On July 7, the Cyberspace Administration of China (CAC) issued the long-awaited “Measures for Cross-border Data Transfer Security Assessment” (the “Measures”). Since China issued its Data Security Law (DSL) and the Personal Information Protection Law (PIPL) last year, businesses have been waiting for further clarification along five key pillars (cf. framework below), among them “cross-border data transfer”.
In a global and increasingly digitized world, the flow of data across borders has become a reality for businesses and governments. In China, for instance, the digital economy already officially accounted for 38.6% of GDP in 2020. In recent years, therefore, all three major trading and regulatory blocs – the EU, the U.S. and China – have started developing legislation to protect privacy and ensure a seamless use of data in their respective markets. The World Bank Group (WBG) has classified China’s approach to cross-border data transfer as a “limited transfer model” and ranks it among the strictest in the world.
Therefore, cross-border data security compliance has become a crucial area for international businesses to monitor and to put appropriate measures in place for. To comply with the relevant regulations, they need, for instance, to understand the regulatory implications for the different types of data they generate, to understand where data need to cross borders within their often internationally configured and complex company set-ups, and to manage the at times conflicting regulations that apply in each regulatory bloc.
The newly issued “Measures” on cross-border data flow, which take effect on 1 September 2022, are part of China’s effort to establish its own data security mechanism and fit within China’s broader regulatory architecture. First and foremost, they are intended to “standardize the export of data from China” and to “protect personal information, safeguard national security, and public interest”.
Starting September 1st, foreign and domestic companies in China alike must apply for approval with the CAC in these three cases:
when transferring any data from “Critical Information Infrastructure Operators” (CIIOs) out of the country
when exporting any type or amount of “Important Data”
when exporting above a certain threshold of “Personal Information” (incl. “Sensitive Personal Information”)
Detailed definitions of “Important Data” will be published by the respective industry regulators. The approval by the CAC takes about 2 months and is valid for two years. Moreover, data recipients abroad bear an extraterritorial legal duty to protect the received Chinese data in accordance with Chinese law.
Compared with the last draft from October 2021, the “Measures” feature both “good” and “bad” news for foreign businesses.
On the positive side, for instance, the CAC has relaxed the regulation on cross-border transfers of “Personal Information”. The CAC’s approval is required only once a company has cumulatively transferred a certain amount of “Personal Information” over the past two years. Moreover, an application rejected by the authorities can now be re-submitted to the CAC for re-assessment.
On the other hand, and perhaps most surprisingly, the final “Measures” state that companies must rectify their practice within 6 months even for cross-border data transfers that took place before the “Measures” enter into force.
The Cybersecurity Law enacted in 2017 already requires all companies based in China to take measures to protect their cybersecurity, and the Personal Information Protection Law (PIPL) institutes China’s first comprehensive governance of personal information. This latest piece of data regulation is a further puzzle piece in implementing the Chinese government’s strategy of better unlocking data as a “factor of production” on the foundation of a comprehensive regulatory framework. So undoubtedly, if it does not already, data compliance in general will bind more resources of foreign businesses in and dealing with China in the future.