Cyberspace Administration of China Announces Provisions on Promoting and Regulating Cross-border Data Flow

Author: Cyber Information Shuozhou

On March 22, the Cyberspace Administration of China (CAC) promulgated the Provisions on Promoting and Regulating Cross-border Data Flows (hereinafter referred to as the "Provisions"), which came into force on the date of promulgation.

The relevant person in charge of the Cyberspace Administration of China said that the cross-border flow of data has become the basis for the exchange and sharing of global capital, information, technology, talents, goods and other resource elements. In order to promote the orderly and free flow of data in accordance with the law, stimulate the value of data elements, and expand high-level opening-up, the Provisions optimize and adjust the data export security assessment, standard contracts for personal information export, personal information protection certification, and other data export systems.

The Provisions clarify the criteria for declaring a security assessment for the export of important data: where data has not been identified as important data through notification by the relevant departments or regions, or through public release, the data processor does not need to declare a data export security assessment for it as important data.

The Provisions stipulate the conditions under which data export activities are exempt from declaring a security assessment, concluding a standard contract for the export of personal information, and passing personal information protection certification:

(1) data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, and cross-border manufacturing and marketing is provided overseas and does not contain personal information or important data;

(2) personal information collected and generated overseas is transferred to the mainland for processing and then provided overseas, and no domestic personal information or important data is introduced in the process of processing;

(3) personal information collected and generated overseas is provided overseas after being processed in the country;

(4) it is necessary to provide employees' personal information overseas for the implementation of cross-border human resources management in accordance with lawfully formulated labor rules and regulations and collective contracts signed in accordance with law;

(5) it is truly necessary to provide personal information overseas in order to protect the life, health, and property safety of natural persons in an emergency;

(6) data processors other than critical information infrastructure operators have provided less than 100,000 people's personal information (excluding sensitive personal information) overseas since January 1 of that year.

The "Provisions" establish a negative list system for pilot free trade zones. It is proposed that under the framework of the national data classification and hierarchical protection system, the pilot free trade zone may formulate a negative list on its own, and after approval by the provincial network security and information technology commission, it shall be reported to the national cyberspace information department and the national data management department for the record. Data processors in the Pilot Free Trade Zone who provide data outside the negative list may be exempted from applying for security assessments for data export, entering into standard contracts for personal information export, and passing personal information protection certifications.

The Provisions specify the conditions for two types of data export activities that are subject to a security assessment for data export: first, a critical information infrastructure operator provides personal information or important data overseas; second, a data processor other than a critical information infrastructure operator provides important data overseas, or has provided the personal information of more than 1 million people (excluding sensitive personal information) or the sensitive personal information of more than 10,000 people overseas since January 1 of the same year. The Provisions also clarify the conditions for data export activities that require a standard contract for the export of personal information or personal information protection certification: data processors other than critical information infrastructure operators have provided the personal information of more than 100,000 but less than 1 million people (excluding sensitive personal information), or the sensitive personal information of less than 10,000 people, overseas since January 1 of that year.

The Provisions also stipulate the validity period of data export security assessments and the application for its extension, data security protection obligations and supervision and management responsibilities, and how the Provisions connect with and apply alongside other provisions on the security management of data export.

Provisions on Promoting and Regulating Cross-border Data Flows

Article 1: These Provisions are drafted on the basis of the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", the "Personal Information Protection Law of the People's Republic of China", and other laws and regulations, with regard to the implementation of data export security assessments, standard contracts for personal information exports, personal information protection certifications, and other data export systems, so as to ensure data security, protect rights and interests in personal information, and promote the orderly and free flow of data in accordance with law.

Article 2: Data handlers shall identify and report important data in accordance with relevant provisions. Where data has not been identified as important data through notification by the relevant departments or regions, or through public release, the data handler does not need to declare a security assessment for data export for it as important data.

Article 3: Where data collected or produced in activities such as international trade, cross-border transportation, academic cooperation, and cross-border manufacturing and marketing is provided overseas, and does not contain personal information or important data, it is exempt from applying for a security assessment for data export, signing a standard contract for personal information export, and passing personal information protection certification.

Article 4: Where personal information collected or produced by data handlers outside the mainland is transferred to the mainland for processing and then provided overseas, and no domestic personal information or important data is introduced during the processing, they are exempt from reporting a security assessment for data export, entering into a standard contract for personal information export, and passing personal information protection certification.

Article 5: Where data handlers provide personal information overseas and meet any of the following conditions, they are exempt from applying for a security assessment for data export, entering into a standard contract for personal information export, and passing personal information protection certifications:

(1) Where it is truly necessary to provide personal information overseas for the purpose of concluding or performing a contract to which an individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air and hotel reservations, visa handling, examination services, and so forth;

(2) Where it is truly necessary to provide employees' personal information overseas for the implementation of cross-border human resources management in accordance with lawfully formulated labor rules and regulations and lawfully signed collective contracts;

(3) In emergency situations, it is truly necessary to provide personal information overseas in order to protect the safety of natural persons' lives, health, and property;

(4) Data handlers other than critical information infrastructure operators have provided less than 100,000 people's personal information (excluding sensitive personal information) overseas since January 1 of that year.

"Personal information provided overseas" as used in the preceding paragraph does not include important data.

Article 6: Under the framework of the national data classification and hierarchical protection system, pilot free trade zones may draft on their own a list of data that needs to be included in the scope of security assessments for data exports, standard contracts for personal information exports, and personal information protection certification management (hereinafter referred to as the negative list), and after approval by the provincial-level network security and information technology commission, report to the state internet information department and state data management department for filing.

Data processors in the Pilot Free Trade Zone who provide data outside the negative list may be exempted from applying for security assessments for data export, entering into standard contracts for personal information export, and passing personal information protection certifications.

Article 7: Where data handlers provide data overseas and meet any of the following requirements, they shall report a security assessment for data export to the state internet information department through the provincial-level internet information department for the area where they are located:

(1) Critical information infrastructure operators providing personal information or important data overseas;

(2) Data handlers other than critical information infrastructure operators provide important data overseas, or have provided the personal information of 1 million or more people (excluding sensitive personal information) or the sensitive personal information of 10,000 or more people overseas since January 1 of that year.

Where it falls under the circumstances provided for in Articles 3, 4, 5, or 6 of these Provisions, follow those provisions.

Article 8: Where data handlers other than critical information infrastructure operators provide overseas the personal information of 100,000 or more but less than 1,000,000 people (excluding sensitive personal information), or the sensitive personal information of less than 10,000 people, they shall lawfully conclude a standard contract for the export of personal information with the overseas recipient or pass personal information protection certification.

Where it falls under the circumstances provided for in Articles 3, 4, 5, or 6 of these Provisions, follow those provisions.

Article 9: The validity period for the results of the security assessment for data export is 3 years, calculated from the date on which the assessment results are issued. Where it is necessary to continue to carry out data export activities at the expiration of the validity period and there is no need to re-apply for a security assessment for data export, the data handlers may submit an application to the CAC for an extension of the validity period of the assessment results through the local provincial-level internet information department within 60 working days before the expiration of the validity period. With the approval of the State Internet Information Department, the validity period of assessment results may be extended by 3 years.

Article 10: Where data handlers provide personal information overseas, they shall follow the provisions of laws and administrative regulations to perform obligations such as notification, obtaining individuals' separate consent, and conducting personal information protection impact assessments.

Article 11: Where data handlers provide data overseas, they shall comply with the provisions of laws and regulations, perform data security protection obligations, and employ technical measures and other necessary measures to ensure the security of data exports. Where data security incidents occur or might occur, remedial measures shall be employed, and promptly reported to the internet information departments at the provincial level or above and other relevant regulatory departments.

Article 12: Each region's internet information departments shall strengthen guidance and oversight of data handlers' data export activities, complete and improve systems for security assessments of data exports, and optimize the assessment process;

Article 13: Where the "Measures for Security Assessment of Cross-border Data Transfer" (Decree No. 11 of the Cyberspace Administration of China) promulgated on July 7, 2022, and the "Measures on Standard Contracts for the Export of Personal Information" (Decree No. 13 of the Cyberspace Administration of China) released on February 22, 2023, are inconsistent with these Provisions, these Provisions apply.

Article 14: These Provisions shall come into force on the date of promulgation.

Source: Netinfo China