Navigating China's 2024 Regulations on Cross-Border Data Transfers
In a significant move aimed at streamlining compliance and alleviating concerns, the Cyberspace Administration of China (“CAC”) unveiled the Regulations on Promoting and Regulating Cross-border Data Flows on March 22, 2024 (“2024 CBDT Regulations”). This long-anticipated legislation comes as a beacon of clarity after years of stringent controls and anticipatory anxiety among global businesses.
I. A Retrospective Gaze: The Evolution of Data Transfer Regulations
Between 2017 and 2021, China established the regulatory framework for outbound data transfer with the enactment of three pivotal laws: (i) the Cybersecurity Law, (ii) the Data Security Law, and (iii) the Personal Information Protection Law. Under this regulatory framework, companies (depending on the nature and volume of the data to be transferred) need to meet one of the following requirements before transferring data out of China:
(a) passing the security assessment conducted by the CAC (“CAC’s Security Assessment”);
(b) executing the standard contract in the format prepared by CAC with foreign recipients, and going through a filing process (“Standard Contract Filing”); or
(c) obtaining protection certification from qualified institutions (“Protection Certification”)
(collectively, the “Clearance Procedures”).
In the subsequent years of 2022 and 2023, CAC introduced several measures to guide the implementation of the Clearance Procedures. However, many companies found them too stringent and burdensome. For example, companies processing more than 1 million individuals' personal information must pass CAC's Security Assessment, even if they transfer only one individual’s personal information out of China. Also, there was no exemption from the Clearance Procedures: even a company transferring several employees' personal information out of China had to complete the Standard Contract Filing or obtain the Protection Certification. Consequently, CAC officials also faced an enormous workload.
Therefore, on September 28, 2023, CAC released the Draft Regulations on Regulating and Promoting Cross-border Data Flows for public comments, which set forth several exceptions to the Clearance Procedures and relaxed the volume thresholds for the Clearance Procedures.
After nearly six months of waiting and speculation, the finalized version of the 2024 CBDT Regulations was officially published and enacted on March 22, 2024.
II. Decoding the 2024 CBDT Regulations: An Updated Regulatory Framework
The following chart is prepared to illustrate the updated regulatory framework under the 2024 CBDT Regulations:
1. Outbound Transfer of Important Data: Greater Clarity, Yet Tight Grip Remains
Outbound transfer of important data must pass the CAC’s Security Assessment, and, to date, there is no exception.
Companies used to face uncertainty over how to identify important data. This is because the Data Security Law does not clearly define the scope of important data, but only provides that industrial regulators or provinces must formulate specific catalogs of important data applicable to their respective industries, fields, or provinces.
Though the tight control remains, the 2024 CBDT Regulations have eased the concern of many companies over the outbound transfer of important data by clarifying its scope. According to the 2024 CBDT Regulations, the regulators will clarify what constitutes important data either by notifying companies or by disclosing the important data catalogs to the public. Until such notification or disclosure occurs, companies may assume they do not possess or process important data.
2. Outbound Transfers of Personal Information: Breathing Space with Exemptions
The 2024 CBDT Regulations have introduced certain scenarios that are exempted from the Clearance Procedures for outbound transfers of personal information. Companies may refer to Sections II.2.a to II.2.c below to determine (i) whether any exemption applies, and (ii) if not, which Clearance Procedure should apply.
a. Exemption Scenarios
(1) Situation-based Exemptions
The 2024 CBDT Regulations delineate specific circumstances under which cross-border data transfers are not subject to the Clearance Procedures.
Data Transit Exemption: Where personal information originates or is gathered outside of China and is routed through China for processing before being sent abroad, the transfer is exempted from the Clearance Procedures, provided that the processing in China does not incorporate any domestic personal information or important data.
Contractual Necessity Exemption: Transfers necessary for the performance or execution of a contract with the individual as a contracting party are also exempted. This typically includes transfers essential for international e-commerce transactions, cross-border mail and parcel deliveries, overseas remittances and payments, international account openings, bookings for flights and accommodations, and visa arrangements, etc.
Human Resource Management Exemption: Outbound transfers of employees’ personal information that are necessary for cross-border human resource management in accordance with legally established company policies are not subject to the Clearance Procedures.
Emergency Exemption: In urgent situations where a data transfer is imperative to safeguard an individual’s life, health, or property, the transfer may be conducted without undergoing the Clearance Procedures.
(2) Free Trade Zone Autonomy
The 2024 CBDT Regulations grant Free Trade Zones (“FTZs”) in China the discretion to devise their own specific “negative lists” of data categories. Data not included in these lists may be transferred across borders without the Clearance Procedures. However, to implement a “negative list,” an FTZ must (i) obtain prior approval from the provincial cyberspace administration authority and (ii) register the established list with the national cyberspace administration authority as well as the national data administration authority.
This grant of autonomy is intended to streamline data transfer processes, leveraging the unique international business environment of the FTZs while maintaining regulatory oversight. It is important to note that these exemptions apply exclusively to entities that are duly registered within the respective FTZs.
However, there are aspects of the implementation that require further clarification. For instance, it is not specified whether the exemption based on the negative list is confined to data amassed within an FTZ or if it also encompasses data gathered beyond the FTZ's boundaries. Additionally, the regulations do not currently address whether a company registered in an FTZ is permitted to store data on servers located outside the FTZ. This point is particularly crucial for businesses that rely on cloud services for data storage and processing, as cloud infrastructure often spans multiple locations, both within and potentially outside the FTZ. Clear guidance on these matters is essential to ensure that companies can navigate the regulatory landscape with certainty and compliance.
b. Critical Information Infrastructure Operators (“CIIOs”): Transfer Volume Does Not Matter
A CIIO is an operator of critical information infrastructure[1]. In practice, the government will notify a company if it is a CIIO. Until notified, the company may assume it is not a CIIO.
A CIIO’s outbound transfer of any piece of personal information is subject to the CAC’s Security Assessment if the transfer does not qualify for any of the above-mentioned exemption scenarios.
c. Non-CIIOs: Transfer Volume Matters
If an outbound transfer of personal information by a non-CIIO does not meet the criteria for any of the aforementioned exemption scenarios, the company should review the volume of the data being transferred. This assessment determines whether the transfer falls within the thresholds for the volume-based exemption or, if not, which specific Clearance Procedure must be followed.
(1) If, since January 1 of the current year, the cumulative amount of personal information transferred out of China reaches either of the below thresholds, then CAC’s Security Assessment is needed:
no less than 1 million individuals’ non-sensitive personal information, or
no less than 10,000 individuals’ sensitive personal information.
(2) If, since January 1 of the current year, the cumulative amount of personal information transferred by a company out of China reaches either of the below thresholds, then the company may choose either to (i) complete the Standard Contract Filing; or (ii) obtain the Protection Certification:
100,000 to 1 million (exclusive of 1 million) individuals’ non-sensitive personal information plus less than 10,000 individuals’ sensitive personal information, or
less than 100,000 individuals’ non-sensitive personal information plus 1 to 10,000 (exclusive of 10,000) individuals’ sensitive personal information.
(3) If, since January 1 of the current year, a company accumulatively (i) transfers less than 100,000 individuals’ non-sensitive personal information out of China and (ii) does not transfer any sensitive personal information out of China, the Clearance Procedures can be exempted.
It is critical to note that when computing the aggregate volume of transferred personal information, any data transferred under the above-mentioned situation-based exemptions or the FTZ negative-list exemption is not counted toward the total. Accurate records of which transfers fall under which exemption are therefore essential for demonstrating adherence to the thresholds.
3. Separate Consent and Personal Information Protection Impact Assessment ("PIPIA")
Despite the above-mentioned exemptions, the 2024 CBDT Regulations do NOT relieve companies of the statutory obligations of (i) obtaining individuals’ separate consent and (ii) conducting a PIPIA for their outbound transfers of personal information, even where an exemption applies.
4. Outbound Transfer of Other Data: A Liberated Path
During the official press briefing on the 2024 CBDT Regulations, representatives from CAC emphasized that the Clearance Procedures apply specifically to transfers involving important data and personal information. It was noted that transfers of routine data containing neither important data nor personal information are not subject to these regulations.
Furthermore, the 2024 CBDT Regulations provide that data collected and produced through various “activities”—such as international commerce, cross-border logistics, academic cooperation, transnational production, manufacturing and marketing—does not require the Clearance Procedures, provided it contains no personal information or important data[2].
5. Our Advice
The enactment of the 2024 CBDT Regulations marks a milestone moment. Companies are advised to promptly consider the following measures:
Re-evaluation: Companies should conduct a thorough re-evaluation of their projects involving outbound data transfers to determine (i) whether any exemptions apply and (ii) whether it is necessary to go through any Clearance Procedures as outlined by the 2024 CBDT Regulations.
Review of Current Filings: For companies in the midst of a Security Assessment or filing process with the CAC that is affected by the 2024 CBDT Regulations, the CAC stated in its official response at the press conference for the release of the 2024 CBDT Regulations that they may either withdraw their previous submissions or proceed under the established procedures. Companies may choose whichever option suits them.
Unchanged Compliance Requirements: It is critical for companies to note that the obligations to secure individual consents and to execute a PIPIA, along with the preparation of corresponding PIPIA reports for outbound personal information transfers, remain mandatory under all circumstances.
These actions are integral to aligning with the updated regulatory framework and ensuring ongoing compliance under the 2024 CBDT Regulations.
[Notes]
[1] Critical information infrastructure refers to important network facilities and information systems in important industries and fields that are related to national security and public interests. Important industries and fields include public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and defense technology industries, etc.
[2] Nonetheless, in accordance with the Data Security Law, any transfer of data from China to foreign judicial or law enforcement agencies mandates prior approval from the appropriate Chinese authorities, even if such transfer does not contain any personal information or important data.