China’s New Regulations for Cross-Border Transfers

Introduction

On March 22, 2024, the Cyberspace Administration of China (CAC) published its new “Regulations on Cross-Border Data Flows.” The regulations aim to ease the often-heavy compliance burden faced by companies with operations in China.

Effective immediately, the regulations loosen constraints on cross-border data transfers by outlining new exemptions from previously mandated transfer mechanisms under China’s Personal Information Protection Law (PIPL) and create higher thresholds for the requirement to undergo a CAC-led security assessment with outbound cross-border transfers. The adoption of these regulations indicates a broader effort by the Chinese government to ensure adequate data privacy protections while also fostering greater foreign investment.

Exemptions from Transfer Mechanisms

Pursuant to the “Regulations on Cross-Border Data Flows,” certain cross-border transfers of data are completely exempted from prior PIPL requirements.

• Employee Data: The transfer of employee data is exempt from all transfer mechanism requirements, regardless of the data’s volume, so long as a company maintains compliance with certain Chinese employment laws and regulations.
• Non-sensitive Personal Information: When an outbound transfer involves the personal information of fewer than 100,000 individuals to overseas entities since January 1st of the current year by noncritical information infrastructure operators, no transfer mechanism requirements apply.
• Emergency Situations: Outbound transfers of personal information when necessary to protect the life, health, and property of natural persons in an emergency situation are exempted.
• Contract Performance: When an outbound transfer of an individual’s personal information is necessary for the performance or execution of a contract involving cross-border shopping, courier services, payments, account openings, ticket bookings, or visa applications, the transfer is exempted so long as the individual is a party to the contract.
• Industry-Specific: Outbound transfers of data collected in China and related to international trade, cross-border transportation, academic collaborations, and cross-border manufacturing/sales are exempted, so long as no important data or personal information is involved.
• Data Generated Outside China: When an outbound transfer involves personal information that is collected and generated outside of China, transmitted to domestic locations inside China for processing, then again transferred outbound, the transfer is exempted. This applies only when no domestic personal information or other important data is introduced during the domestic processing.

Higher Thresholds

Previously, the PIPL set relatively stringent thresholds for the requirement that companies go through a CAC-led security assessment when engaging in cross-border transfers. Pursuant to the new regulations, the transfer of between 100,000 and 1 million individuals’ personal information will still require the filing of Standard Contractual Clauses (SCC) but no longer trigger a security assessment. Additionally, when a transfer involves the sensitive personal information of fewer than 10,000 individuals (calculated from January 1st of the current year), entities must file SCCs, but again do not need to go through a security assessment.

It is important to note that these relaxed threshold requirements only apply to “noncritical information infrastructure handlers.” For entities operating in “critical information infrastructures,” the transfer requirements will remain unchanged. A critical information infrastructure is one that once compromised, may seriously endanger national security, the national economy, people’s livelihoods, and public interests. These infrastructures include industries and fields such as energy, transportation, and national defense.

Closing

Please reach out to our Data Privacy & Cybersecurity team with any questions regarding these changes. For more detailed information on China’s new regulations and whether they will affect you, visit the International Association of Privacy Professionals website.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.