China releases Draft Regulations on the Standardisation and Promotion of Cross-Border Data Flow

On 28 September 2023, the Cyberspace Administration of China (“CAC”) released the Consultation Draft of the Regulations on Standardisation and Promotion of Cross-border Data Flow (the “Draft Regulations”). Importantly, the Draft Regulations propose new exemptions to the cross-border data transfer regime under Mainland China’s Personal Information Protection Law, namely conducting a CAC security assessment, execution and filing of standard contract clauses (“SCC”), and certification by CAC-accredited agencies (collectively, the “Cross-Border Data Transfer Requirements”). If passed in its current form, the Draft Regulations will prevail over the Measures on Security Assessment for Export of Data and the Measures on Standard Contract for Export of Personal Information, and exempt entities from complying with Cross-Border Data Transfer Requirements.

It should be noted that the Draft Regulations are not finalised and may be subject to further change. Although there are areas where the Draft Regulations remain uncertain, we consider it is unlikely there would be material changes to the thresholds triggering the relevant exemptions. With the consultation period ending on 15 October 2023, it is generally expected that the Regulations will be published in final form and become effective before 1 December 2023 (i.e., the end of the grace period for SCC filings).

Exemptions. Entities are exempt from all Cross-Border Data Transfer Requirements in any of the following cases:

1. personal data is collected and generated outside Mainland China, and then transferred to outside Mainland China (Art. 3);
2. the export of personal data is necessary for the conclusion and performance of a contract to which the data subject is a party, such as cross-border purchases, cross-border remittance, flight and hotel booking, visa application, etc. (Art. 4(1));
3. the export of internal staff’s personal data is necessary for an entity’s human resource management implemented in accordance with lawfully established labour rules and regulations and collective bargaining contracts (Art. 4(2));
4. the export of personal data is necessary for protecting the life, health, and property safety, etc. of natural persons in emergency situations (Art. 4(3));
5. personal data of less than 10,000 individuals is expected to be transferred outside of Mainland China by an entity within a year (Art. 5); and 
6. for entities registered in free trade zones, the export of the types of personal data that are not listed on the “negative list” formulated by the relevant free trade zone and approved by the CAC (Art. 7).

Separately, an entity is exempt from the CAC security assessment if personal data of more than 10,000 but less than 1 million individuals is expected to be transferred outside of Mainland China by the entity within a year, and the entity has filed the executed SCC with the CAC or obtained certification from CAC-accredited agencies (Art. 6).

Notably, the first exemption applies where personal data is collected and generated outside Mainland China, imported into Mainland China and then re-exported to outside Mainland China.

Exemptions (2) – (4) above are subject to a “necessity” test to export personal data. However, the Draft Regulations do not provide further guidance on the thresholds to achieve “necessity” or how entities may justify such necessity. In particular, Art. 4(1) sets out non-exhaustive examples of cross-border scenarios where the export of personal data may be considered necessary for conclusion and performance of contracts. It is unclear what other contracting scenarios may be able to warrant the “necessity” justification. Similarly, Art. 4(2) appears to be limited to export of personal data that is (i) justified to be “necessary” for implementing HR management and (ii) which has to be in accordance with lawfully established labour rules and regulations and collective bargaining contracts. For multinational companies with HR teams located outside Mainland China, it remains uncertain whether intragroup transfers of employee personal data may be considered necessary for effecting HR management functions.

In any event, a multinational corporation with limited PRC employees and/or customers within Mainland China may likely be able to leverage Art. 5 to transfer personal data outside of Mainland China if such transfer falls below the 10,000 volume threshold noted above.

Consent requirement. Consistent with previous guidelines, the Draft Regulations provide that where consent is the basis for exporting personal data outside Mainland China, an entity is required to continue to obtain such individuals’ consent.

Important data. Entities applying for CAC security assessment are not required to report the export of “important data” if such data has not been publicly declared or otherwise notified to the relevant entities as “important data” by the relevant competent authorities.

Carve-outs. The exemptions in the Draft Regulations may not apply to the export of personal data or important data by government bodies or Critical Information Infrastructure Operators, as well as the export of sensitive data or sensitive personal data relating to Mainland China’s political party, the government, the military or a classified agency, as these transfers will remain subject to the relevant laws, administrative regulations and departmental rules.

We will continue to closely monitor the development and interpretation of the Draft Regulations and will keep you informed of any updates.