- Commenting on the Measures on Promoting and Regulating Cross-border Data Transfers and the Supporting Guidelines
On the evening of March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the Measures on Promoting and Regulating Cross-border Data Transfers (the “Relaxation Measures”) and the Guidelines for the Application for Security Assessments of Cross-border Data Transfers (Second Edition) and the Guidelines for the Filings of Standard Contracts of Cross-border Transfers of Personal Information (Second Edition) (the “New Guidelines”). The Relaxation Measures and the New Guidelines adjust for the thresholds, methods and procedures for the security assessments for cross-border data transfers (“Security Assessments”) and the filings of standard contracts for cross-border transfer of personal information (“Standard Contract Filings”).
The long-awaited introduction of the Relaxation Measures and the New Guidelines means that a reasonable and practical regulatory system for the export of data (especially personal information) will finally come into shape, and it also means that the national and local cyberspace administrations will have more resources to devote to a wider range of personal information protection law enforcement.
1、Limit the scope of Security Assessments and Standard Contract Filings
The Relaxation Measures clarify the exemption of Security Assessments and Standard Contract Filings (or personal information protection certification, omitted below) for certain data export scenarios, and further delineate the threshold for Security Assessments and Standard Contract Filings.
a) Scenarios that exempt Security Assessments and Standard Contract Filings
The Relaxation Measures clarify the following data export scenarios that do not require Security Assessments or Standard Contract Filings:
1、Export of data (which does not contain important data or personal information) collected and generated in international trade, cross-border transportation, academic cooperation, cross-border manufacturing and marketing activities;
2、After the overseas personal information is transferred to the mainland for processing, it is then provided overseas with no domestic personal information or important data being introduced during the processing;
3、Outbound transfers of personal information (such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservations, visa applications, examination services, etc.) for the purpose of entering into and performing a contract to which the individual is a party;
4、Outbound transfers of employee personal information on the legal basis of necessary cross-border human resource management (please note that this scenario does not include the outbound transfers of job candidates’ personal information);
5、In case of emergency, personal information is exported to protect the life, health, and property safety of natural persons.
6、Data processors in the Pilot Free Trade Zone (FTZ) are subject to a list of outbound data transfers enacted by the Pilot Free Trade Zone in accordance with the laws (combined with the Measures for the Classification and Grading of Cross-border Data Flows in the Lingang Special Area of the China (Shanghai) Pilot Free Trade Zone (for Trial Implementation), Notice on Promulgation of the Standards for Data Classification and Grading by Enterprises in China (Tianjin) Pilot Free Trade Zone it seems to mean that the FTZ is expected to promulgate and implement a more relaxed regulatory regime for data exports, which may be close to a whitelist system).
It is worth noting that the cross-border transfers of personal information in the above scenarios do not only exempt the Security Assessments or Standard Contract Filings requirements, but are also excluded from the number counted for the thresholds for applying for Security Assessments and Standard Contract Filings as described below.
b) Thresholds for Security Assessments and Standard Contract Filings
The Relaxation Measures raise the thresholds for Security Assessments and Standard Contract Filings.
2、Simplification of Standard Contract Filing Procedures
The Relaxation Measures, as well as the new Guidelines, have largely simplified the procedures for Security Assessments and Standard Contract Filings.
a) Extend the validity periods of Security Assessments
The validity periods of the Security Assessments have been extended from the original 2 years to 3 years (calculated from the date of issuance of the assessment results).
At the same time, the Relaxation Measures add a mechanism for applying for an extension of the validity period. If there is no substantial change in the data export activities, the data processor may submit an application to the CAC for an extension of the validity period through the provincial CAC, 60 working days before the expiration of the validity period. If the application is approved, the validity period can be extended by 3 years.
b) Simplify filling materials
According to the New Guidelines, the content of the personal information protection impact assessment report has been simplified. It is no longer required to analyze and discuss: (1) the personal information protection capabilities of the personal information processor, and (2) the personal information protection policies and regulations of the country or region where the overseas recipient is located.
However, the New Guidelines still require enterprises to provide IT-related information such as "the relevant information of the outbound link of personal information, the system platform and data center to store information after the transfer", and other relevant IT information that enterprises are reluctant to provide.
c) Simplify filing methods
According to the New Guidelines, data processors can submit Standard Contract Filings and Security Assessment applications online through the data export filing system, and it is no longer required to submit paper-based materials offline.
In particular, according to the Guidelines on the Use of Data Export Filing System, data processors who file the Security Assessment applications only need to upload the scanned copies of all materials; moreover, the New Guidelines no longer require the processor to submit the original materials of power of attorney, letter of commitment, and standard contracts, which reduces the time spent on the chopping and mailing process of such materials.
3、Regulatory Forecast for Data Export
Although the regulatory procedures for the export of data and personal information have been simplified, compliance obligations for data exporters have not been reduced. Regardless of the volume of the personal information to be exported, processors are required to comply with the requirements for export under the PIPL, no matter whether a Security Assessment or a Standard Contract Filing is required. This includes, but is not limited to, informing and seeking separate consents from relevant individuals, and performing the personal information protection impact assessment.
At the same time, with the implementation of the Relaxation Measures, the CAC will be relieved from the onerous burden of reviewing Security Assessments and Standard Contract Filings, and will carry out more comprehensive and frequent law enforcement (including but not limited to data exports).
Authors
![]() | Xun Yang +86 152 2182 2373 +86 21 3135 8799 xun.yang@llinkslaw.com | ![]() |
![]() | Yuwei Xia Associate | _ |
![]() | Echo Li Associate | _ |




