China Finalizes Rules To Ease Data Export Compliance Burden

• Published date: 02 April 2024
• Subject Matter: Corporate/Commercial Law, Government, Public Sector, International Law, Compliance, Inward/ Foreign Investment, Corporate and Company Law, International Trade & Investment
• Law Firm: WilmerHale
• Author: Mr Lester Ross, Kenneth Zhou and Tingting Liu

On March 22, 2024, the Cyberspace Administration of China ("CAC") promulgated the final version of the Provisions on the Promotion and Regulation of Cross-Border Data Flows (the "Final Provisions"),¹ bringing to conclusion the consultative process initiated with the release of the draft version on September 28, 2023.² A discernible shift in nomenclature'from "Regulation and Promotion" to "Promotion and Regulation"'within the Final Provisions signifies, at least nominally, a strategic pivot toward prioritizing the facilitation of international data flows over stringent control and restrictions. This would be consistent with the old and new State Council's 24-article liberalizations.³

Notably, the preface in the Final Provisions states that the CAC formally approved the Provisions on November 28, 2023. The rationale for the subsequent four-month delay in publication remains unclear, despite widespread anticipation since the draft fueled an expectation that the Final Provisions would substantially alleviate the compliance burdens confronting countless enterprises engaged in cross-border data transactions. The promulgation of the Final Provisions appears to coincide strategically with the date of the high-profile China Development Forum, sending a positive signal to multinationals ("MNCs"), CEOs and international investors that China is committed to foster a more hospitable environment to attract foreign investment, as indicated in various policy documents.

The Final Provisions significantly soften the existing data export compliance rules by 1) carving out certain common data export scenarios from all filing requirements; 2) raising the thresholds for triggering filing obligations; 3) narrowing down the scope of Important Data; and 4) establishing a more flexible policy space for exercising negative-list management in free trade zones ("FTZ") where many foreign-invested enterprises are registered.

Compliance Requirements Predate the Final Provisions:

To look back, the current data export security compliance regime is underpinned by three alternative pillars: a (i) mandatory CAC-led data export security assessment when certain thresholds are crossed (initial reviews to be conducted by CACs at the provincial level and final review to be conducted by CAC at central level), (ii) PI standard contract clauses ("SCC") filing with CACs at the provincial level, or (iii) PI protection certification ("PIPC") by third party professional PI protection certification firms...