Earlier today (28 September), the China Cybersecurity Administration (CAC) released a draft regulation for public consultation that would exempt certain cross-border data transfers (CBDTs) from the current rules.
See our previous briefing here for a summary of the key aspects of the current rules.
If passed in its current form, the Provisions on Regulating and Promoting the Cross-border Flow of Data (the Draft Provisions) would exempt the following CBDTs (among others) completely from the requirement to (i) enter into a standard contract, (ii) undergo a security assessment, or (iii) obtain certification:
- personal data: where necessary for the conclusion or performance of a contract to which the relevant individual is a party. Non-exhaustive examples given are: cross-border shopping, cross-border remittance, air ticket and hotel reservations, visa processing, etc.
- employee personal data: where necessary for human resources management in accordance with an organisation's internal policies/ collective contracts, etc.
The Draft Provisions also propose the following exemptions for transfers of personal data based on annual transfer volume:
- standard contract/ certification: for estimated transfers of the personal data of fewer than 10,000 individuals a year.
- security assessment: for estimated transfers of the personal data of fewer than 10,000 individuals a year. It is not clear what the interaction of this threshold will be with the current two-calendar year volume threshold for security assessment. In practice the exemption is likely to be mostly applicable to either:
  - transfers of sensitive personal data since the two-calendar year threshold for transfers of sensitive personal data is set at the same 10,000 level (although the new rules do not explicitly apply to transfers of sensitive personal data, so this is not completely clear), or
  - organisations that pass the 'one million threshold' in terms of the personal data they hold/ process, but which transfer very little of this data out of China each year.
- security assessment: for estimated transfers of the personal data of between 10,000 and 1 million individuals a year, provided that the organisation has entered into (and filed) a standard contract for CBDT or has obtained certification. (Transfers above 1 million will need to undergo a security assessment - the counting period is not stated, but is presumably also annual.) The current two-year transfer threshold is 100,000 individuals.
The Draft Provisions do not lift the requirement to obtain individual consent to CBDTs of personal data.
It is not clear whether or not the Draft Provisions will lift the security assessment requirement for organisations that merely hold the personal data of more than one million individuals but are not transferring that data above any of the applicable volume thresholds. Possibly, yes.
Separately, the Draft Provisions confirm the current de facto situation that a security assessment does not need to be applied for in respect of a CBDT of potential 'important data' unless that data has been formally classified as 'important data' by the relevant authorities. Only a few such classifications have been issued as of today (e.g., for connected car data and aircraft operational data).
Lastly, the Draft Provisions appear to provide that free-trade zones in China will be able to grant further exemptions from CBDT (negative lists), subject to obtaining CAC approval. (The draft is not clear on exactly what the permitted scope of these exemptions will be.)
These proposals will be welcomed by international businesses in China.
Given that the initial execution deadline for standard contracts is 30 November 2023 (to be filed with the CAC within 10 working days), the expectation has to be that these new rules will be brought into effect before then.
On the other hand, no mention is made in the Draft Provisions of the proposed 'green channels' for security assessment that the State Council trailed on 13 August 2023.