What you should know before the cross-border transfer of personal information in China

Monday 13 January 2025

Jihong Chen

Zhong Lun, Beijing

chenjihong@zhonglun.com

Jian Chen

Zhong Lun, Beijing

chenjianbj@zhonglun.com

China’s legislative regime on cross-border data transfer

The Chinese data protection regime, comprised of the Cybersecurity Law of the People’s Republic of China (CSL), the Data Security Law of the People’s Republic of China (DSL), the Personal Information Protection Law of the People’s Republic of China (PIPL) and the Provisions on Facilitating and Regulating Cross-border Data Flows (Provisions), along with extensive supplementary implementing regulations, is comprehensive in scope, has extraterritorial reach and significantly affects companies conducting business in China, with a particular emphasis on the supervision of cross-border data transfers (CBDT). Companies that process the personal information (PI) of individuals residing within the territory of China in the course of their business operations may be subject to regulatory oversight, regardless of whether they are physically established in China.

Specifically, pursuant to Article 38 of PIPL, where a PI handler really needs to provide PI outside the territory of the People's Republic of China (PRC) due to business or other needs, it shall meet one of the following conditions:  

  • pass the security assessment organised by the Cyberspace Administration of China (the ‘CAC Security Assessment’);
  • enter into a contract with the overseas recipient under the standard contract formulated by the CAC (the ‘CN SCCs’); and/or
  • be certified by a specialised agency for protection of PI in accordance with the provisions of the CAC (‘Certification’).

The regulatory regime for CBDT has been established and restructured with the release of the following laws and regulations:

  • the Measures for the Security Assessment of Outbound Data Transfer (the ‘Measures for the Security Assessment’), effective as of 1 September 2022;
  • the Measures for the Standard Contract for Cross-border Transfer of PI (the ‘Measures for CN SCCs’) by the CAC along with its annex of the Standard Contract for Cross-border Transfer of PI (the ‘CN SCCs’), effective as of 1 June 2023;
  • the Announcement on the Implementation of PI Protection Certification by the State Administration for Market Regulation and CAC, with its annex Rules for the Implementation of PI Protection Certification, effective as of 4 November 2022; and
  • the Practice Guideline for Cybersecurity Standards-Specification for Security Certification of Cross-Border Transfers of PI V2.0 (‘Specification V2.0’) by the National Information Security Standardization Technical Committee, effective as of 16 December 2022.

The Provisions were officially issued by the CAC and took effect on 22 March 2024.

Reconstruction of the compliance mechanism for CBDT

In the past two years, the three CBDT compliance mechanisms, comprising the CAC Security Assessment, CN SCCs and the Certification, have been formed in China. However, there are widespread problems in practice, such as low evaluation triggering thresholds, long evaluation cycles, difficulty in evaluating necessity and difficulty in implementing separate consent. Against this background, with the goal of stabilising the economy and promoting development, the Provisions facilitated cross-border data transfer, reduced companies’ compliance burden and reconstructed the compliance mechanism for CBDT.

Mandatory rules: CAC Security Assessment

Article 4 of the Measures for the Security Assessment explicitly outlines the mandatory triggering conditions for the CAC Security Assessment, and the CAC Security Assessment regime aims at ensuring national security and public interests.

Optional path: CN SCCs

In addition to the CAC Security Assessment, Article 38 of the PIPL specifies that data handlers may enter into contracts with overseas recipients in accordance with the standard contract formulated by the CAC. Essentially, the CN SCCs are a mechanism for implementing the principle of equivalent protection outlined by the PIPL. Considering the potential differences and deficiencies in PI protection legislation or enforcement in the country or region where the overseas recipient is located, the CN SCCs convert the basic requirements of PI protection outlined by the PIPL and related laws and regulations into specific contractual terms that are legally binding on, and enforceable against, the overseas recipient.

Optional path: certification

To the extent that it is not mandatory to conduct security assessment of outbound PI transfer, data handlers may also choose to conduct PI protection certification through designated institutions. The certification is a voluntary certification recommended by CAC. Once certified, it serves as a lawful approach for CBDT activities within the scope of certification. Additionally, certification constitutes a long-term mechanism, which means that if there are no substantial changes to the certified CBDT activities, it can serve as a basis for continuous CBDT activities within a certain period.

New chapter in CBDT regulation and practice

The Provisions have reconstructed the previously established compliance mechanism for CBDT defined by the Measures for the Security Assessment and the Measures for CN SCCs. In terms of regulatory approach, there is a shift from a regulation-focused to a promotion-focused framework. Based on the Provisions, there are several substantive changes to the CBDT regulatory framework.

Clarified several key issues

Regarding data collected and generated in activities such as international trade, cross-border transport, academic cooperation, transnational manufacturing and marketing, if it does not contain PI or key data, it is not required to apply for security assessment for data to be provided abroad, to conclude a standard contract for PI to be provided abroad, or to obtain certification for PI protection. Moreover, unless the relevant departments or regions have notified the data handler, or publicly announced, that the data constitutes key data, the data handler is not obligated to apply for security assessment for that data to be provided abroad as key data.

Exempted scenarios of Article 38 of PIPL

Under any of the following circumstances, a data handler is exempt from applying for security assessment for PI (excluding key data) to be provided abroad, from concluding a standard contract for PI to be provided abroad, and from passing certification for PI protection:

  • Data transit transmission: where a data handler transfers overseas PI that was collected and generated overseas and processed domestically, without domestic PI or key data being involved in the process.
  • Contract performance: where providing PI overseas is necessary for the establishment or performance of a contract to which the individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa handling and examination services, etc.
  • Human resources management: where it is necessary to provide employee PI overseas in implementing cross-border human resource management based on legally formulated labour rules and collective contracts.
  • Personal interests protection: where it is necessary to provide PI overseas in an emergency to protect the life, health and property safety of natural persons.
  • Where a data handler other than a CIIO (critical information infrastructure operator) provides abroad the PI (excluding sensitive PI) of not more than 100,000 individuals accumulatively as of 1 January 2024.

Scenarios subject to security assessment

The Provisions adjusted the scenarios subject to security assessment:

  • where a CIIO provides PI or key data abroad (regardless of quantity);
  • where any data handler other than a CIIO provides key data abroad; and
  • where any data handler other than a CIIO provides, as of 1 January 2024, PI (excluding sensitive PI) of not less than one million individuals or sensitive PI of not less than 10,000 individuals in aggregate to overseas parties.

Applicable Scenarios for Standard Contract or Certification for PI Protection

The Provisions adjusted the applicable scenarios for standard contract or certification for PI protection:

  • where any data handler other than a CIIO provides abroad the PI (excluding sensitive PI) of not less than 100,000 but not more than one million individuals, accumulatively as of 1 January 2024; and
  • where any data handler other than a CIIO provides abroad sensitive PI of not more than 10,000 individuals, accumulatively as of 1 January 2024.

Special policies of the free trade zones (FTZs)

The Provisions leave space for special policies in the FTZs. FTZs may formulate lists of data that need to be included in the scope of administration of security assessment for data to be provided abroad, standard contracts for PI to be provided abroad and certification for PI protection (the ‘Negative List’). Such lists shall be filed for the record with the national cyberspace administration and the national data administration upon approval by the cyberspace administration at the provincial level. Cross-border transfers of data not on the Negative List are exempted from declaring a security assessment for providing data abroad, concluding a standard contract for providing PI abroad or passing certification for PI protection.

Substantive compliance obligations of data handlers have not been reduced

Although the Provisions provide for several exempted scenarios, it should be noted that the substantive compliance obligations of data handlers under laws such as the DSL and the PIPL have not been reduced. The key concerns are as follows:

  • inform and obtain separate consent in the cross-border transfer of personal information and conduct a Personal Information Protection Impact Assessment (PIPIA);
  • implement the obligations of data security protection, take technical measures and other necessary measures to ensure the safety of outbound data. Where a data security incident occurs or may occur, remedial measures shall be taken and timely reports shall be made to the provincial CAC and other relevant competent departments; and
  • regulatory authorities will strengthen the supervision of the whole life cycle of the data cross-border transfer, and if there is a substantial risk in the data cross-border transfer or a data security incident occurs, the data handler will be required to make rectification and eliminate the risks. Those who refuse to make rectifications or cause serious consequences will be held accountable according to the law.

Other regulatory tools on cross-border data transfers

Relevant laws and regulations have also established CBDT regulatory systems for specific circumstances, as follows:

Cybersecurity Review and Data Security Review

According to the Cybersecurity Review Measures (amended), the purchase of network products and services by a CIIO and the data processing activities carried out by an online platform operator, which affects or may affect national security, shall be subject to a cybersecurity review in accordance with the present Measures.

According to the DSL, the state establishes a data security review system, under which data processing activities that affect or may affect national security shall be reviewed for national security.

Approval system for providing domestic data at the request of foreign judicial or law enforcement authorities

Pursuant to Article 36 of the DSL, the competent authorities of the PRC are required, in accordance with relevant laws, international treaties and agreements entered into or acceded to by China or based on the principles of equality and mutual benefit, to handle requests made by foreign judicial or law enforcement authorities seeking data provision. No organisation or individual within the territory of the PRC is permitted to provide data stored within the country to foreign judicial or law enforcement authorities without the explicit approval of the competent authorities of China. Consequently, a specialised mechanism for regulating the outbound data transfer in the legal and law enforcement sectors has been established, commonly known as China's Blocking Provision.

Regulations on special types of data

Special types of data such as healthcare big data, human genetic resources and personal financial information may not be freely transferred overseas. Where it is necessary to transfer such data overseas, the special requirements applicable to each type of information shall apply.

  • Healthcare big data: the Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation) provide that healthcare big data shall be securely stored on reliable servers within the PRC. Security assessment and review must be undertaken before such data is transferred abroad.
  • Human genetic resources: the Regulation on the Administration of Human Genetic Resources of the PRC provides that the provision or disclosure of human genetic resources information to an overseas recipient shall not pose a threat to public health, national security or the public interest; otherwise, a security review organised by the administrative department of science and technology must be passed, and such information shall be submitted for backup and filed for record with the administrative department of science and technology under the State Council.
  • Personal financial information: the Personal Financial Information Protection Technical Specification provides that personal financial information shall be stored, processed and analysed within the PRC; where there is a necessity to share it with overseas entities (including the headquarters, parent company, branches, subsidiaries and other affiliated institutions), strict protective measures shall be implemented. Prior to any overseas transfer, a comprehensive security assessment is mandatory.

Furthermore, for certain types of data, such as natural resources and automobile data, if identified as key data, security assessment shall be conducted when it is necessary to transfer such data overseas.

  • Natural resources: the Management Measures for Data Security in the Field of Natural Resources provide that key data collected and generated by data processors within the PRC shall be stored within the PRC, and where there is a genuine need to provide such data outside the territory, the data processors shall conduct a security assessment.
  • Automobile data: the Certain Provisions on Automobile Data Security Management (Trial) provide that key data shall be stored within the PRC in accordance with the law, and if it is really necessary to provide it outside the PRC due to business needs, it shall be subject to a security assessment.

Export control over data that falls under controlled items

Moreover, China exercises export control over the data which falls under controlled items and is related to the safeguarding of national security and interests and the fulfillment of international obligations in accordance with the law.