On 23 March 2024, the Cyberspace Administration of China (“CAC”) released the Regulation for Promoting and Administering Cross-border Data Flows (“Regulation”) together with guidelines (“Guidelines”) on the data export filing processes, which revamps the current regime in a bid to ease the data export restrictions.
In this article, we highlight the key provisions and set out our comments. If you would like a copy of the English translation of the Regulation, please contact James Gong at [email protected].
The Personal Information Protection Law (“PIPL”) (for our comments on the PIPL, please click here) provides three routes for personal information processors (“PI Processor”) [1] to export personal information (“PI”). In addition, the Data Security Law (“DSL”) and the Cyber Security Law (“CSL”) also require a security assessment for the export of important data, although the scope of important data is yet to be defined. The three routes for data export are as follows (collectively “Data Export Regime”):
The Security Assessment regime took effect on 1 September 2022 with a six-month grace period. Since then, many PI exporters in China, mostly large multinationals, have filed hundreds of applications with the CAC, but only a handful have since been approved. The assessment process is expected to take over ten months, and applicants will face multiple rounds of review from the CAC after their initial submission.
Most PI Processors do not reach the Thresholds and are therefore ineligible for the Security Assessment. The Certification regime appears to be designed for intragroup PI transfers within large multinational groups or international organisations, and the process is quite complicated. As a result, the SCCs are expected to be the favoured data export route for PI Processors.
Filing the SCCs
The CAC requires that all PI exporters file signed SCCs and a report of the personal information protection impact assessment (“PIPIA”) with the provincial CAC. This requirement took effect on 1 June 2023, also with a six-month grace period, ending on 30 November 2023. Effectively, most PI exporters must comply with this requirement, unless they are being certified for PI Protection. Many PI exporters have made the filing since then.
The filing materials for SCCs are similar to those for the Security Assessment, and therefore the workloads for PI exporters choosing to make SCCs filings are no less burdensome at least before the first submission. Companies are expected to incur a substantial amount of cost and resources throughout the compliance process.
The Data Export Regime has since given rise to extensive concerns amongst multinational companies and commercial delegates over the complex and unpredictable nature of the processes, coupled with the uncertainty as to its impact on cross-border data flows in the normal course of business.
The Chinese government seems to have recognised such concerns against the backdrop of its policy to boost economic growth after the pandemic. The central government has pledged on several occasions to streamline the Data Export Regime and has required the CAC to implement it.
On 28 September 2023, the CAC released a draft of the Regulation, which purported to exempt several types of data export from the Data Export Regime and to raise the Thresholds. The final version was released six months later.
The Regulation has set out a range of scenarios where data export will be exempt from the entire Data Export Regime, which we summarise as follows:
Our comments: this should benefit cross-border e-commerce, international payment and banking services, tourism, transport and other relevant industries, where exporting their customers’ PI is an integral part of the business.
To be clear, the PI exporter should be one party to the contract, and presumably the other party should be the Chinese individuals whose PI is to be exported. Where the PI exporter does not contract directly with the individuals, further analysis will be necessary.
However, the Regulation does not specify all types of contracts that may qualify for this exemption. The examples given by the CAC seem to suggest that the transactions in the underlying contracts should involve cross-border elements, e.g., services provided by an overseas service provider. According to our verbal consultation, the CAC takes a much stricter approach and treats the examples set out in the Regulation as an exhaustive list of qualified contracts. If this is the case, the scope of the exemption would be much narrower than expected.
One other question is how to determine whether exporting PI is “necessary” to concluding or performing the contract. PI exporters may need to check whether the relevant services or transactions could be completed without exporting the data.
It is necessary to export employees’ PI for the purposes of HR management pursuant to legally formulated employment rules or policies and collective employment agreements.
Our comments: this exemption appears to address the scenarios where multinationals’ headquarters need to receive the PI of their local subsidiaries’ employees. However, the Regulation still does not go any further to explain how “necessary” will be interpreted. For instance, if the PI could be processed via alternative systems in China with extra cost incurred, would the data export still be considered necessary? A more liberal interpretation should be more appropriate, given the intention of the CAC to exempt HR-related data export from the Data Export Regime. The CAC should provide more guidance here.
Besides, it has still not been clarified whether HR management must be based on both employment rules and policies and collective employment contracts at the same time. The CAC apparently uses the same wording as the PIPL does for the HR management legal basis for PI processing, but the meaning is still contested. Most practitioners take the view that data exporters should be allowed to rely on either one as the basis for implementing HR management.
Another scenario that needs to be clarified is where agency workers’ PI and job candidates’ PI are being exported. As agency workers and job candidates are not employees of companies that export their PI, should this exemption also apply? Whilst agency workers subject to employment rules and policies of the PI exporter may be considered part of its workforce, exporting PI of job candidates will less likely qualify for the exemption.
Our comments: it is the default position under the PIPL, the DSL and the CSL that non-PI and non-important data should not be subject to any export restrictions. Unfortunately, by setting out a series of scenarios, the Regulation has effectively reduced the scope that is exempt from the Data Export Regime. We tend to view this as unintended, and the default position should still stand.
Our comments: this is a major change to the Data Export Regime, in particular, the Security Assessment. The Thresholds have been amended and replaced with higher ones. However, this provision is also problematic.
The first issue is that the Regulation fails to specify the time period within which the volume of PI being exported should be measured against the threshold amount. Given that the starting date is 1 January each year, presumably this means a twelve-month period ending on 31 December, but this would benefit from being clarified in the Regulation.
Another question is what happens when the amount in the year exceeds 100,000. Do the PI exporters need to stop exporting the PI and make filings for SCCs or even Security Assessment first? If so, should the PI exporters make a filing pre-emptively to avoid it?
Notably, in the Guidelines the CAC seems to affirm the position taken in the SCCs that separate consent for the export of PI from individuals is required only when the legal basis for processing is consent.
Our comments: this provision effectively exempts from the Data Export Regime export of PI that is collected outside China, which will benefit companies processing such PI in China, e.g., multinationals that are headquartered in China and Chinese cloud service providers.
The Regulation retains most of the exemptions in the draft with minor amendments, but as discussed above, there still remain questions to be answered. Besides, it is worth pointing out that the PI exporters exempted from the Data Export Regime must still comply with other requirements applicable to PI exporters under the PIPL, namely:
i. Conducting the PIPIA;
ii. Obtaining a separate consent where the legal basis for the processing is consent; and
iii. Ensuring that the processing activities of the PI importer meet the data protection standards under the PIPL, possibly by signing a data transfer agreement with the PI importers.
The Regulation has adjusted the Thresholds for the Data Export Regime, which has greatly reduced the number of companies required to adopt the safeguards thereunder.
A PI exporter should apply for the Security Assessment if:
(i) The PI exporter is a CII operator and exports PI and important data; or
(ii) The PI exporter is not a CII operator and exports PI of at least 1 million individuals or sensitive PI of no fewer than 10,000 individuals from 1 January each year.
A PI exporter should make a filing of the SCCs with the CAC if it is not a CII operator and exports, from 1 January each year, (i) PI (excluding sensitive PI) of 100,000 or more but fewer than 1 million individuals or (ii) sensitive PI of fewer than 10,000 individuals.
Our comments above on the revised numerical thresholds also apply here and will need further clarification from the CAC.
The Regulation retains the position on important data that non-personal data is not important data unless it is designated as such by the relevant authority or region by notice or publication. In the absence of a clear scope of important data, this temporarily releases non-personal data exporters from the obligation to apply for the Security Assessment until the authorities define the scope.
In addition to the Regulation, the CAC also published the Guidelines for making SCCs filings and applications for the Security Assessment. In the Guidelines, the CAC extends the scope of PI export from PI exporters that transfer PI across the border or grant PI importers remote access to PI, to also include overseas entities processing PI subject to the extraterritorial effect of the PIPL.
This has broadened the scope of the Data Export Regime to cover scenarios that are not usually regulated as PI export in other countries and could contradict the reasoning behind data protection laws, including the PIPL. The reason why this is not considered PI export elsewhere is that the data export should involve a PI exporter and a PI importer, and the PI importer is usually not subject to the PI protection laws of the country where the PI exporter is located. Safeguards are therefore imposed via the PI exporters to ensure that the processing by the PI importer will comply with the same standards that the PI exporter is subject to, in this case, the PIPL.
Where the processing by a foreign entity is subject to the extraterritorial effect of the PIPL, the foreign entity should comply with the PIPL in relation to the processing of the PI as if it operates within the Chinese territory. As such, there is no need to regulate it as data export.
This approach could also prove to be problematic in practice. The Guidelines do not provide for how an overseas entity can make a filing for the SCCs or the Security Assessment. The filing materials do not contemplate scenarios where there is no PI exporter, e.g., how then should SCCs or other transfer contracts be signed?
Upon consultation, the CAC requires the overseas entities to set up a local office to act as their local representative under the PIPL and also as the applicant for the filings. This will not be commercially viable for most companies, not to mention that the rules on local representatives are yet to be implemented. Whilst this could pose a challenge to overseas companies processing PI subject to the extraterritorial effect of the PIPL, it would also test the capability and determination of the CAC to police such requirements outside the Chinese territory.
The CAC has made some efforts to streamline the processes and materials for SCCs filings and Security Assessment applications, including:
i. Providing online portals for submission;
ii. Stipulating the formatting for the documents;
iii. Optimising requirements for the description of PI export scenarios;
iv. Removing unnecessary information disclosure requirements; and
v. Simplifying the outline of the PIPIA report.
These changes reportedly reflect the feedback that the CAC has received from companies that went through the processes. We expect the time needed to complete a filing to be shortened under the new regime. In addition, the validity of an approved Security Assessment has been extended to three years.
The Regulation allows free trade zones to formulate their own negative list of data sets, which can be exported subject to the Data Export Regime and with approval by the provincial-level CACs and filing with the central CAC and the National Data Administration (NDA). Outside of this negative list, data exporters will be exempted from the Data Export Regime.
In the Regulation, the NDA is added as a new ministry alongside the CAC to receive filings from the free trade zones. It seems that the NDA has played a role in the rollout of the Regulation and will continue to influence the Data Export Regime in the future.
The Regulation also stresses that the relaxation in the trade zones must be implemented within the framework of the national data categorisation and classification framework, which aims to protect important data and core data. It appears that such a negative list regime may also extend to important data and core data.
The CAC published the Regulation to implement the central government’s policy of boosting economic growth and foreign investment and to address concerns over the burdensome and complex compliance obligations under the previous Data Export Regime.
The Regulation exempts a wide range of data export activities from the entire Data Export Regime and, by amending the Thresholds, significantly reduces the number of data exporters that are required to make SCCs filings or apply for the Security Assessment.
Many data exporters will be released from all or part of their obligations under the Data Export Regime. However, as pointed out in our comments, the CAC should clarify the key issues that could hinder its implementation.
Companies should reassess their obligations under the Data Export Regime in accordance with the Regulation. For companies that are exempt from the Data Export Regime, the general obligations in relation to data export under the PIPL will still apply. For companies that have submitted their SCCs filing or Security Assessment application or have completed the processes, we would recommend that they liaise with their case handlers for instructions on the next steps.
[1] A personal information processor is defined as an organisation or individual that independently determines the purposes and means of the processing, akin to the concept of data controller under the General Data Protection Regulation of the European Union.
[2] The previous thresholds for triggering security assessment by PI Processor are: (i) from 1 January of the preceding year, (a) exporting PI of 100,000 individuals, or (b) exporting sensitive PI of 10,000 individuals; or (ii) processing PI of 1 million or more individuals.