An In-depth Analysis of China’s Network Data Security Regime Part III: Cross-Border Data Transfer and Platform Data Protection

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Michael Dong

Associate
China

I am an associate in Privacy and Data Protection practice in our Beijing office. My practice focuses on data privacy, cybersecurity, telecommunications and M&A.

Derek Xia

Associate
China

I am an associate at Bird & Bird's Beijing office, specialising in regulatory compliance across data privacy, cybersecurity, telecommunications, AI, and intelligent connected vehicles, with extensive experience advising multinational corporations operating in China as well as Chinese enterprises expanding globally.

In late September 2024, the State Council of China published the Administrative Regulation on Network Data Security (“Regulation”), effective January 1, 2025. This Regulation establishes a comprehensive framework for regulating cross-border data transfers and platform data protection, introducing a robust set of compliance requirements.

This is the third article in our series, focusing on the Regulation’s key provisions related to cross-border data transfer and platform data protection, along with our analysis of its implications.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

Background

China’s regulatory landscape for cross-border data transfers has undergone significant evolution in recent years. The Personal Information Protection Law (“PIPL”), alongside the Cybersecurity Law (“CSL”) and the Data Security Law (“DSL”), forms the backbone of the data export regime. The PIPL outlines three primary routes for Personal Information Processors (“PI Processors”) to export Personal Information (“PI”), while the CSL and DSL mandate security assessments for exporting important data (refer to the first article in this series for the definition of important data). These routes, collectively referred to as the “Data Export Regime,” are:

1. Governmental Security Assessment (“Governmental Assessment”):

Required for:

  • Critical Information Infrastructure (“CII”) operators exporting important data or PI.
  • Organizations exporting important data.
  • Organizations processing PI exceeding thresholds (“Thresholds”) set by the Cyberspace Administration of China (“CAC”). In 2022, the CAC clarified these Thresholds through the Measures for the Security Assessment of Data Export.

2. PI Protection Certification (“Certification”): Issued by CAC-accredited institutions, though this mechanism remains non-operational in practice.

3. Standard Contractual Clauses (“SCCs”): PI exporters must enter SCCs with overseas PI importers and submit signed SCCs along with a Personal Information Protection Impact Assessment (PIPIA) to the provincial CAC, as outlined in the 2023 Measures on the Standard Contract for the Export of Personal Information.

However, practical implementation of the Data Export Regime has revealed gaps and challenges. In response, the CAC issued the Regulation for Promoting and Administering Cross-Border Data Flows (“New Data Export Regulation”, see our comments on this regulation here) in March 2024, which replaced previous Thresholds and introduced exemptions allowing PI to be transferred across borders without adhering to the Data Export Regime under specific circumstances:

  • Contractual Necessity: PI transfers necessary for concluding or performing contracts to which the data subject is a party.
  • HR Management: PI transfers of employees’ data for cross-border human resources management, per legally formulated labour rules or signed collective contracts.
  • Emergency Situations: PI transfers to protect the life, health, or property of natural persons in emergencies.

Additionally, the PIPL imposes specific obligations on large online platform service providers—defined as PI processors operating significant platforms with large user bases and complex business models. These obligations include:

  • Organizational Management: Establishing internal compliance policies and an independent oversight body with external members to monitor PI protection.
  • Transparency, Fairness, and Impartiality: Formulating platform rules adhering to these principles, specifying PI processing norms and obligations for platform-based providers.
  • Supervision: Suspending services to platform providers violating PI processing laws.
  • Social Responsibility Reports: Regularly publishing reports on PI protection for public scrutiny.

However, the lack of clear criteria for identifying large online platforms and implementing these obligations has created practical ambiguities, which the Regulation seeks to address.

Key Provisions and Observations

I. Cross-Border Data Transfer

Chapter V of the Regulation consolidates and refines rules on cross-border transfers of PI and important data, aligning with the New Data Export Regulation while introducing additional exemptions. Key provisions include:

1. Cross-Border Transfer of PI

The Regulation maintains the three routes for PI export under the PIPL and introduces six exemptions from the Data Export Regime.

(a) Three Routes:

  • Governmental Assessment: Required for CII operators, organizations exporting important data, or those exceeding CAC-defined Thresholds.
  • Certification: Attaining a PI protection certification from a CAC-accredited institution, though not yet operational.
  • SCCs: Entering SCCs with overseas PI importers, with submission of signed SCCs and a PIPIA to the provincial CAC.

The Regulation does not explicitly redefine Thresholds, indicating that those in the New Data Export Regulation remain applicable.

(b) Six Exemptions:

The Regulation allows PI to be freely transferred across borders in the following scenarios:

  • Contractual Necessity: Transfers necessary for contract conclusion or performance. Unlike the New Data Export Regulation, which listed specific scenarios (e.g., cross-border shopping, payments, or visa applications), the Regulation omits these examples, suggesting a broader scope of application.
  • HR Necessity: Transfers of employee PI for cross-border HR management, limited to legally formulated labour rules or collective contracts, excluding job candidates’ data.
  • Vital Interest: Transfers in emergencies to protect life, health, or property, though rarely applied in corporate operations. In practice, the CAC has interpreted that this exemption does not apply to the PI export of job candidates and other non-employees.
  • Legal Obligations: A new exemption for transfers required to fulfil statutory duties under Chinese law.
  • International Treaties: A new exemption for transfers compliant with international treaties or agreements, such as judicial assistance under the Hague Evidence Convention.
  • Other Conditions: A catch-all exemption, including cases where PI exports fall below the New Data Export Regulation’s Thresholds (e.g., less than 100,000 individuals’ non-sensitive PI annually).

2. Cross-Border Transfer of Important Data

The Regulation reinforces CSL and DSL requirements, mandating a Governmental Assessment for exporting important data. Exported data must align with the purposes, methods, scope, types, and scale specified during the assessment. Non-personal data is not considered important unless designated by authorities, easing compliance for non-personal data exporters.

II. Platform Data Protection

Chapter VI of the Regulation outlines data protection obligations for all online platform service providers, with additional requirements for large platforms. It also provides clarity on identifying large platforms, though some ambiguities persist.

1. Obligations of All Online Platform Service Providers

(a) Supervision Obligations:

  • Platforms and smart terminal device manufacturers with pre-installed applications must define data security obligations for third-party providers via platform rules or contracts, extending PIPL requirements to all platforms.
  • Platforms offering application distribution services must establish verification rules, conduct data security checks, and take action (e.g., warnings, suspension, or termination) against non-compliant applications.

(b) Automated Decision-Making:

  • Platforms using automated decision-making for information push must provide clear, accessible opt-out options and allow users to refuse notifications or delete personalized tags.

(c) Recommended Practices:

  • Platforms are encouraged to purchase cyber data damage compensation liability insurance and adopt national network identity authentication for real-name registration.

2. Obligations of Large Online Platform Service Providers

(a) Identification of Large Platforms:

The Regulation defines large platforms as those meeting three criteria:

  • User Numbers: Over 50 million registered users or 10 million monthly active users.
  • Business Complexity: Complex business types, though no clear standard exists.
  • Social Impact: Significant impact on national security, economic operations, or vital interests, pending regulatory clarification.

(b) Social Responsibility Reports:

  • Large platforms must publish annual PI protection reports, detailing:
    • PI protection measures and effectiveness.
    • Handling of data subject rights requests.
    • Performance of the independent PI protection oversight body.

(c) Transparency, Fairness, and Impartiality:

  • These principles now extend to algorithmic and data processing activities. The Regulation lists prohibited behaviours, including:
    • Misleading, fraudulent, or coercive data processing.
    • Unjustified restrictions on user data access.
    • Unreasonable differential treatment of users.
    • Other activities violating laws or regulations.

Conclusion and Recommendations

The Regulation represents a pivotal advancement in China’s data governance framework, refining cross-border data transfer rules and platform obligations while addressing some ambiguities. However, unresolved questions, such as criteria for business complexity and social impact, necessitate ongoing monitoring of regulatory guidance.

For Enterprises with Cross-Border Data Needs:

  • Review and align data export practices with the Regulation’s updated requirements, leveraging exemptions where applicable.

For Online Platforms:

  • Assess user numbers against the 50 million registered or 10 million monthly active user thresholds.
  • Monitor forthcoming regulatory guidance on business complexity and social impact.
  • Establish robust internal governance policies to ensure compliance with applicable obligations.

By proactively adapting to the Regulation, businesses can navigate China’s evolving data security landscape effectively.
