Top of page

Article China: New Rules on Cross-Border Data Transfers Released

On March 22, 2024, the Cybersecurity Administration of China (CAC) released the Provisions on Facilitating and Regulating Cross-Border Data Flow. Effective immediately, the new provisions ease the requirements for outbound cross-border data transfers provided by previous CAC rules, especially the Measures of Security Assessment for Outbound Data Transfer issued on July 7, 2022 (2022 Measures) and the Measures for the Standard Contract for Outbound Transfer of Personal Information issued on February 22, 2023 (2023 Measures).

The 2022 Measures require a mandatory CAC data security assessment for transferring out of China any “important data” or personal information under specified circumstances. (2022 Measures art. 4.) The 2023 measures prescribe circumstances under which a Standard Contract for Outbound Transfer of Personal Information (Standard Contract) must be concluded. (2023 Measures art. 4.)

Important Data

The 2022 Measures broadly define the term “important data” as “any data that, once tampered with, damaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety.” (2022 Measures art. 19.)

While reiterating the obligations of data processors in identifying and declaring important data pursuant to relevant regulations, the new provisions provide that if any data is not announced or published by the authorities as important data, data processors are not required to apply for the security assessment for such data. (Provisions art. 2.)

Exempted Data Transfers

Under the new provisions, outbound cross-border transfers of personal information (excluding important data) under the following circumstances are exempted from the requirements of data security assessment, Standard Contract, or personal information protection certification:

    • Transferring personal information for the purpose of concluding or performing a contract to which the individual is a party, such as a contract for cross-border shopping, shipping, payment, air ticket and hotel reservations, a visa application, or examination services.
    • Transferring personal information of employees for the purpose of cross-border human resources management.
    • Transferring personal information in an emergency for the purpose of protecting the life, health, and property safety of a natural person.
    • A data processor other than a critical information infrastructure operator (CIIO) transferring personal information of less than 100,000 individuals (excluding sensitive personal information) in a calendar year. (Id. art. 5.)

The new provisions also expressly exempt data that are collected and generated during international trade, cross-border transportation, academic cooperation, and transnational production, manufacturing, and marketing activities, if such data do not include personal information or important data. (Id. art. 3) Personal information collected and generated outside of China that had been transferred to and processed in China is also exempted, provided that no personal information or important data from the territory of China was introduced in the course the processing. (Id. art. 4.)

 Non-Exempted Data Transfers

The provisions set out thresholds that will trigger the requirements of the CAC data security assessment, Standard Contract, and personal information protection certification, where the data to be transferred do not qualify any of the exemptions prescribed by the new provisions.

For non-exempted data transfers, the CAC data security assessment is required if a CIIO transfers overseas any personal information or important data overseas. For data processors other than a CIIO, if they transfer overseas any important data, or the personal information of more than one million individuals (excluding sensitive personal information) or the sensitive personal information of more than 10,000 individuals on a cumulative basis in a calendar year, the CAC data security assessment is required. (Id. art. 7.)

The Standard Contract or personal information protection certification is required if a data processor other than a CIIO transfers overseas the personal information of more than 100,000 but less than one million individuals (excluding sensitive personal information) or the sensitive personal information of less than 10,000 individuals on a cumulative basis in a calendar year. (Id. art. 8.)

Free Trade Zones (FTZs)

China’s pilot FTZs are authorized by the new provisions to create their own lists of data that require data security assessment, conclusion of the standard contract, or the personal information protection certification (“negative list”). A data processor located in the FTZ is exempted from these requirements when transferring data that is not on the FTZ’s negative list. (Id. art. 6.)

Laney Zhang, Law Library of Congress
May 14, 2024

Read more Global Legal Monitor articles.

 

About this Item

Title

  • China: New Rules on Cross-Border Data Transfers Released

Online Format

  • web page

Rights & Access

Publications of the Library of Congress are works of the United States Government as defined in the United States Code 17 U.S.C. §105 and therefore are not subject to copyright and are free to use and reuse.  The Library of Congress has no objection to the international use and reuse of Library U.S. Government works on loc.gov. These works are also available for worldwide use and reuse under CC0 1.0 Universal. 

More about Copyright and other Restrictions.

For guidance about compiling full citations consult Citing Primary Sources.

Credit Line: Law Library of Congress

Cite This Item

Citations are generated automatically from bibliographic data as a convenience, and may not be complete or accurate.

Chicago citation style:

Zhang, Laney. China: New Rules on Cross-Border Data Transfers Released. 2024. Web Page. https://www.loc.gov/item/global-legal-monitor/2024-05-13/china-new-rules-on-cross-border-data-transfers-released/.

APA citation style:

Zhang, L. (2024) China: New Rules on Cross-Border Data Transfers Released. [Web Page] Retrieved from the Library of Congress, https://www.loc.gov/item/global-legal-monitor/2024-05-13/china-new-rules-on-cross-border-data-transfers-released/.

MLA citation style:

Zhang, Laney. China: New Rules on Cross-Border Data Transfers Released. 2024. Web Page. Retrieved from the Library of Congress, <www.loc.gov/item/global-legal-monitor/2024-05-13/china-new-rules-on-cross-border-data-transfers-released/>.