China enacts “New Regulations on Cross-Border Data Transfer”

In today’s digital age, cross-border data transfer plays a crucial role in the growth of multinational companies. China has recently enhanced its approach to data governance with the introduction of laws such as “the Cybersecurity Law,” ”the Data Security Law,” and “the Personal Information Protection Law.” These laws establish a solid foundation for data security and privacy. 

Following these laws, the “Regulations on Promoting and Regulating the Cross-Border Transfer of Data” (referred to as “the new regulations”), implemented on March 22, 2024, aim to provide clearer guidelines for safely transferring data internationally. These regulations seek to balance data accessibility with its security and privacy, creating a more supportive environment for multinational corporations in China. This article examines these changes, their impact on enterprises, and outlines necessary compliance actions.

Understanding the classification of data is essential for navigating the new regulations. Here’s a breakdown of key data types:

• Non-sensitive personal information: This includes basic info such as names and email addresses.

• Sensitive personal information: This covers data that could impact personal privacy or financial safety, like passport numbers or health records, where leakage could harm individuals.

• Critical data: This relates to information vital to national security and public welfare. Identification of such data should align with specific national and industry guidelines.

• Other data: This encompasses all data not categorized as personal or critical.

Main Changes and Impact

Exemption clarifications

The new regulations specify exemptions for declaring certain data in international trade and transportation activities. If the data does not contain personal or critical information, it is exempt from cross-border transfer assessments (Articles 3 and 4). This significantly reduces the compliance burden for enterprises engaged in international data transfers.

Threshold adjustments for outbound personal data

Adjustments have been made to the thresholds for assessing and filing outbound transfers of personal and sensitive personal information (Articles 7 and 8). Enterprises are now required to undergo security assessments or obtain personal information protection certification only when transferring large volumes of such data.

Critical data outbound declaration adjustment

Enterprises are not required to declare data as critical for outbound security assessments if it has not been explicitly identified or publicly categorized as such (Article 2), easing the process of identifying and declaring critical data.

Compliance requirements for cross-border data transfer

To clarify the new regulations’ specific requirements, the table below summarizes the compliance responsibilities for different data handlers, potential measures triggered by cross-border data transfers, and applicable exemptions. This guide aims to provide a clear roadmap for enterprises to follow China’s data protection laws while facilitating international data exchanges.

Actions Required

Immediate actions

• Reassess data classification and transfer processes: Enterprises should promptly review their data handling and transfer procedures, especially those that might qualify for exemptions.

• Identify and declare critical data: Following the new regulations, enterprises must classify their data, particularly identifying critical data, and declare accordingly.

Long-term strategies

• Establish cross-border data transfer assessment mechanisms: Enterprises should create mechanisms to assess the security of data being transferred internationally, ensuring compliance with the new regulations.

• Monitor specific regulations in Free Trade Zones: Enterprises within Free Trade Zones should closely observe regulations regarding data transfers not listed on the negative list (Article 6), adjusting their strategies according to the specific zone regulations.

At Wiredcraft, we’re always ahead, ensuring our data practices align with the most current regulations, including China’s updates. Trust in our commitment to safeguard your information with utmost care and transparency.