A Game Changer? CAC Proposes an Uphaul of Data Export Regime

1. Exemptions from Data Export Regime

   The Draft Regulation has set out a range of scenarios where data export will be exempted from the entire Data Export Regime, which we summarise as follows:

   1. New necessity exemptions (para 4)
      • It is necessary to export PI for the purposes of entering into or performing a contract, to which an individual is a counterparty, and the CAC gave examples of cross-border purchases, cross-border remittance, hotel and air ticket booking, visa application, etc.

      Our comments: this should benefit industries of cross-border ecommerce, international payment services, tourism, and other industries, where exporting their customers’ PI is an integral part of the business. To make it clear, the PI exporter should be the other party to the contract. Where the PI exporter does not contract directly with the individuals, then further analysis will be necessary.

      • It is necessary to export employees’ PI for the purposes of HR management pursuant to legally formulated employment rules and policies and collective employment agreement; or

      Our comments: this exemption appears to address the common scenarios where multinationals need to receive PI of their local subsidiaries’ employees. However, the Draft Regulation does not explain how “necessary” is interpreted, if the PI could be processed via alternative systems in China with extra cost incurred, would the data export still be considered necessary?

      Besides, clarification is still needed on whether HR management must be based on both employment rules and policies as well as collective employment contract at the same time. The CAC apparently uses the same wording for HR management legal basis under the PIPL, but the meaning is still being contested.

      Another scenario awaiting clarification is where agency workers’ PI are being exported. As agency workers are not employees of companies that export their PI, should this exemption also apply?

      It is necessary under emergency circumstances to export PI for the protection of a natural person’s life and health as well as financial or proprietary interest.

   2. Exemption for non-PI or non-important data (para 1)
      • The export of non-PI or non-important data is generated from the activities of international trade, academic cooperation, cross-border manufacturing, and marketing.

      Our comments: it is the default position under the Data Export Regime that non-PI and non-important data should not be subject to any export restrictions. Unfortunately, by setting out a series of scenarios, the Draft Regulation may effectively reduce the scope of what is exempt from the Data Export Regime. We tend to view this as unintended, and the default position should still stand.

   3. Falling below a numerical threshold (para 5)
      • The export of PI of less than 10,000 individuals within a year. Note that if the transfer is using consent as legal basis, the consent requirement remains.

      Our comments: this is a major change to the Data Export Regime, in particular, the Governmental assessment. The Thresholds have been amended and replaced with higher ones. However, this provision is also more problematic.

      The first question is what if the actual amount of exported PI in the next year exceeds 10,000? Do the exporters need to make SCCs filings or even apply for Governmental Assessment retrospectively?

      Secondly, how should the one-year period be measured? The Draft Regulation does not provide a starting date for the period. If this means that the one-year period should be measured on a rolling basis, then the exporters must continuously monitor the amount of exported PI in any 12-month period.

      Besides, when calculating the amount of PI, should the PI exported under the above “new necessity exemptions” still be factored in? If so, then the amount threshold may still be met by some PI exporters that may otherwise be exempted.

      Notably, the CAC seems to affirm the position taken in the SCCs that separate consent for the export of PI from individuals is required only when the legal basis is consent. In fact, the Draft Regulation only refers to “consent" instead of “separate consent,” although this is likely to be an inadvertent omission.

   4. Personal information not collected within the PRC (para 3)
      • If the transfer concerns exporting PI not originally collected in the PRC.

      Our comments: this provision effectively exempts from the Data Export Regime export of PI that is collected outside China, which will benefit companies processing such PI in China, e.g., multinationals that are headquartered in China. This confirms and extends the position taken by the CAC for the Governmental Assessment, which only applies to important data and PI collected and generated during operations within China.

   It is a dramatic change of direction for the CAC to exempt a wide scope of data processing activities entirely from the Data Export Regime. However, it is worth pointing out that the PIPL does not authorise the CAC to exempt any PI export activities from all the three routes under the Data Export Regime. The PIPL does allow the CAC to provide for other conditions that PI export activities must meet, but such conditions should ensure that the overseas PI importers meet the PI protection standards under the PIPL. It is not clear on what legal basis under the PIPL the CAC provides for such exemptions.

2. Exemption form Governmental Assessment

   The Draft Regulation has further amended Thresholds for the Governmental Assessment (para 6). If the exporters expect to export personal data of more than 10,000 and less than 1 million individuals within one year, the exporters must complete SCCs filing or the Certification process; if the exporters expect to export PI of more than 1 million individuals, the Governmental Assessment still applies.  If data export is based on consent, the consent requirement remains.
   Our comments above on the revised numerical thresholds also applies here. Without further clarification on these questions, these newly introduced Thresholds can hardly be implemented. In addition, the changes to the Thresholds do not touch upon sensitive PI, which gives rise to questions as to whether the Threshold relevant to sensitive PI still applies.

   The Draft Regulation clarifies CAC’s position on the Governmental Assessment for important data export. If non-personal data concerned is not designated as ‘important data’ by the relevant authority or region by notices or publication, then the PI exporters are not required to apply for Governmental Assessment for exporting important data. In the absence of clear scope of important data, this will temporarily release the non-personal data exporters from the obligation of filing Governmental Assessment, until the authorities define scope.

3. Relaxation in free trade zones

The Draft Regulation allows free trade zones to formulate their own negative list of data categories that must be regulated by the Governmental Assessment, SCCs, and Certification upon approval by the provincial level CACs and filing with the central CAC. Outside of such negative lists, data exporters will be exempted from the Data Export Regime. It appears that such negative lists may also extend to important data. If this is implemented and finally rolled out nationally, it might completely replace the Data Export Regime under the existing laws.

Notably, as the negative list regime will substantially amend the current Data Export Regime under the PIPL, this should usually require the National People’s Congress to authorize the State Council to adjust the implementation of the PIPL. In the Policy Statement, the State Council only proposed a positive list of data categories allowed for free cross-border transfer, whilst under the Draft Regulation CAC proposes to further relax the Data Export Regime by introducing a negative list. It is not clear whether the State Council has sanctioned the CAC’s proposal.