
With the optimization of cross-border data rules, where do outbound enterprises go?

Author: NSFOCUS

On September 28, the Cyberspace Administration of China (CAC) issued the Provisions on Regulating and Facilitating Cross-border Data Flows (Draft for Comments) (the "Draft", also referred to below as the Consultation Paper) for public comment. The Consultation Paper resolves doubts that enterprises have encountered in applying the Measures for Security Assessment of Cross-border Data Transfer, personal information protection certification, standard contract filing and other relevant regulations, and clears up difficulties in the supervision of cross-border data transfer, responding to the concerns of the international trade market about the regulatory environment for cross-border data in mainland China. Guided by the optimization of rules for cross-border data flows, the Consultation Paper is conducive to the further integration of the mainland into high-standard global trade agreements and will play a positive role in the future growth of the mainland's digital trade. To cope with the optimized regulatory rules, data export enterprises are advised to focus on improving their own data security and personal information protection capabilities, to "reduce the burden without reducing responsibility", and to communicate more with the regulator where a policy is unclear, so as to avoid security risks in data export.

1. Introduction to the provisions

(1) Applicability of provisions

In terms of rank, the Consultation Paper is a departmental regulatory document formulated by the Cyberspace Administration of China; the higher-level laws are the Cybersecurity Law, the Data Security Law (hereinafter the "DSL"), and the Personal Information Protection Law (hereinafter the "PIPL"). In accordance with the principle that "the new law prevails over the old law", Article 11 of the Consultation Paper provides that "if the relevant provisions such as the Measures for Security Assessment of Cross-border Data Transfer and the Measures for Standard Contracts for Cross-border Transfer of Personal Information are inconsistent with these Provisions, these Provisions shall prevail." In practice, the Consultation Paper sets out detailed applicable thresholds for assessment applications, standard contracts and certification, and how these connect with the aforementioned measures may require further clarification by the regulatory authorities.

(2) Basic content of the Provisions

The full text of the Draft for Comments consists of 11 articles and 1,267 words. The clarification and refinement of the compliance path for cross-border data transfer in the Consultation Paper are mainly reflected in the following four aspects:

  1. Whitelist system (exemption from the application for security assessment of data export, the conclusion of a standard contract for personal information export, and personal information protection certification, hereinafter referred to as the "review obligation"): exempts the necessity review of data export in certain scenarios, including: data that is neither important data nor personal information; contract performance; human resource management of multinational enterprises; emergency risk avoidance; entry and re-export of overseas data; and data that has not been identified as important data and therefore need not be declared for security assessment.
  2. Clarification of the declaration threshold: the count shifts from the number of individuals whose personal information was exported in the preceding two years to the number of individuals whose personal information is expected to be exported in the coming year, and the counting threshold has been optimized: where the personal information of fewer than 10,000 individuals is expected to be exported within one year, the review obligation is exempted.
  3. Negative list system (special provisions for free trade zones): free trade zones are given the right to pilot data export measures and may formulate their own negative lists; once a list has been reported to the regulatory authorities for approval and filing, data export outside the negative list is exempted from prior review.
  4. Parts consistent with the original system: where state organs and critical information infrastructure operators provide personal information and important data overseas, and where sensitive information and sensitive personal information involving party, government, military and secret-related units is provided overseas, the existing provisions continue to apply.

2. Interpret article by article

Article 1: Non-personal information and non-important data in typical scenarios are not subject to data export supervision

Key points explained

The article reiterates that the objects of data export supervision are only "important data" and "personal information"; data export that includes neither may proceed lawfully and in an orderly manner. Core data and state secrets are outside this scope: core data cannot be exported, and the security of state secrets is governed by the relevant provisions of the National Security Law.


Suggestions for coping

  • This article is limited to activities such as international trade, academic cooperation, and cross-border manufacturing and marketing; it is recommended not to extrapolate beyond the defined scenarios. Communicate with regulators as necessary to confirm a consistent understanding.
  • In practice, attention should be paid to identifying shared academic data that does not involve important data, state secrets or intelligence, and caution should be exercised in applying the exemption in such scenarios so as not to endanger national security or the public interest.
  • In practice, marketing activities in the FMCG industry often use "personal information", which includes not only precision marketing aimed at identifiable personal information subjects but also targeted analysis and marketing of specific groups using data obtained after processing such as de-identification. Under the PIPL, anonymized personal information no longer falls within the scope of personal information, so enterprises need to determine accurately whether the anonymization requirements have been fully met.

Article 2: Clarify the criteria for identifying important data to be included in the security assessment of data export

Key points explained

The DSL provides that the competent authority of each industry shall formulate a catalogue of important data for that industry. The Consultation Paper explains this further: data that has been identified as important data by the relevant regulator must be declared for security assessment, while other data that has not yet been identified as important data need not be declared or assessed as important data.


Suggestions for coping

For the time being, relevant enterprises are not required to declare important data for export assessment. At the same time, they need to monitor changes in regulatory policy, communicate with the regulatory authorities in a timely manner, and keep up with the latest rules and catalogues for identifying important data.

Article 3: Exemption from the obligation to review the entry and re-exit of personal information not collected within the territory

Key points explained

Exemption basis: the subject matter of supervision in this article is personal information, and does not include important data or other data. The exemption under this article is based on "other conditions stipulated by the CAC" in Article 38 of the PIPL.

【Basic Understanding】The regulation of transit data has long been controversial.

  • The PIPL adopts a principle of territoriality, regardless of whether personal information is collected or generated within the territory:

    - "This Law shall apply to the processing of personal information of natural persons within the territory of the People's Republic of China" (Article 3)

    - "Where personal information processors truly need to provide personal information outside the territory of the People's Republic of China due to business needs" (Article 38)

  • The Measures for Security Assessment of Cross-border Data Transfer only stipulate regulatory requirements for data processors providing important data and personal information collected and generated in the course of operations within the territory of the People's Republic of China (Article 2) to overseas recipients, leaving transit data a blank area in the regulatory requirements for cross-border export.
  • On this basis, the Consultation Paper further clarifies the exemption for transit data and points the way for the enterprises concerned.

Suggestions for coping

In practice, data transit situations are more complex, and it is necessary to screen in detail whether personal information in transit has genuinely undergone no processing at all.

Article 4: Exemption from the obligation of review in three cases

Key points explained

Three views have been put forward on the basis for the exemption under this article: first, the "other conditions stipulated by the CAC" under Article 38, Paragraph 4 of the PIPL; second, the exemption in Article 72 of the PIPL for natural persons handling personal information for personal or family affairs; and third, that this article may conflict with the superior law. These divergent opinions need further explanation and clarification by the regulators.

Suggestions for coping

  • In the above circumstances, the determination of whether the outbound personal information is necessary is delegated from the regulator to enterprises, allowing them to make their own judgments, which implies a certain tolerance for judgment errors. Enterprises can base their judgments on the guiding principles proposed in the PIPL: the "necessity principle", "limited to the minimum scope needed to achieve the purpose of processing", "the minimum time necessary to achieve the purpose of processing", and "adopting the method with the least impact on the rights and interests of individuals". At the same time, enterprises should enjoy reasonable commercial judgment and interpretation in the specific application of these principles.
  • In practice, determining necessity remains a common difficulty that needs further clarification by the regulator and accurate identification by the industry through practical cases. At the same time, enterprises should not relax their implementation of personal information protection obligations in cross-border scenarios.

Articles 5 & 6: Clarify the counting logic for outbound personal information

Key points explained


Article 7: Exemption from the review obligation outside the negative list of the free trade zone

Key points explained

The exemption is based on other conditions stipulated by the CAC under Article 38, Paragraph 4 of the PIPL. It also refines Article 14 of the Opinions on Further Optimizing the Foreign Investment Environment and Increasing the Efforts to Attract Foreign Investment, which calls for "establishing green channels for foreign-invested enterprises and forming a general data list that can flow freely" (for ease of implementation, the mechanism has been changed from a "whitelist" to a "blacklist"). Through the "blacklist" mechanism, the relevant regulatory authorities in the FTZs are allowed to explore relaxed data export measures, build the FTZs into digital trade demonstration zones, realize hierarchical and classified supervision of cross-border data flows, meet the diverse outbound needs of enterprises in the FTZs, give full play to their industrial advantages in digital trade, and make the FTZs an important channel for digital trade and cross-border data activities.


Article 8: The data export rules for state organs and CIIOs remain unchanged

Key points explained

  • When handling sensitive information, state organs should ensure that it is not misused or leaked to external forces.
  • CIIOs typically include telecom operators, financial institutions and energy companies, which hold large volumes of personal information and important data, such as the financial status data of bank customers, the communication data of telecom users, and key data reflecting the mainland's energy supply and distribution; the security of this data is of paramount importance to both the state and the individual.
  • A leak of the sensitive information and sensitive personal information of party, government, military and secret-related units may pose a serious threat to national security and social stability.
  • Leaving the above cross-border data transfer rules unchanged reflects the regulator's great concern for the cross-border security of important data, sensitive information and sensitive personal information related to national security and the public interest. The units involved shall hold the bottom line, strictly implement the export requirements, and ensure that no security incidents arise from data export.

Article 9 & 10: Clarification of the responsibilities and obligations of the parties

Key points explained

The requirements on the responsibilities and obligations of all parties show a fundamental change in the mainland's regulatory thinking on data export, from "paternalistic supervision" to "self-disciplined supervision".

  • Under documents such as the Measures for Security Assessment of Cross-border Data Transfer, if the CAC finds that an outbound activity that has passed the assessment no longer meets the requirements for outbound security management, it notifies the data processor in writing to terminate the activity.
  • In the Consultation Paper, the CAC extends supervisory responsibility to local cyberspace administrations, and the regulatory logic becomes risk-oriented and rectification-oriented. However, an enterprise that shows a poor attitude and refuses to rectify, or whose export security incident causes serious consequences, still faces the penalty of having its outbound activities stopped.

3. How should enterprise customers respond to data export needs?

For outbound enterprises, the issuance of the Consultation Paper is clearly good news. We recommend that enterprises pay close attention to how the Consultation Paper develops. If no official document has been issued before November 30, 2023, enterprises should first prepare the materials for export review according to the original schedule, and communicate with the local provincial cyberspace administration to determine as soon as possible whether they need to submit them, so as to avoid compliance risks after the rectification period for standard contract filing ends. If a document has been officially issued before the end of November, enterprises can reorganize their outbound scenarios, data, systems and links in accordance with its requirements, select an appropriate export route, and fulfill their legal obligations for data export. Specific countermeasures are as follows:

(1) "Reducing the burden but not reducing the responsibility"

Enterprises that are exempt from the review obligation to export personal information shall still perform the personal information protection obligations stipulated in the PIPL, and the compliance obligations include:

  • "Notification-Consent" Obligation (PIPL Article 39)
  • Personal Information Protection Impact Assessment (PIA) in the context of cross-border data transfer (Articles 55 and 56 of the PIPL)
  • Personal Information Protection Compliance Audit (PIPL Articles 54 and 64)
  • Other obligations to protect personal information, such as security regulations, classified management, encryption technology, emergency plans, security training, and reporting obligations in the event of a security incident (Articles 51 and 57 of the PIPL)
  • Signing of legal documents (Articles 20, 21 and 23 of the PIPL)

(2) Focus on strengthening their own personal information protection capabilities

With the release of the regulatory requirements for personal information protection compliance audits, some believe that the regulatory hotspot has shifted from data export to compliance audits. However, the author believes that, as the personal information protection supervision mechanism forms a closed loop, the regulator's requirements are moving from the "points" of data export self-assessment and compliance audit to the overall "aspects" of protection: enterprises' personal information protection management capabilities, technical measures and operating platforms. At the same time, the requirements are moving from the outward form of supervision to the improvement of the core security capabilities of data processors, and the most important point is the construction of enterprises' personal information protection capabilities.

Therefore, we recommend that enterprises treat data export compliance as an opportunity: use a widely available SaaS-based self-assessment tool to sort out, investigate and evaluate the basic state of their data export, rectify the problems found in a timely manner, adjust the data export plan, and improve their personal information protection management, technical and operating systems. By improving their personal information protection capabilities, enterprises consolidate their foundations and can respond to the PIPL's compliance issues from a solid footing.

(3) Communicate more with regulators

For enterprises that are already in the process of preparing for application assessment and standard contract filing, it is recommended to communicate with the regulator and select an appropriate exit route based on the current compliance work progress.

Data that may constitute important data but has not been notified by the relevant departments or regions, or publicly released as important data, need not be declared for security assessment of data export under Article 2 of the Draft for Comments. However, enterprises should follow the formulation of important data catalogues by industry authorities and regions in a timely manner, and, once data is identified as important data, promptly adjust and implement the important data protection obligations stipulated in the Data Security Law.

In practice, where the Consultation Paper fails to provide detailed explanations, it is also necessary to consult the local provincial cyberspace administration in a timely manner and listen to regulatory opinions and suggestions.