With China’s relaxation of cross-border data transfer requirements still in draft form – how should MNCs in China approach their data exports?
China recently released a set of draft rules which purport to relax some of the burdensome requirements on data exports. Amidst a yearslong tightening of data security laws and an anti-espionage campaign over the summer, the move was widely welcomed by foreign businesses as a signal that regulators were willing to temper national security objectives with the need to support economic growth. With the rules still in draft form, we explain their significance and how companies should respond until they are finalised and effective.
What are the key changes proposed in the draft rules?
On 28th September 2023, the Cyberspace Administration of China released the draft version of the Provisions on Regulating and Promoting Cross-Border Data Flows for public comment. They establish exemptions for a number of key data export activities, as well as adjust the thresholds by which the three main mechanisms for cross-border data transfer (government assessment, standard contract and certification) become mandatory.
Among other proposals, the following data export activities are exempted from the cross-border data transfer mechanisms:
What this means for data exports from China?
A significant number of foreign companies will benefit from reduced compliance burdens, particularly those operating in B2B industries with smaller amounts of personal information. The exemptions covering employee data and contract performance reflect a recognition that certain cross-border business activities present a relatively low risk to national security. Notably, the draft rules maintain that “important data” must undergo a security assessment before being provided abroad, but only where it has been expressly identified by the relevant authorities as such.
Furthermore, whereas previous rules mandated regulators to determine whether data exports were truly “necessary”, the draft rules suggest that companies are to make this determination for themselves. This important change in wording reflects a regulatory shift from ex ante supervision (i.e. mandatory government approval before data export) towards ex post scrutiny (i.e. permitting some data flows subject to continued scrutiny). This should help to relieve administrative burdens on both the regulators and the wider business community.
How should MNCs respond in the interim?
Though it was anticipated that the draft rules would become effective before November 30 2023 (the deadline of the grace period for data exporters to file their standard contract with the authorities where the original thresholds have been triggered), they have yet to be finalised at the time of writing. Nonetheless, we expect the final version to be released in the coming months which retains many of the draft’s key features.
In the meantime, companies should closely assess their position under the draft rules’ proposed thresholds and exemptions. This includes estimating the volume of data likely to be transferred overseas within the one-year timeframe. Furthermore, implications may vary based on the current progress of a company’s existing government assessments or standard contract filings, for example:
Lastly, it is worth underlining the remaining requirements for cross-border data transfer that companies will still need to adhere to after the draft rules come into force, including:
Overall, the draft rules represent a positive development in China’s data governance regime. Restrictions on cross-border data transfer have long been a cause for concern for MNCs operating in China. By reducing the compliance burden and permitting a wider range of cross-border data flows, this will provide a significant boost to foreign investment in China.
Looking forward, the draft rules also authorise China’s free trade zones to develop their own “white lists” for data exports that are exempt from the cross-border data transfer mechanisms. This could see the incremental growth of permitted categories of data to be exported with ease from China’s free trade zones, which may eventually be adopted on a regional or national level.
As ever, it remains important to keep abreast of regulatory and policy developments in this fast-moving space, as well as to ensure that existing data compliance protocols are fit for purpose.
Please feel free to reach out to us if you would like to discuss the impact of China’s data compliance requirements on your company.
This is a joint publication from Rouse and our strategic partner Lusheng.
Rouse’s global Digital & Commercial Services line supports brand and technology companies to navigate the evolving digital landscape and deliver commercial objectives. Our business-driven advice enables clients to effectively manage IP, legal and regulatory risks to successfully deliver their next round of innovation.