China Eases Regulation Of Outbound Data Flow Fact Sheet On The Provisions To Promote And Regulate Cross-Border Data Flow

• Published date: 02 April 2024
• Subject Matter: International Law, Privacy, Technology, Data Protection, International Trade & Investment, Security
• Law Firm: Global Law Office
• Author: Global Law Office

On March 22, 2024, the Cyberspace Administration of China ("CAC"), China's data protection regulator, released the finalized Provisions on Regulating and Promoting Cross-Border Data Flows ("Provisions"). To everyone's surprise, the long-awaited Provisions were actually approved by the CAC on November 28th, 2023. The Provisions take effect immediately upon issuance. Coincidentally, the China Development Forum will be held in Beijing on March 24 and 25, 2024 and will be attended by more than 800 CEOs of global industry giants.

Regulatory Mechanism

The Provisions does not change the existing regulatory mechanism of outbound data transfer. That is, data processors outbound transferring data should apply for the CAC's security assessment ("Security Assessment"), or file for record with the provincial office of the CAC the Chinese standard contractual clauses they sign with the foreign data recipients ("CN SCC Filing"), or obtain the personal information protection certification("Certification"). Comparing with the threshold prior to the Provisions, the Provisions sets it higher, which will reduce the administrative procedural burden of the MNC data processors in outbound transferring data and personal information.

Along with the publication of the Provisions, the CAC simultaneously released the updated guidelines for the Security Assessment and the CN SCC Filing pursuant to the Provisions and is offering some apparent convenience to help data processors navigate the regulatory mechanism. For example, the CAC is launching online the Data Outbound Transfer Reporting System at https://sjcj.cac.gov.cn. Data processors applying to Security Assessment and CN SCC Filing can now submit their applications online. Data processors applying for Certification can go to the Personal Information Protection Certification Administration System at https://data.isccc.gov.cn. However, the CAC will maintain the offline submission channels at its provincial offices for submissions by the Critical Information Infrastructure Operators ("CIIOs") or by other applicants for whom the online submission is not appropriate. It remains to be seen which applicants will fall into this category.

In addition, the CAC also announces the inquiry channels for the regulatory mechanism. At the central authority level, for Security Assessment, the consultation hotline is (8610) 5562 7135 and the inquiry email address is sjcj@cac.gov.cn; for CN SCC Filing, the consultation hotline (8610) 5562 7565 and the inquiry email address bzht@cac.gov.cn; for Certification, (8610) 8226 1100 and data@isccc.gov.cn. Provincial channels will remain in place. The same inquiry channels will also take whistleblower reports. Since release of the draft of the Provisions, there were difficulties getting responses from the query channels. It would be nice if...