

CAC released Regulations on Standardising and Promoting Cross-Border Data Flows



Cybersecurity Administration of China


September 28, 2023

On September 28, 2023, the Cybersecurity Administration of China (“CAC”) released new Regulations on Standardising and Promoting Cross-Border Data Flows (Draft for Comment) (the “Draft Regulations”) for public comment.

The Draft Regulations provide several allowances for the export of “important data” and personal information (“PI”) in specific scenarios; if passed, they could help to reduce uncertainties and compliance burdens for numerous multinational companies (“MNCs”) and foreign companies.

The Draft Regulations propose that companies be exempt from conducting the outbound data security assessment/PI protection certification/the execution and filing of standard contracts if the PI is not collected in the territory of China.

The Draft Regulations also stipulate that companies do not need to conduct the outbound data transfer security assessment/PI protection certification/the execution and filing of standard contracts in scenarios such as:

1. For the “must-be” purpose of entering into and performing a contract to which an individual is a party, such as cross-border e-commerce, cross-border remittances, air ticket and hotel reservations, visa processing, etc.;

2. The PI of internal employees must be exported to implement human resources management in accordance with the labour rules and regulations and the collective contract signed with employees; or

3. PI must be exported to protect the safety of natural persons' life, health, and property in emergencies. 

The Draft Regulations clarify a couple of issues that MNCs and businesses frequently ask about. Firstly, they state that business and marketing data (other than PI and important data) can be freely transferred. Secondly, data processors are only required to apply for an outbound data security assessment if such data have been notified or publicly released as important data by relevant departments or regions.

