Happy new year, privacy pros. I hope you spent a great, relaxing holiday with your loved ones over the past weeks and are fully recharged for 2024.

As we just stepped into the new year, let's take a moment to review the significant developments in China's data protection landscape during 2023 before we delve into predictions for what's ahead.

Undoubtedly, cross-border data transfers took center stage in 2023. The year witnessed the full implementation of China's three legal mechanisms for cross-border data transfers, initially established in the Personal Information Protection Law.

Before the end of February, thousands of companies across industries submitted applications to the Cyberspace Administration of China for security assessment because their outward data transfers exceeded thresholds. By the end of December, a small number of businesses received approval from CAC, with many applications still under review.

China's rules on standard contract clauses for cross-border data transfers and template contract terms were officially adopted 1 June 2023, with a 6-month compliance window ending 30 Nov. While resembling the EU General Data Protection Regulation SCCs to some extent, China's SCC regime has unique elements, posing challenges for companies to align with Chinese SCC requirements.

Toward the end of September, CAC issued a consultation draft to ease certain restrictions on cross-border data transfers. Notable relaxations included lenient procedures for the transfer of employee data, a lighter compliance burden on businesses to determine important data, and the future rollout of favorable policies at China's free trade zones for outward data transfers.

More integrated data collaborations have emerged in the Guangdong-Hong Kong-Macao Greater Bay Area located in south China, evidenced by the new measures for streamlining SCC requirements for data transfers between Hong Kong and nine cities in the GBA, starting from December 2023. And on Christmas Day, a cross-border data transfer project operated by the University of Macau became the first to receive the Personal Information Protection certification. Subsequently, five other companies, including major players like Alipay and JD Technology, obtained PIP certification for their personal data activities.

On the enforcement front, Chinese regulators maintained an active presence throughout 2023. International brands and local businesses, including large and small companies, were found noncompliant in the dawn raids and investigations carried out by regulators. China National Knowledge Infrastructure, China's largest online academic database, received a hefty fine of RMB50 million (approximately USD7.1 million) due to multiple violations of the PIPL, Data Security Law, and Cybersecurity Law.

Looking ahead, 2024 promises to be another busy year for privacy pros, and you may wish to keep an eye on the following predictions:

First, the draft regulations on easing cross-border data transfers will most likely be issued in final form in the first quarter of 2024. Additionally, pilot schemes on negative lists or fast-track reviews of cross-border data transfers are expected to be launched by the free trade zones with dynamic digital economies such as Beijing, Shanghai and Shenzhen. These pilot schemes will serve as China's regulatory sandbox and will likely be rolled out nationwide if they run well in the free trade zones.

Second, two important new regulations took effect 1 Jan. 2024. They are the Regulations on Including Data Assets in Companies' Financial Reporting — which will be a new enabler for data-rich companies to leverage and maximize the value of the data elements — and the Rules on Online Protection of Minors — imposing enhanced compliance requirements on business organizations when collecting and processing personal information of minors.

Third, regulations on determining critical information infrastructures, important data, and personal information compliance audits are likely to be finalized. We have seen that some industry regulators, for example the Ministry of Industry and Information Technology, are more advanced than others in formulating detailed rules to regulate important data in their industry sectors.

Last but not least, Chinese data regulators are never shy about robust enforcement and will remain active in the new year. The recent draft regulations issued in December on data breach notifications impose significant reporting requirements and tight timelines and, if adopted, will pose greater compliance challenges for companies across industries. Companies must stay abreast of regulatory movements and take the required compliance actions.

Until next time.