Addressing China's cross-border data transfer issues is probably one of the biggest challenges faced by privacy professionals working at multinational corporations since China adopted its Cybersecurity Law, Data Security Law and Personal Information Protection Law.
Unlike the EU General Data Protection Regulation, China's cross-border data transfer (CBDT) regime subjects outbound data transfers to one of three legal mechanisms: a regulator-led security assessment, the Chinese standard contractual clauses (SCCs), or certification. Given the volume and extent of the documents and information expected, the turnaround timeline, and the governmental approval or filing process, the CBDT legal mechanisms have posed enormous compliance challenges for multinational corporations and their operations in China.
To address those concerns, China's top data regulator, the Cyberspace Administration of China, issued draft regulations on Promoting and Regulating Cross-Border Data Flows 28 Sept. 2023 for public consultation. After months of thorough debates and discussions, the final version of the CBDT regulations was released 22 March, with immediate effect. These regulations introduce some notable loosening of cross-border data transfer constraints, signaling China's pivot toward striking a balance between data security and fostering digital economy growth. Let's delve into key relaxations, examining their potential impacts on business organizations.
Complete exemption of the CBDT legal mechanisms
Cross-border data transfer is not subject to any of the CBDT legal mechanisms in any of the following:
- A company transfers China-collected data related to international trade, cross-border transportation, academic collaborations, and cross-border manufacturing/sales, if no important data or personal information is involved.
- The data transfer is necessary for signing or performing contracts for cross-border shopping, courier services, payments, account opening, hotel/air ticket booking, visa application, or examination services to which an individual is a party.
- The transfer of personal information is necessary to safeguard an individual's life, health or property in the event of an emergency.
- The transfer of nonsensitive personal information totaling fewer than 100,000 individuals since 1 Jan. of the current year by a noncritical information infrastructure operator.
These relaxations carve out a significant number of day-to-day business transactions from the CBDT legal mechanisms, allowing companies to choose their transfer methods, such as inter-group data processing agreements or GDPR-based data transfer agreements, for transferring China-collected data to their headquarters or business partners outside China.
Employee data
Many multinational corporations use centralized IT systems or tools to manage employee data, conduct performance reviews, and process salary payments and other employee benefits. Previously, under the prevailing regulations on security assessment and Chinese SCC, Chinese subsidiaries of multinational corporations typically had to undergo CAC security assessments or sign the Chinese SCC and file with the regulator, depending on the volume of employee data transferred. Now, under the CBDT regulations, employee data transfers are exempt from any of the CBDT legal mechanisms, irrespective of data volume.
However, the devil is in the details: companies can only benefit from these new flexibilities if they meet the relevant legal conditions, which extend beyond data protection regulations and require compliance with relevant Chinese employment laws and regulations. For example, a legally drafted employee handbook must go through a democratic consultation procedure with employees, so it is important for companies to review the relevant corporate documents and policies to ensure the applicable legal standards are met.
Relaxed thresholds triggering the CBDT legal mechanisms
Previously, the rules governing security assessments and SCCs set relatively low thresholds, such as 100,000 individuals' nonsensitive personal information since 1 Jan. of the preceding year to trigger a security assessment, and there was no de minimis threshold at all for SCCs. Given the vastness of the Chinese market and its population, those figures seemed inadequate.
The CBDT regulations have significantly eased those by introducing the following relaxed thresholds:
- The transfer of nonsensitive personal information involving fewer than 100,000 individuals from 1 Jan. of the current year is exempt from any CBDT legal mechanism.
- The transfer of personal information of between 100,000 and 1 million individuals, or sensitive personal information of fewer than 10,000 individuals, from 1 Jan. of the current year requires an SCC filing or certification rather than a CAC-led security assessment.
- The transfer of important data, personal information exceeding 1 million individuals, or sensitive personal information exceeding 10,000 individuals from 1 Jan. of the current year necessitates a security assessment.
Note that these relaxed thresholds apply only to noncritical information infrastructure data handlers. If a company is designated as a critical information infrastructure operator by the regulator, it is still required to conduct the regulator-led security assessment before transferring personal information or important data out of China.
Important data
Transferring important data out of China requires a CAC security assessment. However, due to a lack of clarity, determining what constitutes important data has been challenging for many companies. The CBDT regulations attempt to reduce compliance uncertainty by allowing data handlers to consider their data as nonimportant unless expressly identified or notified by regulators or falling into a category of important data publicly announced by authorities.
While this burden shift is a positive development, it does not mean companies are off the hook. The CBDT regulations still mandate self-regulating measures, including proper data mapping, identification, and reporting of important data according to the relevant regulations. Industry regulators across multiple sectors and governmental authorities in various free-trade zones have issued, or are in the process of drafting, catalogues of important data and guidelines for data classification and grading. It is therefore important to keep a close watch on regulatory and enforcement trends and to take appropriate compliance actions as they develop.
Free-trade zones
Under the CBDT regulations, free-trade zones are empowered to draft a data negative list specifying which data will be subject to security assessment, SCCs and certification within their own jurisdiction. For data outside the negative list, cross-border transfer is exempt from any of the legal mechanisms. The Tianjin free-trade zone has issued guidelines for data classification and grading, which notably increase the important data threshold to 10 million individuals. The Shanghai free-trade zone has announced its plan to finalize a catalog of important data and core data, and is also reported to be close to finalizing guidelines for automotive data and health data.
Next steps
The draft regulations stipulate that in case of discrepancies between the regulations and the compliance requirements under the previous rules governing security assessments, SCCs and certification, the new CBDT regulations take precedence. This raises questions about next steps in light of the new regulations. How can you take advantage of the preferential relaxations under the new regulations? What should you do with security assessment applications submitted to the CAC that have been rejected or partially approved? What about pending SCC filing applications awaiting the green light?
To answer those questions correctly and properly, a company needs to understand the provisions and analyze its specific transfer scenarios against the relaxations provided by the new regulations. The goal is to determine whether each transfer qualifies for an exemption or a relaxed threshold, and whether the company can therefore use its usual inter-group DPA without adopting any of the CBDT legal mechanisms, switch to a less intrusive and time-consuming transfer model, or even withdraw an existing application from the CAC.
It is important to bear in mind that the easing of regulatory requirements by the CBDT regulations does not mean companies are "set free." Businesses are still required to undertake a thorough data mapping exercise to align with the updated compliance requirements, review and update the relevant privacy documents and corporate policies, and implement appropriate organizational and technical measures to enhance compliance and risk management.