A Game Changer? CAC Proposes an Uphaul of Data Export Regime

On 28 September 2023, the Cyberspace Administration of China (“CAC”) released the draft Regulation for Administering and Promoting Cross-border Data Flow (“Draft Regulation”) for public consultation, which proposes to make substantial changes to the current data export regime.

In this article, we highlight the key provisions and set out our comments. If you would like a copy of the English translation of the Draft Regulation, please contact James Gong at [email protected].

Background

The Personal Information Protection Law (“PIPL”) (for our comments on the PIPL, please click here) provides three routes for personal information processors[1] to export personal information (“PI”). In addition, the Cyber Security Law and the Data Security Law also require security assessment for export of important data, although the scope of important data is yet to be defined. The three routes for data export are as follows (collectively “Data Export Regime”):

  • passing a governmental security assessment (“Governmental Assessment”) that is required for 1) critical information infrastructure (“CII”) operators that export important data and PI; 2) organisations that export important data; and 3) organisations that process PI reaching one of the three threshold amounts[2] (“Thresholds”) specified by the CAC (for our comments on the Governmental Assessment, please click here);
  • attaining a PI protection certification (“Certification”) by an institution accredited by the CAC (for our comments on the Certification Regime, please click here and here); or
  • entering into the standard contractual clauses (“SCCs”) with the overseas PI importers (for our comments on the SCCs, please click here).

The Governmental Assessment regime took effect on 1 September 2022 with a six-month grace period. Since then, many data exporters in China, mostly large multinationals, have filed hundreds of applications with the CAC, but only a handful have since been approved. The assessment process is now expected to take over ten months, and applicants will face multiple rounds of review from the CAC after their initial submission.

Most PI Processors do not reach the Thresholds and are therefore ineligible for the Governmental Assessment. The Certification regime appears to be designed for intragroup PI transfers within large multinational groups or international organisations, and the process is quite complicated. As a result, the SCCs is expected to be the most used data export route for PI Processors.

Regarding filing the SCCs, the CAC requires that all PI exporters should file the signed SCCs and a report of personal information protection impact assessment (“PIPIA”) with the provincial CAC, which took effect on 1 June 2023 also with a six-month grace period ending on 30 November 2023. Effectively, most PI exporters must comply with this requirement, unless they are being certified for PI Protection. A number of PI exporters either have started or are about to start the SCCs filing process.

The filing materials for SCCs are like those for the Governmental Assessment, and therefore the workload for PI exporters choosing to make SCCs filings are no less burdensome at least before the first submission. Companies are expected to incur a substantial amount of cost and resources for the compliance process.

The Data Export Regime has since given rise to extensive concerns amongst multinational companies and commercial delegates over the complex and unpredictable nature of the process, coupled with the uncertainty as to the impact of the regime on cross-border data flows in normal course of business. The Chinese government seems to have recognised such concerns against the backdrop of its policy to boost economic growth post the pandemic.

On 13 August 2023, the central government released a policy statement (“Policy Statement”) to promote foreign investment in China, in which it vows to provide more convenient data export mechanisms for foreign-invested entities (“FIE”). The measures outlined in the Policy Statement include establishing fast tracks for qualified FIEs, improving efficiencies for carrying out SCCs filings and Governmental Assessment, initiating pilot programs in certain areas where a positive list can be formulated to allow free flow of certain types of data, and establishing data export compliance service platforms. However, at that time, it was unclear as to when and to what extent these measures will be implemented.

It seems that the Draft Regulation is published to address the concerns over the current data export regime and to implement that Policy Statement laid down by the central government.


Key Provisions and Comments

  1. Exemptions from Data Export Regime

    The Draft Regulation has set out a range of scenarios where data export will be exempted from the entire Data Export Regime, which we summarise as follows:

    1. New necessity exemptions (para 4)
      • It is necessary to export PI for the purposes of entering into or performing a contract, to which an individual is a counterparty, and the CAC gave examples of cross-border purchases, cross-border remittance, hotel and air ticket booking, visa application, etc.

      Our comments: this should benefit industries of cross-border ecommerce, international payment services, tourism, and other industries, where exporting their customers’ PI is an integral part of the business. To make it clear, the PI exporter should be the other party to the contract. Where the PI exporter does not contract directly with the individuals, then further analysis will be necessary.

      • It is necessary to export employees’ PI for the purposes of HR management pursuant to legally formulated employment rules and policies and collective employment agreement; or

      Our comments: this exemption appears to address the common scenarios where multinationals need to receive PI of their local subsidiaries’ employees. However, the Draft Regulation does not explain how “necessary” is interpreted, if the PI could be processed via alternative systems in China with extra cost incurred, would the data export still be considered necessary?

      Besides, clarification is still needed on whether HR management must be based on both employment rules and policies as well as collective employment contract at the same time. The CAC apparently uses the same wording for HR management legal basis under the PIPL, but the meaning is still being contested.

      Another scenario awaiting clarification is where agency workers’ PI are being exported. As agency workers are not employees of companies that export their PI, should this exemption also apply?

      It is necessary under emergency circumstances to export PI for the protection of a natural person’s life and health as well as financial or proprietary interest.

    2. Exemption for non-PI or non-important data (para 1)
      • The export of non-PI or non-important data is generated from the activities of international trade, academic cooperation, cross-border manufacturing, and marketing.

      Our comments: it is the default position under the Data Export Regime that non-PI and non-important data should not be subject to any export restrictions. Unfortunately, by setting out a series of scenarios, the Draft Regulation may effectively reduce the scope of what is exempt from the Data Export Regime. We tend to view this as unintended, and the default position should still stand.

    3. Falling below a numerical threshold (para 5)
      • The export of PI of less than 10,000 individuals within a year. Note that if the transfer is using consent as legal basis, the consent requirement remains.

      Our comments: this is a major change to the Data Export Regime, in particular, the Governmental assessment. The Thresholds have been amended and replaced with higher ones. However, this provision is also more problematic.

      The first question is what if the actual amount of exported PI in the next year exceeds 10,000? Do the exporters need to make SCCs filings or even apply for Governmental Assessment retrospectively?

      Secondly, how should the one-year period be measured? The Draft Regulation does not provide a starting date for the period. If this means that the one-year period should be measured on a rolling basis, then the exporters must continuously monitor the amount of exported PI in any 12-month period.

      Besides, when calculating the amount of PI, should the PI exported under the above “new necessity exemptions” still be factored in? If so, then the amount threshold may still be met by some PI exporters that may otherwise be exempted.

      Notably, the CAC seems to affirm the position taken in the SCCs that separate consent for the export of PI from individuals is required only when the legal basis is consent. In fact, the Draft Regulation only refers to “consent" instead of “separate consent,” although this is likely to be an inadvertent omission.

    4. Personal information not collected within the PRC (para 3)
      • If the transfer concerns exporting PI not originally collected in the PRC.

      Our comments: this provision effectively exempts from the Data Export Regime export of PI that is collected outside China, which will benefit companies processing such PI in China, e.g., multinationals that are headquartered in China. This confirms and extends the position taken by the CAC for the Governmental Assessment, which only applies to important data and PI collected and generated during operations within China.

    It is a dramatic change of direction for the CAC to exempt a wide scope of data processing activities entirely from the Data Export Regime. However, it is worth pointing out that the PIPL does not authorise the CAC to exempt any PI export activities from all the three routes under the Data Export Regime. The PIPL does allow the CAC to provide for other conditions that PI export activities must meet, but such conditions should ensure that the overseas PI importers meet the PI protection standards under the PIPL. It is not clear on what legal basis under the PIPL the CAC provides for such exemptions.

  2. Exemption form Governmental Assessment

    The Draft Regulation has further amended Thresholds for the Governmental Assessment (para 6). If the exporters expect to export personal data of more than 10,000 and less than 1 million individuals within one year, the exporters must complete SCCs filing or the Certification process; if the exporters expect to export PI of more than 1 million individuals, the Governmental Assessment still applies.  If data export is based on consent, the consent requirement remains.
    Our comments above on the revised numerical thresholds also applies here. Without further clarification on these questions, these newly introduced Thresholds can hardly be implemented. In addition, the changes to the Thresholds do not touch upon sensitive PI, which gives rise to questions as to whether the Threshold relevant to sensitive PI still applies.

    The Draft Regulation clarifies CAC’s position on the Governmental Assessment for important data export. If non-personal data concerned is not designated as ‘important data’ by the relevant authority or region by notices or publication, then the PI exporters are not required to apply for Governmental Assessment for exporting important data. In the absence of clear scope of important data, this will temporarily release the non-personal data exporters from the obligation of filing Governmental Assessment, until the authorities define scope.

  3. Relaxation in free trade zones

The Draft Regulation allows free trade zones to formulate their own negative list of data categories that must be regulated by the Governmental Assessment, SCCs, and Certification upon approval by the provincial level CACs and filing with the central CAC. Outside of such negative lists, data exporters will be exempted from the Data Export Regime. It appears that such negative lists may also extend to important data. If this is implemented and finally rolled out nationally, it might completely replace the Data Export Regime under the existing laws.

Notably, as the negative list regime will substantially amend the current Data Export Regime under the PIPL, this should usually require the National People’s Congress to authorize the State Council to adjust the implementation of the PIPL. In the Policy Statement, the State Council only proposed a positive list of data categories allowed for free cross-border transfer, whilst under the Draft Regulation CAC proposes to further relax the Data Export Regime by introducing a negative list. It is not clear whether the State Council has sanctioned the CAC’s proposal.

Conclusion and Recommendations

The CAC released the Draft Regulation to implement the central government’s policy of boosting economic growth and foreign investment and to address concerns over the burdensome and complex compliance obligations under the current Data Export Regime. 

The Draft Regulation exempts a wide range of data export activities from the entire Data Export Regime and, by amending the Thresholds, significantly reduces the number of data exporters that are required to apply for the Governmental Assessment. 

If the Draft Regulation is implemented as it is, then many data exporters will be released from all or part of their obligations under the current Data Export Regime. However, as pointed out in our comments, the CAC should clarify the key issues that could hinder its implementation and provide a solid legal basis for the proposed changes. 
Considering that the 30 November deadline for SCCs filing is approaching, we hope that the CAC would finalise the Draft Regulation soon, in which case there might not be substantial changes to the draft. 

For companies that are currently preparing for the SCCs filing or Governmental Assessment, as the Draft Regulation has not yet been enacted, we would recommend that they continue their preparation process till the Draft Regulation takes force. 

For companies that have already filed SCCs or applied for Governmental Assessment with the CAC, we would recommend that they liaise with their case handlers for instructions on next steps. We hope that the central CAC could also state its position on this in the finalised regulation. 


[1] A personal information processor ("PI Processor”) is defined as an organisation or individual that independently determines the purposes and means of the processing, akin to the concept of data controller under the General Data Protection Regulation (“GDPR”) of the European Union.

[2] The current thresholds for triggering security assessment by PI Processor are: (i) from 1 January of the preceding year, (a) exporting PI of 100,000 individuals, or (b) exporting sensitive PI of 10,000 individuals; or (ii) processing PI of 1 million or more individuals.

Latest insights

More Insights
graph

UPC in Brief: Unitary Patent Protection Trends: Discrepancies, Statistics, and Language Requirements in 2024

Jul 15 2024

Read More
Generative AI

Does the UK Online Safety Act regulate AI?

Jul 15 2024

Read More
Carabiner

CSDDD is here to stay; the EU clock is ticking for mandatory supply chain due diligence

Jul 12 2024

Read More