On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued the Provisions on Regulating and Facilitating Cross-Border Data Flow (Draft for Comments) (“Draft Rules”) for public comment, with a deadline of October 15, 2023. If formally adopted, the Draft Rules will result in significant changes to the application of data export regulation in China. This article briefly assesses the impact of the Draft Rules on enterprises’ data exports and suggests some next steps.
I. The Export of Important Data
According to Article 2 of the Draft Rules, a data processor does not need to apply for a data export security assessment if it has not been notified by the competent authorities or local government that the data to be exported is important data, or if that data has not been publicly announced as important data. This reduces the burden on organizations of assessing important data exports while the scope of “important data” remains unclear.
II. Personal Information Exports
(1) Data processors exporting employees’ personal information on the basis of necessary HR management will be exempted from the requirements of the compliance routes.
Article 4(2) of the Draft Rules stipulates that if the exporting of an employee’s personal information is necessary for conducting human resource management under the labor rules and regulations and a collective contract signed in accordance with the law, there is no need to implement the three data export compliance routes (i.e., the security assessment route, standard contract route and certification route). However, the following issues remain to be clarified by the CAC:
what are the criteria for “necessary”? How do you prove the “necessity” for an employee’s personal information to be exported for human resource management, and is the separate consent of the employee still required in this case?
for organizations that still need to implement one of the three data export compliance routes, do they need to include the exempted scenario of being “necessary for human resource management” in the assessment report?
(2) Data processors that expect to export the personal information of less than 10,000 individuals within one year will be exempt from the requirements of the compliance routes.
Article 5 of the Draft Rules stipulates that entities that expect to export the personal information of less than 10,000 individuals within one year are exempt from the three data export compliance routes. However, the following questions remain to be clarified by the CAC:
what is the starting point for calculating “within one year”?
is there a need to distinguish between “sensitive personal information” and “general personal information”? i.e., as long as less than 10,000 individuals’ personal information is expected to be exported within one year, no matter whether the personal information is sensitive personal information or not, could the three data export compliance routes be exempted?
when calculating the amount of exported personal information, should the quantity of an employee’s personal information exempted by Article 4(2) be included?
(3) Data processors that expect to export the personal information of more than 10,000 but less than 1 million individuals within one year should implement the standard contract route or certification route; those exporting the personal information of more than 1 million individuals shall implement the security assessment route.
Article 6 of the Draft Rules stipulates that data processors that expect to export the personal information of more than 10,000 but less than 1 million individuals within one year do not need to conduct a security assessment if they have implemented the standard contract route or the certification route; if they export the personal information of more than 1 million individuals, the security assessment must be declared. However, the following questions remain to be clarified by the CAC:
what is the relationship between Article 6 and Article 4(2)? Does the amount of personal information exempted under Article 4(2) still need to be counted in Article 6?
will the historical quantity of the data exported set out in the Measures for Data Export Security Assessment and the Measures for the Standard Contract for Personal Information Export no longer be taken into consideration?
Regardless of whether the exemptions in the Draft Rules apply to personal information exports, the requirement of separate consent for exporting personal information is not exempted. According to Article 55 of the Personal Information Protection Law, a personal information protection impact assessment must still be carried out when providing personal information abroad, but it is not currently mandatory to draft this assessment in accordance with the template issued by the CAC. Nonetheless, it is recommended to incorporate the contents from the template into the report prepared by the entity itself.
III. Other exemption scenarios
In addition to the above exemptions, the following situations can also be exempted from the three data export compliance routes: (i) exporting data generated from international trade, academic cooperation, cross-border production and manufacturing, and marketing activities that do not contain personal information or important data; (ii) exporting personal information not collected domestically; (iii) exporting personal information necessary to enter into and perform contracts to which the personal information subject is a party; (iv) exporting personal information necessary to protect the life, health, and property safety of natural persons in emergency situations; (v) entities registered in the free trade zones exporting personal information that is not included in the “negative list” issued by the free trade zones.
IV. Advice for enterprises
The Draft Rules will have a significant impact on existing data export compliance mechanisms. We suggest that enterprises closely monitor the release of the Draft Rules and take the following steps:
(1) assess the impact of the Draft Rules on their ongoing data export compliance work in conjunction with the new thresholds in the Draft Rules. Specifically, estimate the amount of personal information expected to be exported within one year and further assess whether the data export compliance routes could be exempted or changed in accordance with the Draft Rules;
(2) if there is no need to implement the three compliance routes after assessment, enterprises should continue to complete other compliance requirements, including obtaining the separate consent of the relevant individuals, completing the personal information protection impact assessment and conducting necessary assessments to prove that the enterprise meets the exemption conditions;
(3) enterprises that still need to carry out one of the three compliance routes for data export after assessment should continue to complete the corresponding work;
(4) pay close attention to the legislative developments of the Draft Rules, especially the interpretation of Article 3 and Article 4 of the Draft Rules, so as to determine whether their data exports could meet the exemptions;
(5) enterprises in free trade zones should pay attention to the release of the “negative list” for data exports.