China’s Data Regulator Significantly Relaxes CBDT Regime

Keep up with the latest legal and industry insights, news, and events from MoFo

After months of uncertainty, China’s data regulator, the Cyberspace Administration of China (CAC), issued the Provisions on Facilitating and Regulating Cross-Border Data Flows (促进和规范数据跨境流动规定, the Provisions) addressing a range of issues concerning China’s cross-border data transfer (CBDT) regime. The Provisions relax and clarify key elements of that regime, raising the volume threshold that triggers the requirement to conduct a security assessment for the export of personal information (PI), introducing welcome carve-outs for certain low-volume exports and for exports in certain contexts (such as HR administration), and significantly clarifying the scope of important data intended to be subject to the CBDT regime. This will ease the compliance burden for many companies in the short term and help resolve the bottleneck at CAC in its review of the large volume of applications it has already received under the old regime. But this apparent good news may also give rise to challenges.

The Provisions came into force immediately and will prevail over earlier regulations concerning CBDT in the event of any conflict or inconsistency.

China’s Evolving CBDT Regime

With promulgation of the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and a raft of ancillary regulations over the last few years, the Chinese government introduced what came to be viewed in the market as an extraordinarily burdensome CBDT regime.

Under the terms of the regime as it operated before the Provisions were issued, a PI handler (broadly akin to a “controller” under the General Data Protection Regulation) needing to transfer PI or important data out of China was required to satisfy one of the following conditions:

pass a security assessment undertaken by CAC, which is mandatory for the export of important data or if the export of PI meets certain criteria;
conclude a standard contract in the form prescribed by CAC (SCCs) with the overseas recipient and complete associated filing formalities with the provincial CAC; or
undergo a PI protection certification conducted by a specialized agency accredited by CAC.

Due to the dearth of guidance on how to comply with these formalities, and bottlenecks within CAC in its review of those regulatory filings that were made, many PI handlers held off on completing the formalities beyond the relevant official deadlines, waiting for additional guidance. CAC issued a draft of the Provisions on September 28, 2023, which many commentators expected to be issued in final form before the end of 2023. The Provisions, although issued much later than expected, adhere closely to the September draft. The principal difference between the two is that the Provisions set separate, lower thresholds for sensitive PI.

Comparison of New and Old CBDT Regimes

The Provisions feature a number of significant relaxations from the previous regime. Key highlights include:

eliminating volume of PI handled as a threshold for triggering the requirement to conduct a security assessment and increasing the volume of annual PI exports that triggers this requirement;
excluding the necessity to conduct a security assessment for the export of important data, if the data at issue has not yet clearly been identified as important data;
introducing new exemptions from the need to fulfill any of the mechanisms for certain low-volume data exports and for data exports made under certain legal bases; and
permitting regulators of pilot free trade zones (FTZs) to promulgate special rules that will apply to transfers from those FTZs.

The following table sets out a more detailed comparison of the old and new CBDT regimes:

	Old Regime	New Regime pursuant to the Provisions
Security Assessment	Export of PI by a critical information infrastructure operator (CIIO) Export of PI by a PI handler that handles PI of more than one million individuals Export of PI by a PI handler that, since January 1 of the previous year, has already exported (i) PI of 100,000 or more individuals or (ii) sensitive PI of 10,000 or more individuals Export of important data	Export of PI by a CIIO Volume of PI handled no longer a threshold Export of PI by a PI handler that, since January 1 of the current year, has already exported (i) PI of more than one million individuals or (ii) sensitive PI of more than 10,000 individuals Export of important data that has clearly been identified as important data pursuant to published rules or notice of the relevant sectoral or regional regulator
SCCs Filing / Certification	A PI handler may opt to comply with either the SCCs filing or the certification mechanism when a security assessment is not triggered	Export of PI by a PI handler that, since January 1 of the current year, has already exported (i) PI of between 100,000 and one million individuals or (ii) sensitive PI of less than 10,000 individuals A PI handler meeting this criterion may opt to comply with either the SCCs filing or the certification mechanism
Exemptions	None Every PI handler contemplating the export of any amount of PI or important data is required to fulfill one of the prescribed mechanisms.	Volume Exemptions: No export mechanism required for a PI handler that, since January 1 of the current year, has exported PI of less than 100,000 individuals, provided that such data do not contain any sensitive PI Exempted Categories of PI Export: No export mechanism required for a PI export that is undertaken on one of the following legal bases: Export of employee PI that is necessary for the implementation of cross-border HR administration in accordance with lawfully formulated employment policies and rules Export of PI that is necessary for the performance of a contract to which the data subject is a party, involving a service that is offered on a cross-border basis (e.g., cross-border shopping, postal or delivery service, fund remittance, overseas account opening, flight ticket and hotel booking, visa processing, and exam service) Export of PI that is necessary for protecting the life, health, or safety of property of an individual in an emergency PI that is exported under any of these three legal bases will not be taken into account in the calculation of PI export volume for the purposes of measuring against the relevant PI volume thresholds
Special Treatment	None	A FTZ may formulate its own negative list of data that is subject to data export mechanisms upon completing certain approval and filing procedures

With its issuance of the Provisions, CAC has eased the procedural burden for companies by extending the validity period of a security assessment approval from two years to three. CAC has also streamlined filing processes by launching a web portal for the online submission of security assessment and SCCs filing applications. It remains to be seen whether (and, if so, how) CAC will also standardize and streamline its regulatory review process.

To align with the Provisions, CAC has also updated guides for security assessments and SCCs filings that set out the application process and documentary requirements for those two mechanisms. Among other updates, CAC has revised the template assessment reports under both mechanisms to clarify the scope of information required to be included. Another notable update is the addition of language that makes clear that CAC considers there to be an export of data when a foreign PI handler that is subject to the PIPL’s extraterritorial scope directly collects and processes PI from Chinese residents and requires that any such export be undertaken in reliance on one of the data export mechanisms when relevant criteria are met. However, CAC has not yet clarified how this would work in practice, for example, who the foreign PI handler should conclude the SCCs with and how it should complete the assessment report, which is designed for domestic PI handlers. We expect further guidance from CAC on this issue.

CBDT Restrictions on Important Data

Reportedly, CAC’s slowness in issuing the Provisions was due in part to competing views among regulators on how to balance the conflicting goals of boosting economic growth and strengthening national security.[1]

The requirement under the CBDT regime that a security assessment be undertaken for the export of “important data” is of particular national security importance. Yet compliance with this requirement has been virtually impossible due to the lack of clarity as to what counts as important data. The DSL calls for central government departments and local governments to issue catalogues identifying important data within their respective scopes of authority, but they have been slow to do so over the almost three years since the DSL was promulgated.

The last few months have seen a faster pace of efforts by governmental authorities to publish such catalogues. In February, authorities in both Tianjin FTZ and Lin-gang Special Area of Shanghai FTZ issued regional guidance on the identification of important data. Also, regulators in the automotive, financial, telecommunications, aviation, and certain other sectors have published rules that at least provide guidance on the criteria to be used in identifying important data. However, the process will be gradual and uncertainty as to the scope of important data will endure.

In this context, the Provisions provide meaningful comfort by expressly clarifying that data (other than PI) that has not yet clearly been identified as important data may be exported without complying with the CBDT regime. Meanwhile, data exporters ought to keep track of the fast-evolving landscape relevant to important data.

Implications of the Provisions and Remaining Challenges

The Provisions go a long way to addressing criticisms of China’s old CBDT regime. The exemption from compliance with the various regulatory filing and related requirements of the CBDT regime for companies that export only small volumes of PI is particularly welcome, as is the change in approach concerning important data. The Provisions will also help clear the bottleneck that the old CBDT regime created within CAC in its review of the large volume of applications the old regime required.

Nonetheless, data exporters should bear in mind that, by reducing its ex-ante review of data exports, CAC is not in any way exempting data exporters from other requirements of China’s CBDT regime or relinquishing its authority to scrutinize data export practices. These other requirements include:

providing individuals with a sufficient privacy notice that sets out the name and contact information of the overseas recipient, among other information;
when the initial basis for collecting relevant PI is consent, obtaining separate consent from the individual specifically relating to the PI export; and
conducting a PI protection impact assessment.

Through CAC’s ex-post inspections of their data handling practices, or indeed because of enforcement actions by data subjects, individual companies can be called to account for any non-compliance with these requirements. To some extent, with its issuance of the Provisions, CAC has shifted the burden to individual companies to make judgment calls as to what practices are compliant with these and other PIPL requirements. Notably, the Provisions urge local CAC branches to strengthen the supervision of data export activities of local companies. We expect that various remaining uncertainties concerning PIPL’s data export and other rules will be clarified gradually through CAC’s enforcement activity and claims pursued by individual data subjects.

As further explained in the Terms / Notices linked below, the information provided herein is not legal advice. Any information concerning the People’s Republic of China (PRC) is not an opinion on, determination on, or certification of the application of PRC law. We are not licensed to practice PRC law.

[1] See the Financial Times: China’s sluggish approval of data exports leaves companies struggling, January 3, 2024.

Paul D. McKenzie
Partner
Gordon A. Milner
Partner
Chuan Sun
Managing Partner, Shanghai
Tingting Gao
Associate

Practices

Privacy + Data Security

Industries + Issues

Technology

Regions

China