China introduced a new set of regulations on March 22, 2024 to ease cross-border data flow from the Mainland. With the nation pursuing high-level opening-up to the world, easing cross-border data flow is crucial to facilitating global exchanges and the sharing of capital, information, technology, talent, goods and other resources.
Formerly, all outbound transfers of personal information from China could only proceed using one of the Three Mechanisms: obtaining government approval (security assessment); having the outbound transfer certified; or signing and registering the government-issued contract (Chinese SCCs).
Under the new rules, most categories of outbound data are exempt from the Three Mechanisms, i.e. they need neither government approval nor registration, which has been welcomed by foreign enterprises and business communities.
New Rules for Different Outbound Data
Important Data
• Prior approval is needed from the Chinese government.
• Important Data is data that may endanger national security, economic operation, social stability, public health, and safety once it is tampered with, destroyed, leaked, or illegally obtained or used. The definition is broad, and the new rule provides that if companies have not been told that the data is Important Data, they do not need to obtain government approval for the outbound transfer.
Personal Information Transferred by Operators of CIIs
• Prior approval is needed from the Chinese government.
• Critical Information Infrastructure (or CII) are important network facilities and information systems in the industries of public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defence, science and technology as well as those that may seriously endanger national security, national economy and the people’s livelihood, and public interests in case of damage, loss of function or data leakage.
Employees’ Personal Information
• Outbound transfer of employees’ personal information for implementing cross-border human resources management in accordance with the labour rules and regulations formulated in accordance with China law and the collective contract signed in accordance with China law is exempt from the Three Mechanisms.
Personal Information involved in Contract Performance (the Individual being a Party to the Contract)
• Exempt from the Three Mechanisms.
Fewer Than 100,000 Individuals’ Non-sensitive Personal Information (Each Year)
• Exempt from the Three Mechanisms.
Sensitive Personal Information
• Sensitive personal information is personal information that, once leaked or illegally used, can easily lead to the infringement of the personal dignity of natural persons or harm to personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts, and other information, as well as the personal information of minors under the age of 14.
• Outbound transfer of over 10,000 individuals’ sensitive personal information each year: prior Chinese government approval needed.
• Outbound transfer of fewer than 10,000 individuals’ sensitive personal information each year: signing and registering Chinese SCCs or obtaining certification.
Non-Personal Data
• Exempt from the Three Mechanisms.
Personal Information Originated Outside China
• Exempt from the Three Mechanisms.
Non-sensitive Personal Information of > 100,000 but < 1 Million Individuals (Each Year)
• Signing and registering Chinese SCCs or obtaining certification.
Personal Information of > 1 Million Individuals (Each Year)
• Prior approval is needed from the Chinese government.
Personal Information Transferred from the South of the Mainland to Hong Kong
• The data flow between the South of the Mainland and Hong Kong may proceed after companies enter into and register the government-issued “GBA standard contract.”
• The GBA standard contract can be used regardless of the volume of the outbound data and regardless of whether the outbound data include sensitive personal information.
• However, the GBA standard contract does not allow the transfer of Important Data. Also, this manner of outbound transfer does not allow onward transfer from Hong Kong. In addition, if there is a data breach, the Hong Kong recipient must report it even though there is no mandatory data-breach reporting under current Hong Kong law.
Data from FTZs
• The free trade zones (FTZs) are preparing lists of data that companies operating in the FTZs can transfer outside of China.
Data Transferred by a Chinese Party to Foreign Law Enforcement or Judicial Body
• Prior approval from the Chinese government is needed.
Key Takeaways
It is important to note that any outbound transfer of personal information must still meet the following requirements:
• The necessity requirement – which means that the outbound transfer must be necessary.
• Proper notice of details of the outbound transfer having been given to the individual, and informed, unbundled, proper consents (Separate Consents) having been obtained from the individual.
• Data transfer impact assessments having been conducted (records of the assessments need to be kept for at least three years).
• Data transfer agreement having been entered into.
Companies should review their compliance requirements in light of the new data rules and select the mechanisms for cross-border data transfer best suited to their needs.