News & Insights

New Rules on Data Export Are Implemented

View PDF

Authored by: Edwarde Webre and Minning Wei

The Cyberspace Administration of China (“CAC“)  promulgated the Provisions on Promoting and Regulating Cross-border Data Flows (“Provisions“) on 22 March 2024. The CAC officials have also answered questions from journalists regarding the Provisions.  The Provisions refine the conditions and operation of cross-border data flows under the existing legal framework and provide enterprises clear guidance for data export.  The Provisions have 14 articles, which became effective on the date of promulgation.  Key points are outlined as follows:-

I. Circumstances where the data can be exported out of China directly

A data processor is exempt from going through a security assessment for data export, concluding a standard contract for personal information (“PI”) to be provided abroad or passing an authentication for PI protection under any one of the following circumstances.  That is, it (regardless of whether it is or not a critical information infrastructure operator(“CIIO”) unless otherwise provided clearly) can export the relevant data out of China directly:-  

1. Where a data processor provides the data collected and generated in such activities as international trade, cross-border transportation, academic cooperation, transnational manufacturing and marketing, which do not contain PI or important data, to overseas parties.

2. Where a data processor provides PI collected and generated abroad to overseas parties after being transferred to China for processing, and no domestic PI or important data is introduced in the process of processing.

3. A data processor satisfies any of the following conditions when providing PI abroad:-

(1) Where it is really necessary to provide PI abroad for the purpose of concluding or performing a contract to which an individual concerned is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa processing and examination services;

(2) Where it is really necessary to provide employees’ PI abroad for the purpose of conducting cross-border human resources management in accordance with the employment rules and regulations formulated legally and collective contracts concluded legally;

(3) Where it is really necessary to provide PI abroad in an emergency to protect the life, health and property safety of a natural person; or

(4) Where a non-CIIO data processor provides abroad the PI (excluding sensitive PI) of not more than 100,000 people accumulatively as of January 1 of the current year.

Kindly note that aforementioned PI provided abroad shall not contain important data.  A data processor, regardless of a CIIO or not, shall go through security assessment for data export if the data to be exported is important data.  A data processor shall identify and declare important data in accordance with relevant provisions1.   If the data has not been identified or publicly announced as important data by relevant departments or regions, it will be treated as non-important data and be exported in accordance with the relevant rules.

4. Where a data processor in a pilot free trade zone (“FT Zone”) provides overseas parties with any data not in the negative list.  The negative list is a list of data formulated by the FT Zone, under the framework of the national system for data classification and grading, that needs to be included in the scope of administration of security assessment for data export, the standard contract for providing PI abroad and authentication for PI protection.  The negative list shall be filed with the CAC and the national data administration for the record upon approval by the Cyber Security and Informatization Commission at the provincial level.  The data processors in the FT Zone shall comply with the State regulations on data export security administration before the negative list is released.

II. Circumstances where security assessment is required for data export

A data processor shall apply for security assessment for data export to the CAC through the Cyberspace Administration at the provincial level (“Provincial CA”) at its locality if it satisfies any of the following conditions:-

(1) Where the data to be exported is important data.

(2) Where a CIIO exports PI; or

(3) Where a non-CIIO provides, as of January 1 of the current year, PI (excluding sensitive PI) of not less than 1 million people or sensitive PI of not less than 10,000 people in aggregate to overseas parties.  The data which can be exported directly under Section I (except for those under Item 3 (4)) shall not be counted in for calculation of PI under this circumstance.

The security assessment result for data export shall remain valid for 3 years from the date of it issuance. Where it needs to continue with data export and nothing triggers re-submission for security assessment for the data export upon expiry of the assessment result, the data processor may, within 60 workdays prior to the expiry date, apply to the CAC through the local Provincial CA to extend the period of validity of the assessment result. Upon approval by the CAC, the period of validity of the assessment result can be extended by 3 years.

III. Circumstances where a standard contract with the overseas recipient for the export of PI or PI protection authentication is required for data export

Where a non-CIIO exports PI (excluding sensitive PI) of not less than 100,000 but not more than 1 million people, or the sensitive PI of not more than 10,000 people, accumulatively as of January 1 of the current year, it shall conclude a standard contract with overseas recipient for PI export or go through the authentication on protection of PI in accordance with the law.  Similarly, the data which can be exported directly under Section I (except for those under Item 3 (4)) shall not be counted in for calculation of PI under this circumstance.

The CAC released the Guidelines for Data Export Security Assessment (Second Edition) and the Guidelines for Filing Standard Contracts for Personal Information Export (Second Edition) with the Provisions.  A data processor may apply for data export security assessment or file standard contracts for PI export online through the Data Export Declaration System (https://sjcj.cac.gov.cn).   If application or filing has been submitted on site, the data processor will not need to redo the submission online.  A data processor may log in the Personal Information Authentication Administration System (https://data.isccc.gov.cn) to apply for authentication on PI protection online.  CIIOs or others that are deemed unsuitable for online application still need to apply for data export security assessments offline to the CAC through their local Provincial CA.

Our Comments

The Provisions have modified certain rules on data export under the Security Assessment Measures for Data Export and Measures for the Standard Contract for the Outbound Transfer of Personal Information, and relaxed the conditions for data export and provide clearer compliance guidelines.  As a result, data processors, especially small and medium-sized enterprises, may have lowered  compliance costs and improved certainty and efficiency in data exchange with overseas parties.

The Provisions emphasize that data processors shall take appropriate measures to protect data security; fulfill obligations such as notification, obtaining separate consent, and conducting PI protection impact assessments in accordance with relevant regulations when providing PI abroad.

Data processors with the need for data export shall refer to the Provisions to determine the appropriate procedure and take actions accordingly.  According to  CAC officials, a data processor that did not pass through the data export security assessment completely or only partially before the implementation of the Provisions under which it is exempt from security assessment, may provide PI abroad through entering into standard contracts for PI export or passing authentication on the protection of the PI.  Data processors that have already submitted application for data export security assessment or filed of standard contracts for PI export before the Provisions under which it is exempt from the aforementioned procedures may continue proceeding with the original procedures or withdraw their application from the local Provincial CA.  We would suggest these data processors  communicate with the CAC or the Provincial CA which deals with their submission and seek their advice before determining whether to complete the original procedures or proceed in accordance with the Provisions.

We will continue to monitor the implementation of the Provisions and will advise on important developments.


1 The National Information Security Standardization Technical Committee released the national standard GB/T 43697-2024 “Data Security Technology — Rules for Data Classification and Grading” on March 15, 2024.  This standard outlines the principles, framework, methods, and procedures for data classification and grading, along with guidelines for identifying important data. Data processors may refer to this standard to assess whether their data may be classified as important data. This standard will be implemented from 1 October, 2024.

Key Contacts

Edwarde Webre

Consultant | Corporate Commercial

Email or call +852 2825 9730

Related Services and Sectors:

China Trade & Investment

Portfolio Builder

Select the legal services that you would like to download or add to the portfolio

Download    Add to portfolio   
Portfolio
Title Type CV Email

Remove All

Download


Click here to share this shortlist.
(It will expire after 30 days.)