New Chinese Rules Relax Compliance on Data Export
By Maarten Roos and Chloe Liu
In September last year, the Cybersecurity Administration of China (CAC) issued draft rules that proposed to exempt many companies from burdensome filing requirements with regard to the export of personal information. Last Friday, the CAC finally published the Provisions on Promoting and Regulating Cross-border Data Flow, which became effective immediately.
The Provisions deal with a number of topics, including the export of general data: security assessments for the export of important data are only required if relevant departments or regions have determined such data as important data. Moreover, CAC filings and security assessments are not required for non-personal data collected and generated in international trade, cross-border transport, academic cooperation, transactional manufacturing and marketing.
The biggest impact of the Provisions relates to new thresholds for CAC filing and CAC security assessments. Certain data export activities are now exempted from CAC filing, CAC Security Assessment and Certification. This includes cases where the data export is:
- for the purpose of concluding and performing a contract with an individual, such as air ticket/hotel reservation, shopping and delivery.
- for the purpose of conducting HR management in accordance with the employment rules, regulations, and the applicable law.
The Provisions also set new thresholds with regard to filing requirements depending on the number of data subjects whose personal information is exported:

| From 1 January of the given year | Procedure |
| --- | --- |
| Accumulatively export personal data of less than 100,000 people (excluding sensitive personal data). | Exemption |
| Accumulatively export personal data of more than 100,000 people, but less than 1 million people (excluding sensitive personal data). | SCC filing |
| Accumulatively export sensitive personal data of less than 10,000 people (excluding HR data). | SCC filing |
| Accumulatively export personal data of more than 1 million people. | Data Security Assessment |
| Accumulatively export sensitive personal data of more than 10,000 people. | Data Security Assessment |

The above thresholds do not apply to Critical Information Infrastructure Operators (CIIO), which are subject to other standards.
Finally, even if no filing is required, all companies that export personal information must still complete a Privacy Impact Assessment (as per the Personal Information Protection Law, PIPL), and obtain separate consent from data subjects.
R&P’s data privacy team supports international clients on compliance with China’s extensive framework on data privacy. For more information on how the new Provisions will impact your business, please contact the authors, or your usual contact at R&P.