January 18, 2024

China’s new requirements for cross-border data transfers

China’s new requirements for cross-border data transfers

The Chinese PIPL regulations and Cybersecurity Laws are crucial safeguards for both Chinese businesses and the personal data of Chinese residents. While these laws have been instrumental, there have been discussions among various stakeholders and institutions regarding certain aspects, particularly the Chinese cross-border data requirements.

For businesses operating internationally in China, navigating these regulations has posed some challenges due to the nuances in the cross-border data transfer rules. In this article, we will explain the existing data transfer mechanisms and possible law relaxations.

Existing cross-border data transfer mechanisms

Data residency requirements by country differ. While some are tougher, some just seem to have the right blend of toughness and ease of application. Before the proposed new amendments, cross-border data transfers outside of China were done in the following steps:

  • Security assessment by the Cyberspace Administration of China (CAC)

The first step was to be assessed by the apex cyberspace monitoring body in China. This applies to the transfer of sensitive personal information outside China, or transferring a large volume of data (currently thresholds are under revision, proposed to be significantly lowered).

  • Having standard contractual clauses

These standardized contracts are pre-approved by the CAC. They can be used for transfers of non-sensitive personal information or smaller data volumes. Although it is less strict compared to the security assessment, it still imposes contractual obligations on both parties to ensure data protection.

  • Professional certification

Obtaining a security certification by a third-party certification institution designated by the CAC. This is suitable for companies with robust data protection practices.

These were the existing cross-border data transfer mechanisms that were criticized for their haziness, especially regarding factors that can lead to the rejection of a data transfer application by the CAC.

Exemptions to the application of the new proposed CBDT mechanisms

Under the current draft of CBDT mechanisms, a company may be exempted from the mechanisms in the following circumstances:

  • Transfer of personal information collected outside of China

This type of personal data gets a direct exemption from the rules of CBDT, as the information was collected outside the borders of the People’s Republic of China.

  • Required to complete a contract

If an organization needs to transfer personal information to fulfill a contract that they are part of, it will not be prevented by the CBDT Mechanisms. The existing mechanisms permit data transfers for transactions like cross-border e-commerce, payments, flight and hotel bookings, and visa applications. This exception is good news for businesses like e-commerce retailers, online travel agencies, booking services, and financial institutions that often have to move data worldwide to meet their contractual commitments

  • No transfer of important data or personal information

As the subtitle implies, if no important or personal data is transmitted in the process of carrying out an international transaction, cross-border manufacturing, or marketing activities, etc. none of the CBDT mechanisms are triggered, and the organization is free to continue with its activities. Essentially, there’s no need to go through the CAC security assessment unless important data is involved. This is a relief for multinational companies, addressing a significant concern. Unlike current regulations where the responsibility lies with the data processor to identify important data, the draft provides clarity, especially when there’s limited guidance on making such determinations.

  • If CBDT is done to preserve some vital interest

If an organization needs to transfer personal information in an emergency to safeguard the health or safety of an individual, they get a pass from the CBDT Mechanisms. This exemption ensures swift action in critical situations without being hindered by regulatory processes.

  • Done in fulfillment of Human Resources Management requirements

When an organization transfers employees’ personal information to HR management in line with employment policies or a collective contract, they are exempt from CBDT Mechanisms. But, the extent of this exemption hinges on how broadly the CAC defines what transfers are deemed ‘necessary.’ In essence, the exemption’s scope is subject to the CAC’s interpretation.

New CAC protection threshold

The recently published changes to the existing CBDT mechanisms, aim to streamline data transfer procedures for smaller businesses and organizations while maintaining stricter controls for large-scale or sensitive data transfers. Here’s a breakdown of the proposed new thresholds businesses must be aware of going into 2024:

  • Data transfers for less than 10,000 individuals

 If the estimated transfer of personal information for individuals outside China within a year is less than 10,000, it will not require a security assessment by the CAC.

  • Data transfers for between 10,000 and 1 million individuals

Standard contract option: If the estimated transfer is between 10,000 and 1 million individuals, a simplified “Standard Contract” procedure approved by the CAC can be used instead of a full security assessment.

  • Data transfers for more than 1 million individuals

If the estimated transfer exceeds 1 million individuals, a mandatory security assessment by the CAC will be required.

  • Sensitive personal information 

A full security assessment remains mandatory for any Chinese cross-border data flow of ++ sensitive personal information exceeding 10,000 individuals.

As you would appreciate, this is a draft proposition that is still under public consultation and has not been implemented. However, they give us a fair representation of what to expect when the new CAC protection threshold has been approved.

Some relaxations expected in 2024

China’s Data localization rules are quite complex, especially because of the haziness surrounding cross-border data flow. However, with the new proposed CBDT mechanism, we expect to see some relaxation in the Laws.

Besides the proposed relaxations hinted at in the new CAC protection threshold draft, we expect to see other relaxations in the laws surrounding data processing, storage, and transfer in 2024. In the recently concluded Central Economic Work Conference (CEWC) in December 2023, officials of the CEWC focused on seeking ways to attract more foreign investments to China in 2024. One of the methods identified was to promptly respond to the requests of foreign companies, which mostly centers on cross-border data transfers. This is a major reason to expect further relaxation in China cross-border transfer in 2024

Furthermore, the renewed desire of the Chinese government to be part of the Digital Economy Partnership Agreement (DEPA) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), will see them relax some of their data transfer rules, especially in the free trade zones. These organizations require free data flow among member countries. So, we expect the Chinese government to loosen up their data transfer restrictions to be able to join these organizations.

The DEPA is often regarded as “the first trade agreement to target the digital economy”, and its member states are New Zealand, Singapore, and Chile. This trade agreement aims to boost digital trade, enable cross-border data flow, and create a system of trust in which data is shared equitably and personal and online consumer data is protected. On the other hand, The CPTPP is a free trade agreement comprising seven countries currently.

How InCountry helps global companies with Chinese CBDT

It surely comes as good news to most business leaders that the Chinese government is likely relaxing cross-border data transfer laws in 2024. However, as most expect, these relaxations may only apply in free trade zones. Again, the proposed draft is still going through reviews and may end up a far distance from what the current draft suggests.

With our Data Residency-as-a-Service, companies can store their data in our dedicated servers in China, and access it from any location in the world, thereby eliminating the need for data transfer. And even if you need to transfer your company’s data across borders, our safe and fully encrypted system protects the data while in transit. Besides full data security and easy scalability, businesses can expect to enjoy full compliance with all regulatory standards in China, with our InCountry for China tools that we have leveraged to ensure full data compliance over the years.

Contact us, let’s discuss your needs and show you how much value we can contribute to your business success!