The Practical Impact of China's New Data Export Rules on Overseas Data Transfer

April 05, 2024 | BY

Susan Mok

Casper Sek of Jingtian & Gongcheng examines in detail the long-awaited final version of important new provisions governing the cross-border transfer of data

Summary


|
  • Handlers of personal information face a number of regulatory and business challenges
  • Following a long development period, new provisions have been issued which relax restrictions on overseas data transfer where national security issues are not involved
  • Companies will be able to avoid certain onerous processes in many cases
  • However, where special personal information is involved, data transfer remains tightly controlled

After keeping the market waiting for nearly half a year, the Cyberspace Administration of China ("CAC") unveiled the Provisions for Facilitating and Regulating the Cross-Border Flow of Data (促进和规范数据跨境流动规定) (the "Provisions") on the evening of March 22, 2024. At the same time, the CAC also released the Guidelines for Filing for Security Assessments of Overseas1 Transfers of Data (Second Edition) (数据出境安全评估申报指南 (第二版) and the Guidelines for the Record Filing of Standard Contracts for the Overseas Transfer of Personal Information (Second Edition) (个人信息出境标准合同备案指南 (第二版) (together the "Updated Guidelines"). The promulgation of the Provisions reflects the CAC's recognition of a series of regulatory challenges and business difficulties faced by data/personal information ("PI") handlers. These have been brought about by the existing legal management regime of overseas data transfer, and the optimization and reshaping of the existing mechanisms of overseas data transfer, namely Data Export Security Assessment, Standard Contract for the Overseas Transfer of PI, and PI Protection Certification (collectively the "Data Export Mechanisms"). That optimization has taken place without changing the regulatory framework for cross-border data transfer established by the three major laws in this area, namely the Cybersecurity Law (中华人民共和国网络安全法), the Data Security Law (中华人民共和国数据安全法), and the Personal Information Protection Law (中华人民共和国个人信息保护法("PIPL") (collectively the "Three Major laws"). The Provisions relax the restrictions on overseas data transfer to facilitate routine overseas data transfer that is not related to national security in the daily operations of the companies by exempting and alleviating certain compliance obligations and burdens of data handlers.

1 . Key Changes Brought about by the Provisions

This premium content is reserved for
China Law & Practice Subscribers.

  • A database of over 3,000 essential documents including key PRC legislation translated into English
  • A choice of newsletters to alert you to changes affecting your business including sector specific updates
  • Premium access to the mobile optimized site for timely analysis that guides you through China's ever-changing business environment
For enterprise-wide or corporate enquiries, please contact our experienced Sales Professionals at +44 (0)203 868 7546 or [email protected]