Felicia Wang
At the end of March 2024, China’s Cyberspace Administration (“CAC”) issued new rules, which are aimed at facilitating cross-border data transfer from China and easing the regulatory burdens in this regard for companies in China. If foreign startups and their operations in China carry out the necessary review, they will likely be able to benefit in various ways from the New Provisions when exporting data from China.
The new rules, the Provisions on Promoting and Regulating Cross-Border Data Flow (“New Provisions”), had been indicated by China’s CAC six months earlier already, when the CAC on 28 September 2023 had published a first draft (“2023 Draft”). After months-long anticipation, the New Provisions then came into effect in March of 2024 with almost identical content as the 2023 Draft, but also some fine changes.
The most important changes brought about by the New Provisions are twofold:
Compared with the 2023 Draft, the New Provisions have fine-tuned the above-mentioned scenarios in which exporters of data from China shall be exempted from the necessity of conducting a CBDT mechanism prior to a cross-border data transfer. This now results in fewer exemptions than previously indicated by the 2023 Draft.
Exemptions from CBDT-mechanisms
Under China’s data regime, there are generally three possible mechanisms that may form the legal basis for the export of data from China to overseas, the CBDT-mechanisms:
The New provisions now set out various scenarios in which an exporter of data from China does not have to undergo any of these CBDT-mechanisms when transferring data to overseas. These scenarios include, among others:
From our practical experience in advising foreign startups on their operations in China, the above scenarios will cover a good share of the frequently occurring data flows from China to foreign startups. The exemptions will, therefore, greatly relieve foreign startups from the administrative burdens of the CBDT-measures. Whether or not a foreign startup may enjoy the benefits of any of the above-mentioned scenarios, however, will still be a matter of internal review.
Clarity on “important data”
In the context of cross-border transmission, this means that if one was never notified by a branch of the competent authorities in this aspect and has not found any reference to its type of data in any of the existing regulations or lists on the scoping of important data, one will not have to conduct a data export security assessment prior to exporting the respective data.
Given that this clarity requires that a data handler exhausts the existing regulations and lists on the scoping of important data, however, one will still have some review to undertake. This necessity is also stressed by the New Provisions. The number of regulations and lists in this regard is, however, at this point already growing which will need to be attended to and examined carefully. So, in general, the exposure and risks associated with this topic still remain for foreign startups.
Overview of thresholds
As discussed above, the New provisions often work with thresholds when determining whether data may be freed from the necessity to undergo a CBDT-mechanism prior to its export from China. Besides, these thresholds were fine changed in the New Provisions compared with the 2023 Draft.
For all foreign startups and their entities on the ground in China, we, therefore, prepared the below an overview of thresholds. The overview also contains a comparison of the fine changes between the 2023 Draft and the New Provisions for those foreign startups that had already studied the 2023 Draft.
* Companies that qualify as a critical information infrastructure operator (CIIO) will be subject to the data security assessment if they export any amount of personal information, although this will likely be of less practical relevance for foreign startups.
The New Provisions will likely provide very welcome reliefs for foreign startups and their entities on the ground in China on their way to be compliant with China’s CBDT rules.
Foreign startups will still have to identify and quantify the data they and/or their local Chinese entities handle in China. Once they have diligently done this, they may be able to benefit from many of the reliefs provided in the New Provisions. This will then greatly reduce their administrative burdens when it comes to preparing and conducting legally compliant cross-border data transfers from China.
It should be noted, however, that all other laws and regulations dealing with the processing of data in China (e.g., obtaining consent from the data subjects) remain unchanged and will have to be complied with both by the foreign startup, in case of extra-territorial reach, and their entities on the ground of China.
Felicia Wang
Kai Kim (né Schlender)
Dr. Michael Tan