Five Things to Know About China’s Relaxed Draft Rules on Cross-Border Data Transfers

06 Oct 2023

China is looking to relax its rules on cross-border data transfers, issuing draft provisions that experts say would essentially create “a whitelist” that exempts qualifying foreign companies from the stringent policies that have become a burden to some of those operating in China.

The Cyberspace Administration of China (CAC), the country’s top internet regulator, released the draft rules Thursday to clarify which kinds of data would no longer need to undergo a security review before being transferred abroad. The CAC is seeking public comments on the document until Oct. 15.

Below are five things that you need to know about the latest draft rules and their potential impact:

What circumstances are addressed by the whitelist?

Under the draft rules, companies that expect to transfer the personal information of fewer than 10,000 individuals within a year would not be subject to cross-border data transfer compliance requirements, which include passing a security review, formulating standard contracts with overseas recipients, and getting certified for personal information protection.

The export of data generated in “trade, academic, cross-border manufacturing and marketing activities” that do not contain personal information or important data would also not be subject to these compliance requirements. The draft also clarified the definition of important data, stating it is defined as any that regulators notify processors about specifically or announce publicly as important data.

In addition, conducting human resources work within a company and other activities in which personal information must be sent outside the country — such as booking airplane tickets, processing visas, or conducting wire transfers — would also be free from the compliance obligations.

Personal information that is not generated or collected within China would also be whitelisted.

What activities will still be subject to regulations?

Companies that expect to send the personal information of more than 10,000 people — but fewer than 1 million — overseas in a given year can be exempted from the security review if they have established standard contracts with overseas recipients and registered with provincial-level cyberspace departments or have been certified for personal information protection.

If a company ends up transferring personal information about 1 million people or more abroad, then the security review will still be required.

Operators of key information infrastructure providing personal information and important data overseas, as well as the export of data containing sensitive information involving the government, party, military or confidential units, would need to follow relevant laws and regulations, the draft said.

What’s the potential impact of the draft rules?

The draft could make overseeing cross-border data transfers “more flexible,” said You Yunting, a senior partner at the Shanghai Debund Law Offices.

The provisions related to human resources management could help reduce the compliance costs of some foreign companies when transferring HR information abroad, “which is conducive to the international circulation of human resources,” Yu added.

Who can make their own negative lists?

The country’s pilot free trade zones (FTZ) would be allowed to make their own negative list of data required to go through the different forms of compliance assessment. The list should be approved by the provincial internet security and information technology committee and then submitted to the national cyberspace department.

Meanwhile, exporting data that’s not on the list will be exempt from the required compliance assessment.

Yu believes giving FTZ management committees the freedom to decide their own data transfer “negative list” could lead to timely revision of policies based on the security situation and actual market demand.

How have existing regulations impacted foreign companies?

Following the implementation of several cross-border data transfer regulations in recent years, including the measures on security assessment last September and the rules on standard contracts this June, multinational companies have complained about the lack of clarity and clear guidance.

The situation has created “uncertainty and huge administrative burdens for European companies in China,” the European Chamber of Commerce in China said in a position paper released this month.