想必各位已经留意到,就在上上周五,2024年3月22日,《促进和规范数据跨境流动规定》(以下称“数据出境新规”或“新规”)以及配套的《数据出境安全评估申报指南(第二版)》(以下称“CBDT-SA指南(第二版)”)和《个人信息出境标准合同备案指南(第二版)》(以下称“SCC备案指南(第二版)”)发布并生效。新规篇幅不大,共14个条文,但对中国数据出境监管作出了重大调整,将对公司数据出境项目规划与执行产生较大影响。基于此,结合对新规内容的理解、分析,我们对新规要点及其后续适用建议提示如下:
You may notice that two Fridays ago, on March 22, 2024, the Provisions on Facilitating and Regulating Cross-border Transfer of Data (hereinafter referred to as the "Provisions") along with the accompany Guide to Declaration for Data Cross-border Transfer Security Assessment (Second Version) (hereinafter referred to as the "CBDT-SA Guide") and Guide to the Filing of Standard Contract for Cross-border Transfer of Personal Information (Second Version) (hereinafter referred to as the "SCC Guide") are formally issued and effective. The Provisions only consist of 14 articles, but it makes significant adjustments to the current data outbound supervision, which may have a big impact on the data outbound project planning and implementation of your company. Based on our understanding and analysis of the Provisions, we would like to provide the following key points and application suggestions for your kind reference:
新规要点提示
Key Points of the Provisions
1. 数据出境新规的全称为《促进和规范数据跨境流动规定》,此前2023年9月28日公布的征求意见稿全称为《规范和促进数据跨境流动规定》(以下称“9.28征求意见稿”),“促进”字样调整于“规范”之前,松绑之意显现,也是新规整体基调的体现。
The full name of the Provisions is “the Provisions on Facilitating and Regulating Cross-border Transfer of Data”, and the full name of the draft version issued on September 28, 2023 is “the Provisions on Regulating and Facilitating Cross-border Transfer of Data” (hereinafter referred to as the "Draft Provisions"). You may see the “facilitation” is adjusted before the "regulation", which indicates the regulator’s attitude of reducing restrictions on data flow, also sets the overall tone of the Provisions.
2. 重要数据识别以相关部门、地区告知或者公开发布为准,未被告知属于重要数据,或不在公开发布的重要数据目录中的,不作为重要数据处置,相应的数据出境无需申报CBDT-SA。但请公司垂注,新规明确数据处理者的“自主识别重要数据”和“配合申报重要数据”义务,在重要数据问题上,企业需要做好相应的义务履行合规留痕工作。(参见新规第二条)
The identification of important data is based on notification or public release by relevant departments or regions. If data has not been notified as important or is not included in the publicly released list of important data, the export of such data does not require CBDT-SA. We would note that the Provisions clearly define the obligations of data processors to "independently identify important data" and "cooperate with the declaration of important data", and on the issue of important data, enterprises need to do a good job of fulfilling the corresponding obligation and document the compliance work. (see Article 2 of the Provisions)
3. 新规明确了一般数据(非重要数据、非个人信息)的出境活动无需履行CBDT-SA、订立SCC、通过认证等出境前置程序。(参见新规第三条)
The Provisions clarify that general data (non-important data, non-personal information) outbound activities do not need to perform CBDT-SA, sign SCC, pass certification and go through other outbound pre-procedures. (see Article 3 of the Provisions)
4. 新规对“境外个人信息入境后再出境”进行了更明确的规定,将9.28征求意见稿第三条提及的“不是在境内收集产生的个人信息向境外提供”细化规定为“
在境外收集和产生的个人信息传输至境内处理后向境外提供,处理过程中没有引入境内个人信息或者重要数据
”。此前,对于“来料加工”问题,监管实务的口径一度为“只要对入境的个人信息有加工分析等处理行为,处理后的个人信息再次出境,即构成个人信息出境,应当履行出境前置程序”。此次新规强调“来料加工中是否额外使用境内个人信息或重要数据”,纯粹的针对入境个人信息本身的加工分析等处理行为(即使加工分析等行为也产生了衍生个人信息),其后的再次出境也不受出境前置程序约束。(参见新规第四条)
Regarding “foreign personal information inbound then outbound”, the Provisions provide more explicit rules by detailing “personal information not collected in mainland China is provided abroad” mentioned Article 3 of the Draft Provisions to “
where the personal information collected and generated by a data processor located abroad is transferred to China for processing and then provided overseas
”. Previously, for the issue of "inbound processing", the regulatory practice was "as long as there is processing behavior such as processing and analysis of inbound personal information, and if the personal information processed leaves China again, it constitutes personal information outbound, and the outbound pre-procedure should be performed". The current Provisions emphasizes "whether additional domestic personal information or important data is used in the processing of inbound foreign information”, thus purely processing, such as processing and analysis of inbound personal information itself (even if such processing and analysis also produce derived personal information), the subsequent outbound will not be subject to the outbound pre-procedure. (see Article 4 of the Provisions)
5. 四种情形下的个人信息出境被完全豁免出境前置程序,具体为:(1)订立、履行合同所确需;(2)人力资源管理所确需;(3)紧急状况保护自然人所确需;(4)非CIIO当年累计出境不满10万人个人信息(不包含敏感个人信息,以下称“SPI”)。提请注意:
Outbound pre-procedures for the personal information outbound are completely exempted in the following 4 scenarios: (1) where it is necessary to conclude or perform a contract; (2) where it is necessary for human resources management; (3) where it is necessary to protect individuals in emergencies; (4) non-critical information infrastructure operators have provided overseas personal information of less than 100,000 people (excluding sensitive personal information, hereinafter referred to as “SPI”) in accumulation of the current year. Please note that:
1) 新规用“确需”替代了9.28征求意见稿的“必须”表述,我们认为是“松绑”的表现。
The Provisions replace the expression of "must" in the Draft Provisions with "really necessary", which we believe this is a sign of "loosening restrictions".
2) 订立、履行合同所确需情形下,新规列举了较为丰富的个人事务活动场景(跨境购物、跨境寄递、跨境汇款、跨境支付、跨境开户、机票酒店预订、签证办理、考试服务等)。对于“个人作为一方当事人的合同”,不建议简单通过“签署合同将个人信息出境列为合同义务”的方法达成“订立、履行合同所确需”情形,而应当相对严格地分析并评价出境个人信息在该情形下是否“确有需要”出境,出境必要性应具备合理性、满足常识理解并服务于合同目的实现。
Under “where it is necessary to conclude or perform a contract” circumstance, the Provisions list a wealth of personal affairs activities (cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket hotel reservation, visa processing, and examination services). For the "contract of an individual as a party", it is not recommended to reach scenario “where it is necessary to perform a contract" by simply "signing the contract and listing the outbound of personal information as the contractual obligation". The suggested way is to strictly analyze and evaluate whether the outbound of personal information is "really necessary" in this situation. The necessity of outbound should be reasonable, meet common sense understanding, and serve the realization of the contract purpose.
3) “确需”的认定,并无细化标准,企业可自行构建,但可能在监管检查、个人信息保护合规审计等活动中面临“挑战”,在获得进一步CAC咨询反馈或者指示前,建议对“确需”的把握应予审慎。
There is no detailed standard for the identification of "really necessary", and enterprises can establish their own, but they may face "challenges" in regulatory inspections, personal information protection compliance audits and other activities. Before obtaining further CAC consultation feedback or instructions, it is advisory to interpret "really necessary" cautiously.
4) 非CIIO当年累计出境人数不满10万情形,企业需要对当年出境规模做好“预估”和“监测”,如可能超出临界值,需要提前预留时间用于前置程序工作开展。此外,需要注意,“不满10万人个人信息”中的个人信息,不得包含SPI。
For the scenario “non-critical information infrastructure operators provide overseas personal information of less than 100,000 people in accumulation of the current year”, enterprises need to "estimate" and "monitor" the outbound scale of the current year. If it is possible to exceed the critical value, it is necessary to reserve time in advance for the pre-procedure work. In addition, please note that personal information in the "personal information of less than 100,000 people" must not contain SPI.
(参见新规第五条see Article 5 of the Provisions)
6. 自贸区可执行“负面清单”机制。“负面清单”是指,在清单上的需要履行出境前置程序,清单之外的则自由跨境流动(无需履行前置程序要求),且从文义理解而言,重要数据出境亦可能执行“自贸区豁免”(理论上可能,实践中我们认为重要数据纳入“负面清单”的可能性较大)。根据我们了解到的信息,以上海为典型,相关政府部门正在积极推动相关清单的制定和发布,但工作方向仍是“示范案例”“正面清单”,“负面清单”固然对企业有利且更具可执行性,但地方政府可能会有较大承压(地方需要自负责任,且“负面清单”需要由省级网络安全和信息化委员会批准,通俗而言,需要省级一把手签字通过)。对于自贸区“负面清单”,我们建议予以“审慎的乐观观望”,后续中央和地方在“负面清单”问题上,可能仍会有较长时间的“拉扯”与“审慎变通做法”。(参见新规第六条)
Pilot free trade zones can implement the "negative lists" mechanism, which refers to the requirement of fulfilling outbound pre-procedures for data on the list and free cross-border flow for data outside the list (no outbound pre-procedures required). Additionally, based on textual interpretation, "exemption of pilot free trade zones” may also be applied to the cross-border flow of important data (in theory, it is possible, but in practice, we believe that important data is more likely to be included in the "negative lists"). Per our knowledge, taking Shanghai as a typical example, relevant government departments are actively promoting the formulation and release of relevant lists, but the direction of work is still "demonstration cases" and "positive lists". Although the "negative lists" are beneficial to enterprises and more enforceable, local governments may have greater pressure (local governments need to take responsibility for themselves, and the "negative lists" needs to be approved by the provincial cybersecurity and information technology committee. To put it simple, it needs to be signed by the provincial governor.). For "negative lists" of pilot free trade zones, we suggest holding an attitude of "cautiously optimistic and waiting and seeing", as there may still be a longer period of "pulling" and "prudent flexibility" between central and local governments on the issue of “negative lists”. (see Article 6 of the Provisions)
7. CBDT-SA触发情形调整为符合如下条件之一:
The CBDT-SA triggering situations are adjusted to meet one of the following conditions:
1) 重要数据出境均触发CBDT-SA。
Any outbound of important data will trigger CBDT-SA.
2) CIIO个人信息出境触发CBDT-SA。
Outbound of personal information of CIIO will trigger CBDT-SA.
3) 非CIIO当年累计出境100万人以上个人信息(不含SPI)。
Non-critical information infrastructure operators provide overseas personal information of more than 1000,000 people in accumulation of the current year (not containing SPI).
4) 非CIIO当年累计出境1万人以上SPI。
Non-critical information infrastructure operators have provided overseas SPI of more than 10,000 people in accumulation of the current year.
5)如果触发“境外个人信息入境后再出境”(新规第四条)
和“三种豁免情形”(新规第五条(一)至(三)部分内容),以及自贸区“负面清单”(新规第六条)情形,则上述1)-4)情形无需进行CBDT-SA。
If triggering "foreign personal information inbound then outbound" (Article 4 of the Provisions) and "3 exemption situations" (Article 5 (1) to (3) of the Provisions), as well as the pilot free trade zone "negative lists" (Article 6 of the Provisions) situation, then above 1) -4) situations do not need to carry out CBDT-SA.
(参见新规第七条see Article7 of the Provisions)
8. 订立SCC或通过认证触发情形调整为如下:
Triggering situations of concluding SCC or pass certification are adjusted to the followings:
1) 非CIIO当年累计出境10万人以上、不满100万人个人信息(不含SPI)。
Non-critical information infrastructure operators provide personal information (not containing SPI) of more than 100,000 but less than 1 million individuals overseas in accumulation of the current year.
2) 非CIIO当年累计出境不满1万人SPI。
Non-critical information infrastructure operators provide SPI of less than 10,000 in accumulation of the current year.
3) 如果触发“境外个人信息入境后再出境”(新规第四条)和“三种豁免情形”(新规第五条(一)至(三)部分内容),以及自贸区“负面清单”(新规第六条)情形,则上述1)-2)情形无需订立SCC或通过认证。
If triggering "foreign personal information inbound then outbound" (Article 4 of the Provisions) and "3 exemption situations" (Article 5 (1) to (3) of the Provisions), as well as the pilot free trade zone "negative lists" (Article 6 of the Provisions) situation, then above 1) -2) situations do not need to conclude SCC or pass certification.
(参见新规第八条see Article 8 of the Provisions)
9. CBDT-SA有效期延长为3年,且可到期前申请延长有效期(到期并不直接触发重新评估),相较于《数据出境安全评估办法》第十四条规定进行了“松绑”。(参见新规第九条)
The validity period of CBDT-SA is extended to 3 years, and the validity period can be extended before the expiration (expiration does not directly trigger reassessment), which reduces the requitements compared with Article 14 of the Measures for Data Cross-border Transfer Security Assessment. (see Article 9 of the Provisions)
10. 新规重申告知、单独同意、PIA三项义务。目前实践中,企业需要在CBDT-SA和SCC备案中向CAC提供单独同意证明材料,此次CBDT-SA指南(第二版)中明确“涉及个人信息出境的,需提供履行《个人信息保护法》第三十九条规定的情况说明及佐证材料,包括告知义务和取得个人的单独同意等,若属于《个人信息保护法》第十三条第一款第二项至第七项规定情形的,不需取得个人同意”。SCC备案指南(第二版)中并未明确该等内容,但“举重明轻”来看,SCC备案也可执行同意之外的其他合法性基础,当属应有之义。我们认为,“个人信息出境单独同意”有望松绑,具体执行可嗣后观望。(参见新规第十条,CBDT-SA指南(第二版))
The Provisions reaffirm the three obligations of notification, separate consent and outbound PIA. In current practice, enterprises need to provide separate consent proof materials to CAC in the CBDT-SA and SCC filing, and the CBDT-SA Guide clearly states that "If personal information is involved to be transferred overseas, it is necessary to provide information and supporting materials for fulfilling Article 39 of the PRC Personal Information Protection Law, including the obligation to inform and obtain individual’s separate consent, etc. If it falls under the circumstances stipulated in Article 13, Paragraph 1, Item 2 to Item 7 of the PRC Personal Information Protection Law, it is not necessary to obtain individual’s consent". This is not explicitly stated in the SCC Guide, considering that declaring a CBDT-SA is always stricter than SCC filing, it could be justified that the SCC filing can also enforce other legal bases than consent. We believe that the "separate consent of personal information outbound" is expected to be loosened, and the specific implementation can be observed later. (see Article 10 of the Provisions andCBDT-SA Guide)
11. 数据处理者对出境数据有保护和保障义务,以及特定的监管报告机制。但相应的监管报告机制目前无实践机制,通俗而言,“出了问题找数据处理者,通常为境内提供方,其甚至可能需要对境外接收方的行为负责”。(参见新规第十一条)
Data processors have obligations to protect and safeguard outbound data, as well as specific regulatory reporting mechanisms. However, the corresponding regulatory reporting mechanism currently has no practical mechanism. In other words, "when there is a problem, the data processor, usually the domestic provider, will be the first responsible person and it may even be responsible for the behavior of the overseas recipient." (see Article 11 of the Provisions)
12. 地方CAC对新规执行进行“前中后”全流程监管,实践而言,企业需要重点关注监管主动检查、投诉举报和个人信息保护合规审计等引发的监管风险传导。对于是否适用新规予以出境前置程序豁免或义务松绑需要做好前置合规改造和留痕自证。(参见新规第十二条)
Local CAC conducts whole-process supervision of before, during, and after the event on the implementation of the Provisions. In practice, enterprises need to focus on the regulatory risk transmission caused by the active regulatory inspection, complaint reporting and compliance audit of personal information protection, etc. As to whether the Provisions are applicable for the pre-procedure exemption or the obligation relief, enterprises need to make compliance reform and document evidence for self-proof. (see Article 12 of the Provisions)
13. 新规明确其优先于《数据出境安全评估办法》《个人信息出境标准合同办法》的适用。对于新规之前的既已申报的安全评估/SCC备案(尤其是未获通过或部分通过的申报案例)如何处理,新规答记者问(https://www.cac.gov.cn/2024-03/22/c_1712776611649184.htm)予以澄清,简单可总结为:已经完成的,尊重既成事实;未完成的,新规引发前置程序选择变化的,按照新规要求执行;新规引发前置程序豁免的,企业自行决策(继续执行原程序,或申请撤回原程序)。(参见新规第十三条、第十四条以及答记者问第14问)
The Provisions clearly takes precedence over the application of the Measures for Data Cross-border Transfer Security Assessment and the Measures for the Standard Contract for Cross-border Transfer of Personal Information. As for the handling of submitted CBDT-SA and SCC filing cases, especially for those cases which has not been approved or are partially approved, the official Q&A (https://www.cac.gov.cn/2024-03/22/c_1712776611649184.htm) has responded: if the pre-procedures are completed, the relevant stakeholders will respect the results; if the pre-procedures are not completed and the Provisions cause changes in the selection of pre-procedures, the requirements of the Provisions hall be implemented; if the Provisions trigger the exemption of the pre-procedure, the enterprise may make its own decision (continue to proceed with the original procedure, or apply to withdraw the original procedure). (see Article 13 and 14 of the Provisions and Q14 of the official Q&A)
14. 提请重点阅看新规《答记者问》,一共16个问题,对新规部分内容理解、后续执行实操进行了回答,包括CIIO认定、当年累计人数如何计算、线上申报系统路径等。
We recommend reading the official Q&A (16 questions), which answers the understanding of some of the contents of the Provisions and the follow-up implementation, including CIIO identification, how to calculate the cumulative number of people in the current year, and the path of the online declaration system.
15. 提请仔细阅看《数据出境安全评估申报指南(第二版)》和《个人信息出境标准合同备案指南(第二版)》,第二版的CBDT-SA指南和SCC备案指南在内容上与新规进行了衔接、申报表和报告模板也进行了相应调整,整体而言都有显现的“松绑”变化(如,有些旧版指南要求“详细说明”的内容,第二版中调整为“简要说明”)。
We recommend reading CBDT-SA Guide and SCC Guide. These 2 Guides have been connected with the Provisions in contents, and the declaration form and report template have been adjusted accordingly. In general, a trend of “easing compliance burdens” could be tasted (for example, the old version of the Guide required "detailed explanation" for some items, which the current Guide requires "brief explanation").
仍待澄清的问题
Issues to Be Further Clarified
1. 《答记者问》问题5对“个人信息、SPI是什么”进行了回答,但回答是对法条原文的重述,无法解决实务中长期存在的“个人信息/SPI认定”问题。如,SPI脱敏后,是否仍然属于SPI?再如,个人信息认定应当从“提供方”还是“接收方”角度进行?
In the official Q&A, the answer to Q5 "What is personal information and SPI?" is a restatement of the original law, which cannot solve the long-standing problem of "identification of personal information /SPI" in practice. For example, after SPI is desensitized, does it still belong to SPI? For another example, should personal information be identified from the perspective of the "provider" or the "recipient"?
2. “在境外收集和产生的个人信息”和“境内个人信息”的含义仍不明确。“境外直采+服务器位于境外”模式是否属于在境外收集个人信息?
The meaning of "personal information collected and generated overseas" and "domestic personal information" remains unclear. Does the mode of "overseas direct collection + server located overseas" belong to the collection of personal information overseas?
3. 对“为订立、履行个人作为一方当事人的合同所必需”如何理解,是否个人信息主体必须为合同的“签约主体”?如保险合同下的被保险人、跨境电商下的收货人等“第三人”是否可以纳入?
How to understand "necessary for the conclusion and performance of the contract to which the individual is a party", and whether the personal information subject must be the "contracting party" of the contract? Can "third parties" such as the insured under the insurance contract and the consignee under cross-border e-commerce be included?
4. 人力资源管理所确需情形下,目前新规条文仅豁免“员工个人信息”,对于招聘场景下的候选人、外包人员、实习人员、派遣人员等,字面而言难以纳入,且员工能否涵盖关联方的员工,也有待监管进一步释明和澄清。
In the case of actual need of human resource management, the current Provisions only exempts "employee personal information", which is literally difficult to include candidates in the recruitment scenario, outsourcing personnel, interns, dispatched personnel, etc. , and whether employees can cover employees of related parties needs to be further clarified by regulatory authorities.
5. “订立SCC”是否必然导向SCC备案?典型场景为“数据处理者仅向境外提供1个人的SPI”,根据新规第八条和《答记者问》问题12,该场景触发订立SCC或者通过个人信息保护认证,但根据《个人信息出境标准合同备案指南(第二版)》“一、适用范围”的规定,又不同时满足SCC备案触发条件,基于此,“数据处理者仅向境外提供1个人的SPI(假设不属于新规规定的豁免前置程序的情形)”,是否可以理解为“需要签署SCC,但无需进行SCC备案”?
Does "conclusion of SCC" necessarily lead to SCC filing? The typical scenario is "the data processor only provides the SPI of 1 person overseas (assuming that the case does not fall under the pre-procedure exemption under the Provisions)". According to Article 8 of the Provisions and Q12 of the official Q&A, this scenario triggers the conclusion of SCC or the certification of personal information protection, while, according to the provisions of "I Application Scope" of the SCC Guide, this scenario does not simultaneously meet the triggering conditions for SCC filing. Based on this, can "the data processor only provides the SPI of 1 person overseas" be understood as "need to sign the SCC, but no need to do the SCC filing"?
6. 境外访问境内个人信息模式下,如何判断当年的人数?是看境外接收方访问权限对应的人数,还是看境外接收方实际访问的人数?进一步地,如果以“访问权限对应人数”为准,每一个“1月1日起”的当年,是看新增人数还是看全部人数?
Under the mode of overseas access to domestic personal information, how to judge the number of people in the current year? Should we use the number of people corresponding to the access rights of overseas recipients, or the number of people actually visited by overseas recipients? Further, if the "number of people corresponding to access rights" prevails, for each year as of "January 1", shall we use the number of newly added or all the people?
新规适用建议
Suggestions for Applying the Provisions
1. 结合自身情况(出境场景、出境数据量预估、具体出境数据字段等)和CAC咨询反馈情况,评估自身出境场景能否豁免(重点评估新规第三条、第四条、第五条、第六条、第七条、第八条的适用情况)。就新规适用判断,可参考我们总结的下表:
Assess the company’s own data outbound scenario based on specific circumstances (e.g. outbound scenario, intended data outbound volume, specific data fields being exported) as well as feedback provided by CAC to determine whether such outbound scenarios could be eligible for exemptions granted by the Provisions (with a particular focus on evaluating the applicability of Article 3, 4, 5, 6, 7, and 8 of the Provisions).
For the judgment of the application of the Provisions, you can refer to the following table that we summarized:
2. 经评估,原CBDT-SA可“降级”为SCC备案、认证路径的,或者可予以出境前置程序豁免的,可在咨询CAC后进行相应决策(延续原程序、调整出境路径或向省级网信办撤回申请),请注意对相关评估、咨询、决策过程的留痕。
After evaluation, if the original CBDT-SA can be "downgraded" to the SCC filing and certification path, or can be exempted from the pre-procedures, the corresponding decision can be made after consulting the CAC (continuation of the original procedure, adjustment of the outbound path or withdrawal of the application to the provincial CAC). Please pay attention to document the relevant assessment, consultation and decision-making process.
3. 无论“降级”、豁免与否,务必做好相应的自评估和其他合规改造工作安排,并对相关工作开展、合规论证等做好扎实的留痕自证工作,例如数据资产盘点、出境场景梳理、分类分级、出境数据范围评估、重要数据识别、CIIO身份识别、同意之外合法性基础的选择、单独同意的获得、出境情形下个人信息保护影响评估报告撰写等。
Regardless of "downgrade", exemption or not, it is necessary to make corresponding arrangements for self-assessment and other compliance reform work, and do a solid job of self-certification with documentation of relevant work and compliance demonstration. Relevant may include, without limitation, data asset inventory, outbound scenario sorting, classification and grading, outbound data scope assessment, important data identification, CIIO identification, choice of legal basis other than consent, obtaining separate consent, and drafting of impact assessment report on personal information protection for the outbound scenarios.
4. 尽快与境外接收方和/或总部就新规内容、可能影响以及既有项目应对策略等进行沟通(尤其是对后续潜在的出境路径变化、提交文件变化等进行解释说明)。
Communicate as soon as possible with overseas recipients and/or headquarters on the contents of the Provisions, possible impacts, and coping strategies for ongoing projects (in particular, explaining potential subsequent changes in outbound path, changes in prepared documents for submission, etc.).
以上供参考。就新规理解、执行与项目开展,欢迎随时与我们沟通,后续我们将就新规内容及其仍存在的疑问进行同业沟通和监管咨询。
We hope the above is helpful. Please feel free to reach us on the understanding and implementation of the Provisions, and the project development suggestions. Going forward, we will conduct industry communication and regulatory consultation on the contents of the Provisions and pending issues.
Bi_CBDT新规要点提示、待澄清问题与适用建议(3月24日通用版)
作者:数据的朋友来源:数据的朋友

想必各位已经留意到,就在上上周五,2024年3月22日,《促进和规范数据跨境流动规定》(以下称“数据出境新规”或“新规”)以及配套的《数据出境安全评估申报指南(第二版)》(以下称“CBDT-SA指南(