On 28 September 2023, the Cyberspace Administration of China (CAC) released draft Provisions on Regulating and Facilitating Cross-Border Data Flow (in Chinese) for a public comment period ending on 15 October 2023.1
This regulation could significantly reduce the compliance burden for multinational corporations (MNCs) in data export from China when it becomes effective because it provides some safe harbors. The draft represents a significant step in allowing some routine data exports for daily business operation or internal human resource management and export of small volume but not important data to be exempted from the existing three required mechanisms for any cross-border data transfer from China, i.e., CAC security assessments, China standard contracts, or licensed organizations’ personal information protection certifications.2
Such safe harbors under the draft provisions include:
- Data (other than personal data or important data) generated from international trade, academic cooperation, cross-border manufacturing, and marketing;
- Personal data that is not collected and generated within the territory of China;
- The following specific categories of personal data used in regular business operation and management:
- Personal data used in cross-border shopping, wire transfers, flight and hotel bookings, and visa processing, etc.;
- Employee personal data that is necessary to export under a legally established human resource management policy or a legally concluded collective contract;
- Personal data that is necessary to export to protect people in emergencies;
- Estimated export of the following small volume personal data:
- Personal data of less than 10,000 people within one year;
- Personal data of not less than 10,000 people but less than 1,000,000 within one year (only the CAC security assessments can be waived); and
- Data that is exported from the free trade zones (FTZs) but is not included in the negative lists published by FTZs.
This development is good news to MNCs with operations or businesses in China because it is an endeavor to facilitate the free movement of data from China, as opposed to tightening data exports from China.
1 An unofficial translation of the provisions prepared by US-China Business Council is available here.
2 The guidance on the licensed certification was updated on 16 December 2022.