+44 (0) 121 582 0192 [email protected]

Proposed Changes to Cross-Border Data Transfers Under China’s PIPL

by | FriDecJ | APAC, Artificial Intelligence (AI), Brazil, Canada, China, EU, Hong Kong, India, Japan, Malaysia, North America, Philippines, Singapore, South America, South Korea, Thailand, United Arab Emirates, United Kingdom, United States, Vietnam Privacy Law

China PIPL data Transfer Laws

Introduction

In a significant development for the global business community, China is set to ease its cross-border data transfer (CBDT) requirements under the Personal Information Protection Law (PIPL). This move, announced in September 2023, is part of a broader effort to create a more business-friendly environment, particularly for private and foreign companies.

 

State Council’s Initiative to Attract Foreign Investment

The initiative began in August 2023 when China’s State Council issued opinions aimed at attracting foreign investment. A key recommendation was to establish a more secure and efficient mechanism for data export, simplifying the process for foreign companies to transfer their data internationally.

 

The Draft Regulations for Data Export

The Cyberspace Administration of China (CAC) released the Regulations on Standardising and Promoting Cross-Border Data Flows (Draft for Comment), introducing allowances for exporting “important data” and personal information (PI) under certain conditions. These draft regulations could significantly reduce uncertainties and compliance burdens for many companies.

 

Key Aspects of the Draft Regulations

  1. Waiving CBDT Mechanisms: For data generated through activities like international trade, academic cooperation, transnational manufacturing, or marketing, which does not contain PI or “important” data, companies are exempt from undergoing CBDT mechanisms such as CAC security assessment, third-party certification, or standard contracts.
  2. Security Assessment Conditions: Companies must undergo a CAC security assessment if they export “important data,” are critical information infrastructure operators (CIIOs), handle the PI of more than one million individuals, or have exported substantial amounts of PI.
  3. Flexibility for Smaller Data Volumes: Companies below certain thresholds can opt for PI protection certification by a third party or sign standard contracts for data export.

 

Easing CBDT for Foreign Companies

With the aim of boosting economic recovery post-pandemic, the State Council introduced measures to facilitate data export for foreign firms. This includes establishing “green channels” and piloting a list of “general data” for free cross-border transfer in major cities like Beijing, Tianjin, and Shanghai.

 

Waivers and Facilitations in the Draft Regulations

The draft regulations provide exemptions from the CBDT mechanisms for exporting data that does not contain PI or important data. Additionally, there are stipulated scenarios where exporting PI is deemed necessary, thus exempting such transactions from the CBDT mechanisms.

 

Core Elements of the Proposed Exemptions

The initial section of the Draft Provisions outlines a critical exemption clause. It states that the necessity for a Security Assessment, Certification, or adherence to a Standard Contract is nullified if the data intended for export is derived from activities such as international trade, academic cooperation, cross-border manufacturing, or marketing, and importantly, does not include personal information or categorised as “Important Data.” In detail, the Draft Provisions exempt from the trio of data export requirements in the following scenarios:

  1. Contractual Necessity Exemption: If exporting data is essential for fulfilling a contract involving a data subject (for instance, in cases of international purchases, cross-border financial transactions, reservations for flights or hotels, and visa processing).
  2. Internal Employee Data Exemption: The exemption applies when the data pertains to internal employee information and is essential as per the company’s employment policies, which are based on legal, regulatory frameworks, or collective labor agreements.
  3. Volume Threshold Exemption: An exemption is in place if the anticipated cross-border data transfer involves personal information of fewer than 10,000 individuals within a single year.
  4. Non-PRC Origin Exemption: Personal information that is not collected or produced within the People’s Republic of China (PRC) is exempted from the export requirements.
  5. Emergency Situations Exemption: Data transfers that are crucial for safeguarding an individual’s health or property in emergencies are exempt from the requirements.
  6. Free Trade Zones Exclusion: Data transfers that occur outside the purview of the Negative Data List specified for free trade zones are also exempt from these requirements.

These provisions indicate a substantial shift in the regulatory approach, offering more flexibility and clarity for businesses engaged in cross-border data transactions.

 

Conclusion

The proposed changes in the PIPL represent a significant shift in China’s approach to data governance, especially in terms of cross-border data flows. For businesses operating in China, understanding these changes is crucial for compliance and strategic planning. Check out Formiti Global Privacy Services