China unveils new regulations to streamline cross-border data transfer assessment
Published: Mar 23, 2024 01:13 AM
data security File photo

File photo

China has introduced new regulations aimed at refining its data security assessment standards for cross-border data transfers, the Cyberspace Administration of China (CAC) announced on Friday. These new rules specify the conditions under which data exports do not require a security assessment, and a negative list mechanism for free trade zones (FTZs).

The regulations outline exemptions for data that does not need to be declared for cross-border transfer assessments and establishes a negative list mechanism within FTZs. FTZs are now permitted to draft their negative lists, and data not included on these lists can be transferred internationally without declaration, marking the latest effort to improve the business environment for foreign investors.

Cross-border data flows have become fundamental to the global exchange and sharing of resources such as capital, information, technology, talent, and goods. A CAC spokesperson also highlighted the regulations' intent to promote lawful, orderly, and free data movement.

The new rules are aimed at unlocking the value of data as a factor of production and expanding the level of high-quality openness. The regulations optimize existing systems for cross-border data transfer, including safety assessments, standards for personal information transfer contracts, and certification for personal information protection.

The new regulations have clarified the criteria for cross-border data activities that are exempt from declaration, which includes data collected or generated during international trade, cross-border transport, academic cooperation, transnational production, and marketing activities that do not involve personal information or critical data.

Personal information collected and provided overseas and processed in China that does not involve domestic personal or critical data is also exempted from declaration. Additionally, some situations involving contracts, labor regulations, emergency situations, and operators of non-critical information infrastructure who provide no more than 100,000 non-sensitive personal information records abroad within a year are free from declaration.

The regulations also allow FTZs to draft their own negative lists within the national data classification and protection framework. Upon approval from provincial cybersecurity and information committees and filing with national management departments, data processors within FTZs can transfer data not included on these negative lists overseas without the need for security assessment declarations or certification.

The regulations also specify the conditions under which data transfers do require a security assessment, focusing on critical information infrastructure operators and data processors that provide significant data or personal information of more than 1 million individuals or sensitive personal information of more than 10,000 individuals.

The regulations also clarify the conditions for establishing standard contracts for personal information transfer abroad or for obtaining personal information protection certification, which is aimed at non-critical information infrastructure operators who transfer personal information of more than 100,000 but less than 1 million individuals or sensitive personal information of less than 10,000 individuals.

Also, the regulations address the validity and extension of data transfer security assessments, data security protection obligations, supervisory responsibilities, and integration with other data transfer security management provisions, marking a significant step in China's efforts to manage the complexities of data security in the era of digitalization.