23 April 2024

Since the launch of the Personal Information Protection Law and the Data Security Law in 2021, the People’s Republic of China (“PRC”) has adopted a series of legal requirements regarding cross-border data flow.

To legitimise transfers of personal information (“PI”) from the PRC to overseas:

  • enterprises handling large data volumes, “important data, or identified as “critical information infrastructure operators” were required to pass a data export security assessment (“DESA”) led by the Cybersecurity Administration of China (“CAC”); and
  • other enterprises were required to conclude a standard contract with the overseas recipient on cross-border PI transfers (“SCC”) and conduct a filing for the standard contract (“SCC Filing”), or obtain a PI protection certification issued by a specialised institution (with DESA and SCC Filing, “Compliance Requirements”).

However, due to ambiguities in the triggers for the above requirements, and the lack of guidance on the conditions within and applicability of the Compliance Requirements, many enterprises relied on SCC Filing for compliance purposes or did not complete the required processes while waiting for additional official guidelines.

On 22 March 2024 (“Effective Date”), CAC officially released the Provisions on Facilitating and Regulating Cross-border Data Flows (促进和规范数据跨境流动规定) (“New Regulations”), with immediate effect. While the New Regulations maintain the existing basic mechanisms and systems for regulating enterprises’ cross-border data flow, they clarify the implementation of and coherence among the relevant systems and requirements, narrow the scope of DESA, and appropriately relax the conditions for outbound data transfers. This may accordingly ease enterprises’ compliance burden in cross-border data flow and boost the digital economy by facilitating cross-border data flow.

The CAC also released on the Effective Date the Guide to Applications for Security Assessment of Outbound Data Transfers (Second Edition) (数据出境安全评估申报指南(第二版)) and the Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (Second Edition) (个人信息出境标准合同备案指南(第二版)) setting out the updated requirements for the methods, procedures, and materials for application for DESA and SCC Filing. The New Regulations clarify that its provisions shall prevail in case of any discrepancy with existing rules on DESA and SCC. It is therefore important for enterprises with intensive cross-border data flow to better understand the developments brought by the New Regulations in the cross-border data transfer regulatory regime.

This article highlights the major changes under the New Regulations, summarises the channels and requirements of outbound data transfers for different types of entities and data, and sets out the exemption conditions. We aim to provide an easy-to-use roadmap for enterprises’ reference in finding solutions for different scenarios of cross-border data flow in their operations and in navigating China’s complex cross-border data flow regime.