities such as international trade, cross-border transportation, academic cooperation, cross-border manufacturing and marketing that do not contain personal information or Important Data (Article 3);
  • Where personal information collected and generated outside of mainland China by a data controller is transferred into mainland China for processing and then provided outside of mainland China, and no personal information or Important Data in mainland China is incorporated during the processing (Article 4);
  • Where it is necessary to transfer personal information outside of mainland China for concluding and performing a contract to which the data subject of such personal information is a party, such as for cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa processing, examination services, etc. (Article 5(1));
  • Where it is necessary to transfer personal information of employees outside of mainland China for cross-border human resources management in accordance with legally formulated labor policies or collective contracts (Article 5(2));
  • Where it is necessary to transfer personal information outside of mainland China for the protection of health and property safety of a natural person in an emergency (Article 5(3));
  • Where a data controller that is not a CII operator cumulatively exports personal information (excluding any sensitive personal information) of less than 100,000 individuals since January 1 of the current year (Article 5(4)); and
  • Export of data from a free trade zone (FTZ) in mainland China that falls outside the scope of any negative list to be formulated by such FTZ (Article 6).

IDENTIFICATION OF IMPORTANT DATA

Under the Security Assessment Measures, Important Data is defined as “data that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, destroyed, leaked, or illegally obtained or used.”

The concept of important data was first introduced in China’s Data Security Law (DSL), under which network operators in China are required to categorize data and formulate backup and encryption measures for the protection of “important data.” Also, according to the DSL, China will establish a data categorization and classification system and Chinese authorities will formulate a catalog of Important Data. Certain industry regulators and regions have been making progress on formulating industrial and local rules and guidance on identifying Important Data.

The Provisions now make it clear that the Security Assessment for the export of Important Data should not be triggered if the data to be exported has not been identified as Important Data as notified by the relevant industrial regulators or local authorities or through public notices. At the same time, this clause also requires a data controller to identify and report Important Data in accordance with the relevant regulations.

THRESHOLDS FOR DATA EXPORT MECHANISMS

Article 7 and Article 8 of the Provisions set forth the thresholds for different types of Data Export Mechanisms, which we summarize in the table below.

Our Observations
Among all the clarifications under the Provisions, the one most relevant to the Chinese subsidiaries of multinational corporations is the set of scenarios exempted from the Data Export Mechanisms, in particular the sixth exemption listed above (Article 5(4)). Under this scenario, a Chinese subsidiary of a foreign company (assuming it is not a CII operator) that cumulatively exports personal information (excluding any sensitive personal information) of less than 100,000 individuals since January 1 of the current year is not required to undergo any of the three Data Export Mechanisms. Please note that this exemption applies only to compliance with the Data Export Mechanisms. The data controller is still required to comply with other requirements and obligations under the PIPL and other applicable laws and regulations, such as obtaining consent from individuals, conducting a personal information protection impact assessment, etc. To remain exempt from the Data Export Mechanisms, the data controller also needs to keep track of the number of individuals whose personal information is exported from mainland China and ensure that no sensitive personal information is included.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.