On September 28, 2023, the Chinese government’s Cyberspace Administration released the Provisions on Regulating and Facilitating Cross-Border Data Flows (Draft for Comments), which will be open for feedback until October 15, 2023. This release represents a significant change in China’s regulations regarding cross-border data. These provisions have been developed based on the experience gained from cross-border data regulation work in the past year and outline the general direction of future regulation policies.

Despite consisting of only 11 articles, the document signifies a substantial shift in the regulatory approach of the authorities. The Provisions aim to strike a balance between “regulation” and “promotion,” indicating a clear adjustment in China’s policy for cross-border data regulation based on the lessons learned from previous experiences. This adjustment acknowledges the feedback from businesses, recognizing that the previous regulations imposed excessive compliance costs and impeded the effective implementation of regulatory measures.

According to the current version of the Provisions, the following notable changes are identified:

  1. Clarification of certain issues: Cross-border data transfers that do not involve personal information and key data will not require prior approval for overseas transfer. Data processors are not required to undergo a security assessment for outbound data that has not been designated as key data by relevant departments or publicly announced as such.
  2. Exemptions for common outbound scenarios: Exemptions are granted for fulfilling contractual obligations in cross-border e-commerce, payment institutions, and business travel platforms. The management of human resources, following multinational companies’ unified arrangements and judgments of necessity, is also exempt. Additionally, exemptions are provided for emergency situations to protect individual interests.
  3. Increased threshold for security assessment: The security assessment is only mandatory when providing personal information to overseas recipients exceeding one million individuals within a year. For cross-border personal information transfers ranging from ten thousand to less than one million individuals, standard contract filing or certification is sufficient. Quantities below ten thousand individuals are exempt from such requirements.
  4. Allocating space for special regulations in free trade zones: The pilot free trade zones are required to create a separate list of regulations (referred to as the Negative List) which outlines the circumstances under which cross-border data transfers will require a security assessment, a standard contract, or personal information protection certification. Data that does not fall within the scope of the Negative List can be transferred abroad without undergoing a security assessment, establishing a standard contract, or obtaining personal information protection certification.
  5. Striking a balance between pre-regulation and post-regulation: Instead of prioritizing pre-regulation over in-process regulation or post-regulation, the Provisions aim to achieve a balanced approach to regulation throughout various stages. In certain scenarios outlined in the Provisions where pre-regulation measures are not required (such as security assessments, standard contracts, or certifications), the Provisions do not exclude the possibility of in-process regulation or post-regulation.

However, while understanding these measures aimed at reducing burdens, foreign stakeholders should not interpret them as signals of decreased data protection requirements. On the contrary, the purpose of these regulatory adjustments is to ease compliance burdens for businesses while maintaining data protection requirements, thus promoting the comprehensive implementation of regulatory measures. Exemptions for certain scenarios or the streamlining of prior approvals are not intended to weaken regulatory intensity regarding cross-border data activities by businesses. Rather, they are based on the varying security risks present in different scenarios. Differentiated regulation is employed to encourage businesses to comply with regulations.

Policy adjustments are still ongoing, and the official document may undergo changes. Although the new draft indicates the general direction of regulatory policy adjustments, specific policies are still being refined. Further modifications may be made after the official documents are issued to reconcile any conflicts between the Provisions and existing legislation and to provide further clarification on certain issues.