Relaxation of China’s Cross-Border Data Transfer Regulations in March 2024

In March 2024, China's Cyberspace Administration (CAC) introduced new rules to streamline cross-border data transfers and alleviate regulatory burdens for companies in China. Felicia Wang, Startup Manager at Swissnex in China, asked Kai Kim and Dr. Michael Tan, lawyers at the law firm Taylor Wessing, to explain how startups can leverage the benefits of these New Provisions.

What exactly are the important changes?

At the end of March 2024, China’s Cyberspace Administration (“CAC”) issued new rules, which are aimed at facilitating cross-border data transfer from China and easing the regulatory burdens in this regard for companies in China. If foreign startups and their operations in China carry out the necessary review, they will likely be able to benefit in various ways from the New Provisions when exporting data from China.

The new rules, the Provisions on Promoting and Regulating Cross-Border Data Flow (“New Provisions”), had already been indicated by the CAC six months earlier, when it published a first draft on 28 September 2023 (“2023 Draft”). After months of anticipation, the New Provisions came into effect in March 2024 with content almost identical to the 2023 Draft, but with some fine changes.

The most important changes brought about by the New Provisions are twofold:

  • Exemptions from CBDT-mechanisms
    For one, the New Provisions provide for various, very practical, scenarios under which exporters of data from China are freed from the obligation to conduct one of the three currently mandatory cross-border data transfer mechanisms (“CBDT-mechanisms”).
  • Clarity on “important data”
    For another, the New Provisions provide more certainty as to when data processed in China or from China shall be considered “important data”, though uncertainties and risks associated with this topic still remain.

Compared with the 2023 Draft, the New Provisions have fine-tuned the above-mentioned scenarios in which exporters of data from China shall be exempted from the necessity of conducting a CBDT mechanism prior to a cross-border data transfer. This now results in fewer exemptions than previously indicated by the 2023 Draft.

 

Exemptions from CBDT-mechanisms

Under China’s data regime, there are generally three possible mechanisms that may form the legal basis for exporting data from China overseas, the CBDT-mechanisms:

  1. a mandatory data security assessment with the competent cybersecurity and informatization department;
  2. the conclusion and filing of a standard contract between the data handler in China and the recipient abroad; or
  3. obtaining a personal information protection certification issued by a specialized third-party agency.

 

The New Provisions now set out various scenarios in which an exporter of data from China does not have to undergo any of these CBDT-mechanisms when transferring data overseas. These scenarios include, among others:

  • Exporting personal information necessary for the conclusion or performance of a contract, to which the subject of certain data (e.g., an individual) is a party. Examples of the fields of these contracts are: cross-border shopping, cross-border mailing, cross-border remittance, cross-border payment, cross-border account opening, flight ticket and hotel booking, visa application, and examination services.
  • Exporting personal information necessary for cross-border HR management (e.g., transferring employee information from China to the overseas headquarters), provided that this is carried out in accordance with legally established labor rules and collective contracts.
  • Exporting personal information in cases where it is necessary for protecting the life, health, or property of natural persons in emergencies.
  • Exporting non-sensitive personal information of fewer than 100,000 data subjects within one calendar year, provided that the data exporter is not a critical information infrastructure operator (CIIO). Compared with the 2023 Draft, the New Provisions significantly expanded this scenario, as they increased the threshold by ten times, from 10,000 data subjects to 100,000 data subjects. However, the New Provisions also inserted tighter guardrails, as they limited this scenario to non-sensitive personal information. In the case of sensitive personal information (e.g., bank account information, whereabouts, biometric information), a CBDT mechanism will still be required unless other exemptions provided for under the New Provisions may apply.
  • Re-exporting personal information from China that was previously generated or collected overseas and transferred to China (e.g., personal information shared from the overseas headquarters with its China subsidiary). In this case, too, however, the New Provisions added new guardrails compared with the 2023 Draft. Specifically, the New Provisions added the requirement that this scenario should not apply if the relevant data contains personal information that originated in China or important data.

From our practical experience in advising foreign startups on their operations in China, the above scenarios will cover a good share of the frequently occurring data flows from China to foreign startups. The exemptions will, therefore, greatly relieve foreign startups from the administrative burdens of the CBDT-measures. Whether or not a foreign startup may enjoy the benefits of any of the above-mentioned scenarios, however, will still be a matter of internal review.

 

Clarity on “important data”

In the context of cross-border transmission, this means that if one was never notified by a branch of the competent authorities in this respect and has not found any reference to its type of data in any of the existing regulations or lists on the scoping of important data, one will not have to conduct a data export security assessment prior to exporting the respective data.

Given that this clarity requires a data handler to exhaust the existing regulations and lists on the scoping of important data, however, one will still have some review to undertake. This necessity is also stressed by the New Provisions. The number of regulations and lists in this regard is, however, already growing at this point, and these will need to be attended to and examined carefully. So, in general, the exposure and risks associated with this topic still remain for foreign startups.

Overview of thresholds

As discussed above, the New Provisions often work with thresholds when determining whether data may be freed from the necessity to undergo a CBDT-mechanism prior to its export from China. In addition, these thresholds were fine-tuned in the New Provisions compared with the 2023 Draft.

For all foreign startups and their entities on the ground in China, we have therefore prepared the overview of thresholds below. The overview also contains a comparison of the fine changes between the 2023 Draft and the New Provisions for those foreign startups that had already studied the 2023 Draft.

* Companies that qualify as a critical information infrastructure operator (CIIO) will be subject to the data security assessment if they export any amount of personal information, although this will likely be of less practical relevance for foreign startups.

 

 

What does this imply for foreign startups that seek to be compliant with the Chinese business and legal environment?

The New Provisions will likely provide very welcome relief for foreign startups and their entities on the ground in China on their way to becoming compliant with China’s CBDT rules.

Foreign startups will still have to identify and quantify the data they and/or their local Chinese entities handle in China. Once they have diligently done this, they may be able to benefit from many of the reliefs provided in the New Provisions. This will then greatly reduce their administrative burdens when it comes to preparing and conducting legally compliant cross-border data transfers from China.

It should be noted, however, that all other laws and regulations dealing with the processing of data in China (e.g., obtaining consent from the data subjects) remain unchanged and will have to be complied with both by the foreign startup, in case of extra-territorial reach, and by their entities on the ground in China.