On March 22, the Cyberspace Administration of China introduced the Regulations on Promoting and Regulating Cross-border Transfer (referred to as “the Regulations” as below), which took immediate effect upon issuance.
The Regulations draw upon the legal framework established by three pivotal laws in the sector: the Cybersecurity Law of China, the Data Security Law of China, and the Personal Information Protection Law of China. Their objective is to enhance the current management system governing cross-border data transfer, thereby facilitating an orderly and lawful flow of data, harnessing the value of data assets, and fostering greater openness to the global community.
Comprising 14 articles, the Regulations elucidate numerous scenarios where stakeholders may benefit from facilitation or even exemption from cross-border data security assessments, cross-border personal information standard contracts, and personal information protection certifications. Key provisions of the regulation include:
Declaration Criteria Clarification: It delineates criteria for cross-border data security assessments, stipulating that if data processors have not been informed by relevant authorities or regions, or if their data has not been designated as key data, they are not required to undergo cross-border data security assessments.
Exemption Scenarios: The Regulations outline exemption scenarios for various activities, including international trade, academic cooperation, and transnational manufacturing and marketing activities, provided that they do not involve personal information or key data. Additionally, exemptions are granted for specific circumstances such as emergency situations requiring the protection of life, health, and property safety.
Reporting Requirements: It specifies reporting requirements for certain cross-border data activities, particularly those involving critical information infrastructure operators and data processors intending to transfer important data overseas or process personal information on a large scale.
Conditions for Standard Contracts and Certification: Conditions for concluding personal information exit standard contracts or obtaining personal information protection certification are clarified, particularly for data processors handling significant volumes of personal information.
Furthermore, the Regulations institute a negative list system for pilot free trade zones. Under this system, pilot free trade zones may establish their own negative lists within the framework of the national data classification and protection system. Once approved by regional cyberspace and information regulators and reported to national regulators, data processors in these zones may be exempted from certain cross-border data transfer requirements when transferring data outside the negative list.
In essence, the Regulations represent a significant step towards enhancing oversight and facilitating cross-border data transfer in line with evolving legal frameworks and technological advancements. They aim to strike a balance between promoting data flow and safeguarding data security and privacy.
