Hi privacy pros. Warm greetings from Beijing, China.
At the IAPP Global Privacy Summit 2024 in Washington, D.C., in April, the most frequently asked question I received was how to address China's cross-border data transfer challenges. I discussed China's new cross-border data transfer regulations released in March during our Asia panel session. These new regulations — which provide long-awaited relaxations on CBDT requirements — introduce exemptions from, and lower the thresholds for, regulator-led security assessments, Chinese standard contractual clauses, and third-party certification, if the transfer scenario falls within their scope.
These positive developments are certainly welcomed by multinational corporations as they reduce compliance burdens and costs. However, it is important to note that there are specific legal conditions that must be met to benefit from these exemptions and relaxations, so the devils is, indeed, in the details, as we say.
In May, there was further good news as local Chinese authorities in the Free Trade Zones of Shanghai and Tianjin issued pilot schemes to fast-track cross-border data transfers and promote the digital economy.
On 8 May, the Tianjin Free Trade Zone issued the groundbreaking Negative List for cross-border data transfers, which includes 13 industries and 64 sub-sectors, covering sensitive industries such as energy, finance, infrastructure, public health, telecommunications, transportation and others. Data can be transferred out of China freely unless explicitly listed on the Negative List. If listed, the data exporter must still go through the security assessment, SCC, or certification process. The Negative List specifically excludes certain types of public data and data generated during ordinary business activities, although further clarification is needed to define the scope and boundaries of these exclusions.
On 17 May, the Shanghai Lingang Free Trade Zone issued general data catalogues covering three industries: biopharmaceuticals, connected vehicles and public funds. Data within the scope of these catalogues can be transmitted freely out of China without undergoing the aforementioned legal mechanisms, provided no important or core data is involved, and the total volume of non-sensitive personal data transferred in the current year does not exceed 100,000 individuals.
To provide further clarity, these "White List" catalogues include industry-specific examples. For instance, the biopharmaceutical list includes data on clinical research and development, pharmacovigilance, side effects, product complaints, and pseudonymized personal data of patients and health care professionals. The list for connected vehicles covers data on vehicle research and development, manufacturing, inventory and warehousing, quality control, and customer services. For public funds, the "White List" applies to data on economic and market research, payment and settlement systems, investor management systems, know your customer and anti-money laundering, and other compliance audits.
China has established multiple free trade zones across the country. The new CBDT policies adopted by Shanghai and Tianjin Free Trade Zones will provide valuable experience and references for others. At the time of writing this note, the Free Trade Zone authority in Beijing is close to finalizing its own CBDT preferential policy, making this an interesting area to monitor closely.
New technologies will continue to play an important role in promoting cross-border data transfers and addressing data security risks. In May, the Hong Kong Monetary Authority launched a pilot project in the financial technology sector, establishing a Shenzhen-Hong Kong cross-border data validation platform using blockchain technology and hash values to validate the authenticity of documents in the financial sector. The first phase of this pilot project will include validation of credit reference reports and know your customer documents required for opening corporate bank accounts.
China's data and privacy regime is constantly evolving, and these are just a few of the most important recent developments. Stay tuned, and until next time.