China Finalises Exemptions to Cross-Border Data Transfer Rules and Eases Restrictions

Personal Information processors should revisit their policies and agreements to assess whether they can benefit from the relaxed requirements that could ease their compliance burden.

Key Points:

• Exemptions to Data Transfer Mechanisms: The Provisions on Promoting and Regulating Cross-Border Data Flows (Provisions) significantly reduce compliance burdens for companies by introducing exemptions to the cross-border data transfer requirements under the Personal Information Protection Law (PIPL). For example, if the transfer is necessary for performance of a contract or cross-border HR management, or the volume of personal information (PI) transferred is below 100,000 individuals, the transfer is exempt from the requirements for a Data Transfer Mechanism.

• Relaxing the volume thresholds for requiring a Data Transfer Mechanism: The requirement to implement a Data Transfer Mechanism is only triggered if the volume of PI exported exceeds certain thresholds and there is no applicable exemption. The Provisions increase the existing volume thresholds below which a Data Transfer Mechanism is not needed.

• Important Data: Export of “Important Data” also requires a Data Transfer Mechanism to be implemented (specifically, passing a security assessment) and cannot benefit from the newly introduced exemptions. The Cyberspace Administration of China (CAC) and its local departments will publish catalogues of what they consider to be “Important Data. Practically, this means that unless a regulator has notified a personal information processor (PI Processor) that it handles Important Data or a PI Processor believes that the data it processes likely falls within one of the published Important Data catalogues, a PI Processor may assume that it does not handle Important Data.

• Security Assessment: Notwithstanding the exemptions introduced (e.g., contractual necessity, HR management, and transfers of PI belonging to less than 100,000 individuals), PI transfers by a critical information infrastructure operator (CIIO) and transfers of Important Data outside of the PRC will always require a Security Assessment — consistent with the requirements under previous guidance.

Background

On 22 March 2024, the CAC published the final version of the Provisions on Promoting and Regulating Cross-Border Data Flows (see Chinese version) which took effect immediately and follows the draft published for consultation in September 2023. On the same day, the CAC also held a press conference (FAQ) (see Chinese version) on the Provisions and published the second edition of the Security Assessment Filing Guidelines and Filing Guidelines for the SCCs.

Under the PIPL, in order to transfer PI out of the PRC, a PI Processor must, depending on the volume thresholds met, either:

conduct and pass a security assessment;

enter into standard contractual clauses published by the CAC with the overseas recipient (SCCs);

or

obtain a PI protection certification from an agency designated by the CAC (Certification, and together with the Security Assessment and SCCs, the Data Transfer Mechanisms).

The Provisions introduce exemptions to the Data Transfer Mechanisms and relax the existing volume thresholds which trigger the need for a Data Transfer Mechanism.

Source: Latham & Watkins.