Key Takeaways:
On March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the Regulations on Promoting and Regulating Cross-border Data Transfers (the "New CBDT Regulations"). These regulations were released six months after the draft version (the "Draft Regulations") was made available for public comments on September 28, 2023. The New CBDT Regulations follow a similar approach to the Draft Regulations, emphasizing orderly management and appropriate relaxation, while also incorporate necessary adjustments based on the implementation of data export security management in practice.
1. The New CBDT Regulations have established specific scenarios where data export procedures are not required. These scenarios include data exports and transits in situations such as international trade and cross-border transportation that do not involve personal information or important data. The regulations have also added exemptions for high-frequency data outbound activities, such as cross-border shopping, delivery, remittance and payment. Furthermore, the outbound transfer of employee personal information necessary for cross-border human resource management purposes is exempt from data export procedures.
2. The standards for triggering the data export security assessment and standard contract filing of personal information exports have been raised. (1) If personal information from more than 1 million individuals or sensitive personal information from more than 10,000 individuals is provided to overseas entities cumulatively within a year, a data export security assessment must be submitted. (2) If personal information from more than 100,000 but less than 1 million individuals or sensitive personal information from less than 10,000 individuals is provided to overseas entities cumulatively within a year, a standard contract for exporting personal information or personal information protection certification should be obtained.
Compared to the Draft Regulations, the New CBDT Regulations have made several changes. Firstly, a provision on export of sensitive personal information is included as a separate standard to determine whether it triggers government security assessment or filing, following the approach in existing security assessment regulations. Secondly, the threshold for filing of standard contract has been raised from exporting personal information of 10,000 to 100,000 individuals. Thirdly, regarding the calculation of whether the standard has been met, there has been a change in the approach. Previously, the calculation involved projecting the number of exporting personal information for the upcoming year and now it has been changed to the number accumulated in the current year of application. Fourthly, the validity period for data export security assessment results has been extended from 2 years to 3 years and can be extended upon application.
3. The data export security assessment of important data is contingent upon the condition that the data is made available to the public through a catalog or officially notified by relevant departments or regions. If the data is not notified or publicly released as important data by relevant departments or regions, it is not necessary to report it as important data for data export security assessment.
4. Free trade zones have the authority to issue a negative data list. The list specifies the categories of data exports that are subject to government security assessment, standard contract filing or certification. However, the list only applies to the data processors in the relevant free trade zones.
For enterprises that have not yet submitted security assessments or standard contract filing, it is necessary to determine whether an assessment, filing, or certification is required, and to apply in a timely manner. According to the CAC official’s explanation in press conference, if an enterprise has already applied for security assessment or submitted standard contract filing before the implementation of the New CBDT Regulations, but it is not required to undergo the aforementioned procedures according to the New CBDT Regulations, the data processor can proceed with the original procedures or withdraw the application and filing from the provincial-level cyberspace administration where it is located. If an enterprise has not previously passed or partially passed the security assessment, for data export activities that are exempted from the requirement of security assessment according to the New CBDT Regulations, the data processor can provide personal information to overseas entities through the conclusion of standard contracts or certification.
It is notable that the CBDT Regulations still emphasize compliance requirements for data export activities. For instance, when exporting personal information, companies must fulfill requirements such as notification, obtaining separate consent, and conducting personal information protection impact assessments. For important data, data processors are required to identify and report important data in accordance with relevant regulations. The regulations also emphasize the need to strengthen supervision throughout the entire chain and all areas before, during, and after data export activities. They also clarify the reporting requirements for data security incidents occurring overseas. From an enterprise management and compliance perspective, the first step is to determine whether they are exempt or need to adjust the data export procedures. However, this does not mean stepping out of the existing compliance framework and requirements. Instead, companies should continue to complete the process of improving compliance and implementing measures to ensure compliance in relation to cross-border transfer of personal information and important data.
Please find below our detailed analysis.
I Analysis and interpretation of the key aspects of the New CBDT Regulations
The New CBDT Regulations comprise a total of 14 articles, which encompass the following key aspects:
1. Data processors are not obligated to conduct a data export security assessment for the export of important data if the data being processed has not been officially notified or publicly announced as such by relevant departments or regions.
Practically speaking, without official notification or public release of the important data catalog by relevant departments or regions, data processors (i.e. data handlers) face challenges in determining whether they are processing important data. Consequently, it becomes even more difficult to submit a data export security assessment based on this uncertainty. This provision aims to reduce the ambiguity surrounding the identification of important data, thereby facilitating the smooth cross-border transfer of data for enterprises.
Given the significance of important data to national security and public interests, this provision reinforces the importance of data processors identifying and reporting such data in compliance with relevant regulations. For instance, the "Measures for the Security Management of Industrial and Information Systems Data (Trial)" require that data processors in the industrial and information sectors conduct regular data reviews, identify important data and core data based on applicable standards, and establish specific catalogs for their respective units. The national standard "Data Security Technology Data Classification and Grading Rules" (GB/T 43697-2024) was officially released on March 21, 2024. Appendix G of the standard provides guidelines for identifying important data, listing factors to consider for identifying important data in key industries and sectors. Additionally, the "China (Tianjin) Free Trade Pilot Zone Enterprise Data Classification and Grading Standard Specification" issued by the Tianjin Free Trade Zone also includes a catalog for identifying important data. It requires enterprises to conduct internal data classification and grading work and submit the catalog of important data to the competent authority for network data security in the Tianjin Free Trade Pilot Zone. Further attention should be given to the catalogs of important data in various industries and regions to determine if they involve data generated or managed by the enterprises themselves.
2. Data export procedures do not apply to cross-border transfers that do not involve domestic personal information or important data.
The New CBDT Regulations explicitly exempt two types of cross-border transfers that do not involve domestic personal information or important data from the data export procedures:
(1) Common cross-border business activities such as international trade, cross-border transportation, transnational production and manufacturing, marketing, and academic cooperation are exempt from the data export procedures if the exported data does not include personal information or important data. Enterprises can freely engage in these activities abroad.
(2) If personal information collected and generated overseas is transferred to the domestic for processing and then provided to overseas, which is common for outbound enterprises that provide services to overseas users, if no domestic personal information or important data is introduced in the processing process, not impacting the rights and interests of data subjects within our country, there is no need to complete data export procedures.
3. The trigger thresholds and calculation periods for different types of data export procedures have been adjusted.
In contrast to the "Measures for Data Export Security Assessment," which determines the trigger threshold for submitting a data export security assessment based on the quantity of existing data held by data processors, the New CBDT Regulations adopt the cumulative outbound quantity and data types of data processors in the current year as the trigger criteria for different data export procedures. This shift aims to prioritize the risk assessment of exported data, thereby effectively reducing compliance costs for enterprises. Compared to the Draft Regulations, the New CBDT Regulations have made several changes. Firstly, a provision on export of sensitive personal information is included as a separate standard to determine whether it triggers government security assessment or filing. Secondly, the threshold for filing of standard contract has been raised from exporting personal information of 10,000 to 100,000 individuals. Thirdly, regarding the calculation of whether the standard has been met, there has been a change in the approach. Previously, the calculation involved projecting the number of exporting personal information for the upcoming year and now it has been changed to the current year of application. Fourthly, the validity period for data export security assessments has been extended from 2 years to 3 years and can be extended upon application.
Below, we have provided a summary of the types of data export procedures and the criteria that trigger them. These are relevant to critical information infrastructure operators (“CIIO”) and general data processors who provide important data and personal information to overseas entities. This summary aims to help enterprises comprehend their corresponding compliance obligations.

Note: When counting the number of individuals whose personal information being transferred overseas, the number of individuals exempt from the data export procedures under the New CBDT Regulations should be excluded.
4. Certain personal information data export scenarios are exempt from the data export procedures.
In order to address the frequent data transfer needs in practice, as well as the need for multinational companies to transfer employee personal information for cross-border human resource management, the Cross-border Regulations also exempt these data export scenarios from the data export procedures:
(1) when personal information is required to be shared with overseas entities for the purpose of establishing and fulfilling contracts involving individuals, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing, and examination services;
(2) when it is necessary to provide employee personal information to overseas entities for the implementation of cross-border human resource management in accordance with labor regulations and collective contracts signed in accordance with the law;
(3) In emergency situations where it is necessary to provide personal information to overseas entities to protect the life, health, and property safety of individuals.
(4) For data processors, excluding critical information infrastructure operators, who have transmitted personal information of fewer than 100,000 individuals (excluding sensitive personal information) to overseas entities since January 1 of the current year.
Regarding the exemption of personal information export in the aforementioned scenarios, the second item is a common concern in practice, particularly regarding how to meet the requirements for exempting the transfer of employee personal information to overseas entities. In comparison with the Draft Regulations, the New CBDT Regulations still lack a clear definition of the scope and criteria for what is considered "necessary” and “cross-border human resource management." Based on previous project experience, the CAC still maintains specific criteria and requirements for determining the "necessary" need for going abroad. It remains to be seen whether these standards and requirements will continue or be relaxed in exemption cases or in the security assessment and filing of projects. This also means that further observation is needed. Thus, if a company has transferred sensitive personal information of less than employees cumulatively, unless the transfer of such sensitive personal information meets the exemption requirements, the company may still be required to enter into a standard contract for personal information export with the overseas recipient or obtain personal information protection certification, as stipulated in Article 8 of the New CBDT Regulations. Therefore, it is still worth paying attention to the subsequent explanation of this matter.
5. Data processors located in free trade zones are also eligible for exemption from the data export procedures when providing data that is not included in the "negative list".
Under the national data classification and grading protection system, free trade zones have the authority to independently create a data list, known as the "negative list," which determines the scope of data export security assessment, standard contracts for export of personal information, and personal information protection certification. This list must be approved by the provincial-level cybersecurity and information committee and filed with the national cyberspace administration and the national data management department.
Data processors located in free trade zones are eligible for exemption from the data export procedures when providing data that falls outside the negative list. However, it's important to note that this exemption only applies to data processors within free trade zones.
Recently, it is worth paying attention to the regulations introduced by different free trade pilot zones to promote data circulation. For example, the Beijing Municipal Bureau of Commerce issued the "Regulations on the Beijing Foreign Investment (Draft for Comments)," which stipulates the "efficient conduct of data export security assessments for important data and personal information, the formulation of a general data list that can flow freely, and the promotion of secure and orderly data circulation."1 The Guangzhou Municipal Administration of Government Services Data Management released the "Guangzhou Data Regulations (Draft for Comments)," which proposes the establishment of a "white list" system for cross-border data transfers2. The Shanghai Municipal Government issued the "Implementation Plan for the Overall Plan for Fully Connecting with International High-standard Economic and Trade Rules and Promoting the High-level Institutional Opening of China (Shanghai) Pilot Free Trade Zone," which mentions exploring the establishment of a legal, secure, and convenient mechanism for cross-border data transfers to enhance the convenience of cross-border data flow. By strengthening the classification guidance for outbound data in relevant industries, releasing sample scenarios, and establishing a cross-border data service center in the Lingang New Area, it facilitates data processors to conduct self-assessment and other security compliance work3.
6. The legal requirements for cross-border data transfer and obligations for handling data security incidents are restated.
Article 10 of the New CBDT Regulations highlights the importance of data processors fulfilling certain obligations when providing personal information to overseas parties. These obligations include notification, obtaining individuals’ separate consent to the cross-border data transfer, and conducting personal information protection impact assessments in accordance with laws and administrative regulations. This requirement aligns with the emphasis on individual’s separate consent in the Draft Regulations. The provision clarifies that the relaxation mainly pertains to the scope of assessments and filings, and does not change the management requirements for cross-border transfer of personal information. Even for companies exempt from assessments or filings, they must still implement the basic obligations for cross-border transfers in their business processes and comply with the corresponding legal requirements.
Article 11 of the New CBDT Regulations emphasizes the protection of data export security. It states that in the event of or potential occurrence of a data security incident, remedial measures should be taken and timely reports should be made to the provincial-level and above cyberspace administration departments and other relevant competent authorities.
Since the implementation of the Cybersecurity Law over six years ago, various supporting rules and law enforcement activities related to cybersecurity have gradually become more comprehensive. In 2023, the CAC also issued the "Management Measures for Reporting Cybersecurity Incidents (Draft for Comments)", which requires network operators to promptly initiate emergency plans for handling cybersecurity incidents. For relatively severe, severe, and extremely severe serious cybersecurity incidents, reports should be made within one hour. The specific reporting process and requirements for cross-border data transfer in the event of a data security incident still need further clarification through practice. These requirements are in line with current operational practices, and it is recommended for companies to establish response plans and internal management requirements.
II Our observations and recommendations
In general, the New CBDT Regulations adjust and optimize the mechanism for data export procedures, facilitate the cross-border data flows and reduce the compliance costs for enterprises while ensuring national data security. Under the guidance of the New CBDT Regulations, enterprises can refer to the following key points to evaluate and improve their compliance in cross-border data transfer scenarios.
1. Evaluating and assessing the applicability of the New CBDT Regulations to enterprises, and determining applicable compliance strategies based on their situations.
(1) For those which have not yet submitted a security assessment or standard contract filing, it is necessary to determine as soon as possible whether a data export security assessment, standard contract filing, or personal information protection certification is required, and to apply as soon as possible. If after reviewing the data export situation, the data processor still needs to complete a data export security assessment or conclude standard contracts for personal information export, they need to update and improve the application materials and submit them as soon as possible, according to "Guidelines for Data Export Security Assessment (Second Edition)" and "Guidelines for Standard Contract for Personal Information Export (Second Edition)" issued by the CAC on the same date of the New CBDT Regulation. Based on CAC official’s explanation during the press conference4, general applications can be submitted through the data export filing system.
(2) Assessing whether to proceed with or withdraw the submitted application for security assessment or standard contract filing. According to CAC official’s explanation during the press conference, if an enterprise has already applied for a data export security assessment, or submitted a filing for a standard contract for personal information export before March 22, 2024, but is not required to carry out the above procedures according to the New CBDT Regulations, the data processor can proceed with the original procedures or withdraw the application and filing from the provincial cyberspace administration department. Although the specific process for withdrawal is not yet clear, it can be confirmed by contacting the relevant responsible officials later.
(3) Assessing the possibility of utilizing alternative methods for data export if the security assessment is unsuccessful or only partially successful. According to CAC official’s explanation during the press conference, if an enterprise fails to pass or partially pass the data export security assessment by March 22, 2024, it can provide personal information to overseas entities through other means, such as entering into standard contract for exporting personal information or obtaining personal information protection certification, if exempt from the data export security assessment under the New CBDT Regulations. However, practical implementation is still needed to confirm whether the data export scenarios or specific data fields that did not pass or were only partially passed during the security assessment would satisfy the relevant requirements of other data export channels.
(4) The validity period of the security assessment passing result has been extended to 3 years, and renewal can be applied for upon expiration. If data processors have already conducted data export security assessments before March 22, 2024, they can continue based on their application. According to the New CBDT Regulations, the validity period of these assessment results is three years from the date of issuance. When the validity period expires and there is a need to continue exporting data without re-applying the security assessment, data processors can apply for a 3-year extension within 60 working days before the expiration of the validity period.
2. Improving internal compliance measures to meet the basic requirements for the cross-border transfer of personal information. While the New CBDT Regulations provide exemptions from data export procedures for certain circumstances, it is important to note that these exemptions do not relieve the compliance obligations for cross-border data transfers. In particular, Article 10 of the New CBDT Regulations emphasizes the general compliance obligations for the outbound transfer of personal information, including fulfilling the notification obligation, obtaining individual consent, and conducting a personal information protection impact assessment. This is also the basic compliance requirement for the outbound transfer of personal information under the "Personal Information Protection Law". When reviewing the process of outbound transfer of personal information, regardless of whether an assessment, standard contract filing, or certification is required, companies still need to assess whether there are compliance gaps and make necessary improvements, while keeping relevant records. This is also a basic requirement for companies to meet future personal information protection compliance audits.
3. Continuously monitoring the updates in the catalog of important data and ensuring the identification and reporting of important data in compliance with the law. According to the New CBDT Regulations, data processors should identify and report important data in accordance with relevant regulations. Even if the data being processed has not been officially notified or publicly announced as such by relevant departments or regions, there is no need to apply for a security assessment for exporting important data. However, considering that different regions and departments will establish a data classification and protection system, and determine the specific catalog of important data for the local area, department, industry, and field, the practice will develop accordingly. Enterprises should still closely follow and continuously pay attention to the identification and reporting requirements for important data based on their own industry, data processing, and business activities.
We will actively monitor the implementation of the New CBDT Regulations and stay updated on any developments.
1.https://sw.beijing.gov.cn/zmhd/dczjj/202309/t20230920_3262661.html
2. http://zsj.gz.gov.cn/hdjlpt/yjzj/answer/29851
3.https://www.shanghai.gov.cn/nw12344/20240205/2af907af61cf4977866b7d377baf5d1d.html
4. https://mp.weixin.qq.com/s/-Y-dY_HL21jHTFQsMbeiVQ
On March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the Regulations on Promoting and Regulating Cross-border Data Transfers (the "New CBDT Regulations"). These regulations were released six months after the draft version (the "Draft Regulations") was made available for public comments on September 28, 2023. The New CBDT Regulations follow a similar approach to the Draft Regulations, emphasizing orderly management and appropriate relaxation, while also incorporate necessary adjustments based on the implementation of data export security management in practice.
1. The New CBDT Regulations have established specific scenarios where data export procedures are not required. These scenarios include data exports and transits in situations such as international trade and cross-border transportation that do not involve personal information or important data. The regulations have also added exemptions for high-frequency data outbound activities, such as cross-border shopping, delivery, remittance and payment. Furthermore, the outbound transfer of employee personal information necessary for cross-border human resource management purposes is exempt from data export procedures.
2. The standards for triggering the data export security assessment and standard contract filing of personal information exports have been raised. (1) If personal information from more than 1 million individuals or sensitive personal information from more than 10,000 individuals is provided to overseas entities cumulatively within a year, a data export security assessment must be submitted. (2) If personal information from more than 100,000 but less than 1 million individuals or sensitive personal information from less than 10,000 individuals is provided to overseas entities cumulatively within a year, a standard contract for exporting personal information or personal information protection certification should be obtained.
Compared to the Draft Regulations, the New CBDT Regulations have made several changes. Firstly, a provision on export of sensitive personal information is included as a separate standard to determine whether it triggers government security assessment or filing, following the approach in existing security assessment regulations. Secondly, the threshold for filing of standard contract has been raised from exporting personal information of 10,000 to 100,000 individuals. Thirdly, regarding the calculation of whether the standard has been met, there has been a change in the approach. Previously, the calculation involved projecting the number of exporting personal information for the upcoming year and now it has been changed to the number accumulated in the current year of application. Fourthly, the validity period for data export security assessment results has been extended from 2 years to 3 years and can be extended upon application.
3. The data export security assessment of important data is contingent upon the condition that the data is made available to the public through a catalog or officially notified by relevant departments or regions. If the data is not notified or publicly released as important data by relevant departments or regions, it is not necessary to report it as important data for data export security assessment.
4. Free trade zones have the authority to issue a negative data list. The list specifies the categories of data exports that are subject to government security assessment, standard contract filing or certification. However, the list only applies to the data processors in the relevant free trade zones.
For enterprises that have not yet submitted security assessments or standard contract filing, it is necessary to determine whether an assessment, filing, or certification is required, and to apply in a timely manner. According to the CAC official’s explanation in press conference, if an enterprise has already applied for security assessment or submitted standard contract filing before the implementation of the New CBDT Regulations, but it is not required to undergo the aforementioned procedures according to the New CBDT Regulations, the data processor can proceed with the original procedures or withdraw the application and filing from the provincial-level cyberspace administration where it is located. If an enterprise has not previously passed or partially passed the security assessment, for data export activities that are exempted from the requirement of security assessment according to the New CBDT Regulations, the data processor can provide personal information to overseas entities through the conclusion of standard contracts or certification.
It is notable that the CBDT Regulations still emphasize compliance requirements for data export activities. For instance, when exporting personal information, companies must fulfill requirements such as notification, obtaining separate consent, and conducting personal information protection impact assessments. For important data, data processors are required to identify and report important data in accordance with relevant regulations. The regulations also emphasize the need to strengthen supervision throughout the entire chain and all areas before, during, and after data export activities. They also clarify the reporting requirements for data security incidents occurring overseas. From an enterprise management and compliance perspective, the first step is to determine whether they are exempt or need to adjust the data export procedures. However, this does not mean stepping out of the existing compliance framework and requirements. Instead, companies should continue to complete the process of improving compliance and implementing measures to ensure compliance in relation to cross-border transfer of personal information and important data.
Please find below our detailed analysis.
I Analysis and interpretation of the key aspects of the New CBDT Regulations
The New CBDT Regulations comprise a total of 14 articles, which encompass the following key aspects:
1. Data processors are not obligated to conduct a data export security assessment for the export of important data if the data being processed has not been officially notified or publicly announced as such by relevant departments or regions.
Practically speaking, without official notification or public release of the important data catalog by relevant departments or regions, data processors (i.e. data handlers) face challenges in determining whether they are processing important data. Consequently, it becomes even more difficult to submit a data export security assessment based on this uncertainty. This provision aims to reduce the ambiguity surrounding the identification of important data, thereby facilitating the smooth cross-border transfer of data for enterprises.
Given the significance of important data to national security and public interests, this provision reinforces the importance of data processors identifying and reporting such data in compliance with relevant regulations. For instance, the "Measures for the Security Management of Industrial and Information Systems Data (Trial)" require that data processors in the industrial and information sectors conduct regular data reviews, identify important data and core data based on applicable standards, and establish specific catalogs for their respective units. The national standard "Data Security Technology Data Classification and Grading Rules" (GB/T 43697-2024) was officially released on March 21, 2024. Appendix G of the standard provides guidelines for identifying important data, listing factors to consider for identifying important data in key industries and sectors. Additionally, the "China (Tianjin) Free Trade Pilot Zone Enterprise Data Classification and Grading Standard Specification" issued by the Tianjin Free Trade Zone also includes a catalog for identifying important data. It requires enterprises to conduct internal data classification and grading work and submit the catalog of important data to the competent authority for network data security in the Tianjin Free Trade Pilot Zone. Further attention should be given to the catalogs of important data in various industries and regions to determine if they involve data generated or managed by the enterprises themselves.
2. Data export procedures do not apply to cross-border transfers that do not involve domestic personal information or important data.
The New CBDT Regulations explicitly exempt two types of cross-border transfers that do not involve domestic personal information or important data from the data export procedures:
(1) Common cross-border business activities such as international trade, cross-border transportation, transnational production and manufacturing, marketing, and academic cooperation are exempt from the data export procedures if the exported data does not include personal information or important data. Enterprises can freely engage in these activities abroad.
(2) If personal information collected and generated overseas is transferred to the domestic for processing and then provided to overseas, which is common for outbound enterprises that provide services to overseas users, if no domestic personal information or important data is introduced in the processing process, not impacting the rights and interests of data subjects within our country, there is no need to complete data export procedures.
3. The trigger thresholds and calculation periods for different types of data export procedures have been adjusted.
In contrast to the "Measures for Data Export Security Assessment," which determines the trigger threshold for submitting a data export security assessment based on the quantity of existing data held by data processors, the New CBDT Regulations adopt the cumulative outbound quantity and data types of data processors in the current year as the trigger criteria for different data export procedures. This shift aims to prioritize the risk assessment of exported data, thereby effectively reducing compliance costs for enterprises. Compared to the Draft Regulations, the New CBDT Regulations have made several changes. Firstly, a provision on export of sensitive personal information is included as a separate standard to determine whether it triggers government security assessment or filing. Secondly, the threshold for filing of standard contract has been raised from exporting personal information of 10,000 to 100,000 individuals. Thirdly, regarding the calculation of whether the standard has been met, there has been a change in the approach. Previously, the calculation involved projecting the number of exporting personal information for the upcoming year and now it has been changed to the current year of application. Fourthly, the validity period for data export security assessments has been extended from 2 years to 3 years and can be extended upon application.
Below, we have provided a summary of the types of data export procedures and the criteria that trigger them. These are relevant to critical information infrastructure operators (“CIIO”) and general data processors who provide important data and personal information to overseas entities. This summary aims to help enterprises comprehend their corresponding compliance obligations.

Note: When counting the number of individuals whose personal information being transferred overseas, the number of individuals exempt from the data export procedures under the New CBDT Regulations should be excluded.
4. Certain personal information data export scenarios are exempt from the data export procedures.
In order to address the frequent data transfer needs in practice, as well as the need for multinational companies to transfer employee personal information for cross-border human resource management, the Cross-border Regulations also exempt these data export scenarios from the data export procedures:
(1) when personal information is required to be shared with overseas entities for the purpose of establishing and fulfilling contracts involving individuals, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing, and examination services;
(2) when it is necessary to provide employee personal information to overseas entities for the implementation of cross-border human resource management in accordance with labor regulations and collective contracts signed in accordance with the law;
(3) In emergency situations where it is necessary to provide personal information to overseas entities to protect the life, health, and property safety of individuals.
(4) For data processors, excluding critical information infrastructure operators, who have transmitted personal information of fewer than 100,000 individuals (excluding sensitive personal information) to overseas entities since January 1 of the current year.
Regarding the exemption of personal information export in the aforementioned scenarios, the second item is a common concern in practice, particularly regarding how to meet the requirements for exempting the transfer of employee personal information to overseas entities. In comparison with the Draft Regulations, the New CBDT Regulations still lack a clear definition of the scope and criteria for what is considered "necessary” and “cross-border human resource management." Based on previous project experience, the CAC still maintains specific criteria and requirements for determining the "necessary" need for going abroad. It remains to be seen whether these standards and requirements will continue or be relaxed in exemption cases or in the security assessment and filing of projects. This also means that further observation is needed. Thus, if a company has transferred sensitive personal information of less than employees cumulatively, unless the transfer of such sensitive personal information meets the exemption requirements, the company may still be required to enter into a standard contract for personal information export with the overseas recipient or obtain personal information protection certification, as stipulated in Article 8 of the New CBDT Regulations. Therefore, it is still worth paying attention to the subsequent explanation of this matter.
5. Data processors located in free trade zones are also eligible for exemption from the data export procedures when providing data that is not included in the "negative list".
Under the national data classification and grading protection system, free trade zones have the authority to independently create a data list, known as the "negative list," which determines the scope of data export security assessment, standard contracts for export of personal information, and personal information protection certification. This list must be approved by the provincial-level cybersecurity and information committee and filed with the national cyberspace administration and the national data management department.
Data processors located in free trade zones are eligible for exemption from the data export procedures when providing data that falls outside the negative list. However, it's important to note that this exemption only applies to data processors within free trade zones.
Recently, it is worth paying attention to the regulations introduced by different free trade pilot zones to promote data circulation. For example, the Beijing Municipal Bureau of Commerce issued the "Regulations on the Beijing Foreign Investment (Draft for Comments)," which stipulates the "efficient conduct of data export security assessments for important data and personal information, the formulation of a general data list that can flow freely, and the promotion of secure and orderly data circulation."1 The Guangzhou Municipal Administration of Government Services Data Management released the "Guangzhou Data Regulations (Draft for Comments)," which proposes the establishment of a "white list" system for cross-border data transfers2. The Shanghai Municipal Government issued the "Implementation Plan for the Overall Plan for Fully Connecting with International High-standard Economic and Trade Rules and Promoting the High-level Institutional Opening of China (Shanghai) Pilot Free Trade Zone," which mentions exploring the establishment of a legal, secure, and convenient mechanism for cross-border data transfers to enhance the convenience of cross-border data flow. By strengthening the classification guidance for outbound data in relevant industries, releasing sample scenarios, and establishing a cross-border data service center in the Lingang New Area, it facilitates data processors to conduct self-assessment and other security compliance work3.
6. The legal requirements for cross-border data transfer and obligations for handling data security incidents are restated.
Article 10 of the New CBDT Regulations highlights the importance of data processors fulfilling certain obligations when providing personal information to overseas parties. These obligations include notification, obtaining individuals’ separate consent to the cross-border data transfer, and conducting personal information protection impact assessments in accordance with laws and administrative regulations. This requirement aligns with the emphasis on individual’s separate consent in the Draft Regulations. The provision clarifies that the relaxation mainly pertains to the scope of assessments and filings, and does not change the management requirements for cross-border transfer of personal information. Even for companies exempt from assessments or filings, they must still implement the basic obligations for cross-border transfers in their business processes and comply with the corresponding legal requirements.
Article 11 of the New CBDT Regulations emphasizes the protection of data export security. It states that in the event of or potential occurrence of a data security incident, remedial measures should be taken and timely reports should be made to the provincial-level and above cyberspace administration departments and other relevant competent authorities.
Since the implementation of the Cybersecurity Law over six years ago, various supporting rules and law enforcement activities related to cybersecurity have gradually become more comprehensive. In 2023, the CAC also issued the "Management Measures for Reporting Cybersecurity Incidents (Draft for Comments)", which requires network operators to promptly initiate emergency plans for handling cybersecurity incidents. For relatively severe, severe, and extremely severe serious cybersecurity incidents, reports should be made within one hour. The specific reporting process and requirements for cross-border data transfer in the event of a data security incident still need further clarification through practice. These requirements are in line with current operational practices, and it is recommended for companies to establish response plans and internal management requirements.
II Our observations and recommendations
In general, the New CBDT Regulations adjust and optimize the mechanism for data export procedures, facilitate the cross-border data flows and reduce the compliance costs for enterprises while ensuring national data security. Under the guidance of the New CBDT Regulations, enterprises can refer to the following key points to evaluate and improve their compliance in cross-border data transfer scenarios.
1. Evaluating and assessing the applicability of the New CBDT Regulations to enterprises, and determining applicable compliance strategies based on their situations.
(1) For those which have not yet submitted a security assessment or standard contract filing, it is necessary to determine as soon as possible whether a data export security assessment, standard contract filing, or personal information protection certification is required, and to apply as soon as possible. If after reviewing the data export situation, the data processor still needs to complete a data export security assessment or conclude standard contracts for personal information export, they need to update and improve the application materials and submit them as soon as possible, according to "Guidelines for Data Export Security Assessment (Second Edition)" and "Guidelines for Standard Contract for Personal Information Export (Second Edition)" issued by the CAC on the same date of the New CBDT Regulation. Based on CAC official’s explanation during the press conference4, general applications can be submitted through the data export filing system.
(2) Assessing whether to proceed with or withdraw the submitted application for security assessment or standard contract filing. According to CAC official’s explanation during the press conference, if an enterprise has already applied for a data export security assessment, or submitted a filing for a standard contract for personal information export before March 22, 2024, but is not required to carry out the above procedures according to the New CBDT Regulations, the data processor can proceed with the original procedures or withdraw the application and filing from the provincial cyberspace administration department. Although the specific process for withdrawal is not yet clear, it can be confirmed by contacting the relevant responsible officials later.
(3) Assessing the possibility of utilizing alternative methods for data export if the security assessment is unsuccessful or only partially successful. According to CAC official’s explanation during the press conference, if an enterprise fails to pass or partially pass the data export security assessment by March 22, 2024, it can provide personal information to overseas entities through other means, such as entering into standard contract for exporting personal information or obtaining personal information protection certification, if exempt from the data export security assessment under the New CBDT Regulations. However, practical implementation is still needed to confirm whether the data export scenarios or specific data fields that did not pass or were only partially passed during the security assessment would satisfy the relevant requirements of other data export channels.
(4) The validity period of the security assessment passing result has been extended to 3 years, and renewal can be applied for upon expiration. If data processors have already conducted data export security assessments before March 22, 2024, they can continue based on their application. According to the New CBDT Regulations, the validity period of these assessment results is three years from the date of issuance. When the validity period expires and there is a need to continue exporting data without re-applying the security assessment, data processors can apply for a 3-year extension within 60 working days before the expiration of the validity period.
2. Improving internal compliance measures to meet the basic requirements for the cross-border transfer of personal information. While the New CBDT Regulations provide exemptions from data export procedures for certain circumstances, it is important to note that these exemptions do not relieve the compliance obligations for cross-border data transfers. In particular, Article 10 of the New CBDT Regulations emphasizes the general compliance obligations for the outbound transfer of personal information, including fulfilling the notification obligation, obtaining individual consent, and conducting a personal information protection impact assessment. This is also the basic compliance requirement for the outbound transfer of personal information under the "Personal Information Protection Law". When reviewing the process of outbound transfer of personal information, regardless of whether an assessment, standard contract filing, or certification is required, companies still need to assess whether there are compliance gaps and make necessary improvements, while keeping relevant records. This is also a basic requirement for companies to meet future personal information protection compliance audits.
3. Continuously monitoring the updates in the catalog of important data and ensuring the identification and reporting of important data in compliance with the law. According to the New CBDT Regulations, data processors should identify and report important data in accordance with relevant regulations. Even if the data being processed has not been officially notified or publicly announced as such by relevant departments or regions, there is no need to apply for a security assessment for exporting important data. However, considering that different regions and departments will establish a data classification and protection system, and determine the specific catalog of important data for the local area, department, industry, and field, the practice will develop accordingly. Enterprises should still closely follow and continuously pay attention to the identification and reporting requirements for important data based on their own industry, data processing, and business activities.
We will actively monitor the implementation of the New CBDT Regulations and stay updated on any developments.
1.https://sw.beijing.gov.cn/zmhd/dczjj/202309/t20230920_3262661.html
2. http://zsj.gz.gov.cn/hdjlpt/yjzj/answer/29851
3.https://www.shanghai.gov.cn/nw12344/20240205/2af907af61cf4977866b7d377baf5d1d.html
4. https://mp.weixin.qq.com/s/-Y-dY_HL21jHTFQsMbeiVQ
