On 28 September 2023, the Cyberspace Administration of China (CAC) issued the Draft Provisions on Regulating and Promoting Cross-border Data Transfers (the Draft Exemption Rules), which potentially loosen certain requirements for the cross-border transfer of personal information.
Under Article 38 of the Personal Information Protection Law and its implementing rules, companies transferring personal information out of China are required to fulfil one of the following: a) apply for and pass the security assessment by the CAC; b) sign and file the standard contract with the provincial counterpart of the CAC; or c) obtain the certification from an approved institution (the Channel Option Requirement).
In addition, data handlers who meet the threshold or transfer important data per the Measures for Security Assessment of Data Cross-border Transfer must apply for security assessments. The other two options are not available to them.
Draft Exemption Rules
The Draft Exemption Rules released on 28 September provide clarification and exemptions to these requirements in certain situations. Among these situations, the following are worth noting:
- Data that is not notified or publicly released as important data by authorities can be transferred without security assessment.
- If personal information was not collected within China and is provided outside of China, the data handler is not required to fulfil the Channel Option Requirement.
- The Channel Option Requirement is exempted in the following circumstances:
  - if it is necessary to provide personal information out of China in order to enter into or perform a contract the individual is party to, such as cross-border shopping, cross-border remittances, flight and hotel bookings, visa processing, etc.;
  - if it is necessary to transfer employees' personal information out of China for human resources management implementation in accordance with employment policies or a signed collective employment contract established or concluded in line with the law; or
  - if it is necessary to transfer personal information out of China to protect the life, health and property safety of natural persons in emergency situations.
- If a data handler anticipates transferring the personal information of fewer than 10,000 individuals out of China within one year, the Channel Option Requirement is exempted. The consent of individuals, however, must be obtained when consent is the lawful basis for the cross-border transfer of personal information.
- Pilot free trade zones may explore establishing a negative list mechanism for the free flow of data, and only data that falls within this negative list is subject to the Channel Option Requirement.
The public can comment on the Draft Exemption Rules until 15 October 2023. Given the shortness of this period and the fact that the deadline for filing standard contracts for existing transfers is 1 December, the rules could take effect in time to exempt companies from contract filing.
While these are draft provisions, their introduction indicates China’s intent to ease restrictions on the cross-border transfer of data. The impact of this initiative remains to be seen pending the final form of this draft legislation.
The full text can be found here.