The broad and vague scope of China’s data export controls has become a critical challenge for international companies that need to share and process their data across different continents. This is particularly the case after the promulgation of the PRC Data Security Law, effective as of September 1, 2021, which stipulates the transmission of important data from China to be subject to prior clearance with the PRC regulators (i.e., the so-called data export security assessment procedures, as clarified by subsequent legislation).
Thus, not only the export of personal information, but also the export of any other business data could potentially trigger PRC data export control procedures requiring either prior approval by or filing with the PRC regulators.
Breakthrough in the air
The business community has been hoping that lawmakers and regulators would take a more business-friendly approach to facilitating cross-border transmission of data. This expectation seemed to have been addressed by the Chinese regulator last year. On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued its draft Rules on the Regulation and Facilitation of Cross-Border Transfer of Personal Information (“September Draft”). The September Draft substantially reduces the burden on a company to conduct data export-related procedures by offering procedural exemptions in the following cases:
(a) data generated or derived from international trade, academic collaboration, cross-border manufacturing arrangements and marketing activities that do not include personal information or important data,
(b) personal information that is not generated or derived from China,
(c) provision of personal information in order to perform contractual obligations, such as cross-border purchases, cross-border money transfers, flight and hotel reservations, and visa applications,
(d) provision of employees’ personal information in accordance with relevant labor laws and regulations and collective contracts for the purpose of personnel management,
(e) in emergencies where it is necessary to protect the life and property of data subjects,
(f) export of up to 10,000 data subjects’ personal information within one year,
(g) data that are not explicitly categorized or notified to be as important data by the authorities.
The above exemptions constitute a sharp U-turn in the regulatory stance and could potentially solve the challenges faced by international companies operating in China and needing to exchange data with head offices outside of China. As a direct result of the September Draft, for example, many companies will no longer have to worry about how to identify and manage important data when transmitting their business data outside of China. Also, many companies will very likely no longer have to undergo the filing procedures for their standard contractual clauses (SCCs) with overseas data recipients.
Since the statutory deadline for the latter was November 30, 2023, the September Draft should have become final and effective by that date in order to make the exemptions meaningful. However, this hope does not come true as the official launch of the September Draft did not take place by the end of November 2023 as expected. In general, this means that companies will still have to follow the currently valid compliance routes (i.e. SCCs filing or export security assessment clearance).
Regional efforts
Hopes then shifted to a potential regional breakthrough. For many years, China has launched various pilot free trade zones (FTZs) and regional schemes to test the waters of various policy liberalizations with different focuses. Facilitating cross-border data transmission has become an area of focus for both business community and policymakers in recent years. While there have been some new efforts, they do not seem to have brought real breakthroughs as expected by the business community.
Below is a brief summary of the relevant highlights of recent regional rules.
(i) Greater Bay Area rules
On December 10, 2023, the CAC promulgated the Implementation Guidelines for Standard Contracts on Cross-Border Transfer of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland China, Hong Kong), which aims to facilitate data transmission between mainland cities in the Greater Bay Area and Hong Kong. Under these guidelines, a simplified SCC filing procedure will apply to the transmission of personal information between the two sides, regardless of the volume of the transmission. However, these guidelines do not go that far because (a) the topic of important data is not addressed at all, which is a trickier topic in daily data practice; and (b) personal information transmitted to Hong Kong under these guidelines may not be further transmitted to other regions. This frustrates the hope of making the Greater Bay Area scheme as a spring board to more easily transmit data outside of China, e.g., to Europe or the US.
(ii) Tianjin FTZ rules
On February 5, 2024, the Tianjin Municipal Bureau of Commerce and the Tianjin Free Trade Zone Administration issued their Standard Specifications for Classification and Grading of Enterprise Data in the China (Tianjin) Pilot Free Trade Zone, which addresses a very practical topic, i.e. data classification and the scope of sensitive data to be regulated like important data. These specifications apply to companies within the Tianjin FTZ and provide a more detailed list of data that shall qualify as important data.
Irrespective of the details provided, the description of the scope of important data remains vague and may even lead to further confusion. For example, high-value R&D data relating to industrial competitiveness and security, supply chain data concerning national security are defined as important data. Thus, from a practical point of view, these specifications do not really move things forward.
(iii) Shanghai FTZ rules
The China (Shanghai) Lingang Pilot Free Trade Zone Administration issued its draft Management Measures for Classification and Grading of Cross-border Data Transfer in the Lingang Special Area (“SH Measures”) on February 8, 2024 for trial implementation for one year ending February 7, 2025. As part of the overall opening-up plan for the Shanghai FTZ issued a few days earlier, the SH Measures, among various sections addressing data sharing and facilitation of cross-border transmission, state that the Lingang FTZ shall formulate a list of important data to facilitate the management of data export. Although this list is indispensable for companies to practically benefit from any envisaged data export facilitation, it is still in progress at the time of writing, which means that the real breakthrough is yet to come.
The outlook
Although there have been various positive signs of light at the end of the tunnel, there are unfortunately still no rules on facilitating data export that are implementable and could really benefit most international companies. Not surprisingly, authorities at the national level tend to take a more cautious approach in order to balance national security concerns, which always have a much higher priority.
We believe that more hope could be placed on local rules, as “regional piloting and breakthrough” has always been a pragmatic approach taken by China since its opening up in the late 1980s. Among the currently available local (piloting) rules, we believe that the SH Measures will be the most promising, based on the following considerations:
(a) The Yangtze River Delta is the most preferred location for foreign investment, particularly in manufacturing and banking. Shanghai has a strong desire and support from Beijing to make itself business-friendly to the outside world, where easier data cross-border transmission is a must. In this context, the SH Measures explicitly mention automobile, banking, shipping and life science as the key industries where data export demands should be satisfied with priority.
(b) Different from the rules at the national level or in other locations, where the list of important data is to be drawn up by various industry watchdogs, the Shanghai Lingang FTZ Administration is tasked under the SH Measures to formulate such a list for its FTZ. This single agency task will be much more efficient compared with cross-departmental initiatives.
(c) Interestingly, the SH Measures stipulate that they are not only applicable to companies incorporated within the Lingang FTZ. Companies carrying out cross-border data transmission within the Lingang FTZ, regardless of their place of registration, will also be blessed by these measures. This seems to imply a possibility of structuring one’s data flow via the Lingang FTZ, which may further facilitate its data export to data recipients outside of China.
(d) Article 15 of the SH Measures seems to indicate the intention of the Lingang FTZ Administration to offer a “safe harbor” mechanism where digitalized facilitation may be introduced to allow easier data export by companies upon filing such export with the Lingang FTZ Administration.
Certainly, all of the above is based on our analysis of the current SH Measures, which will be further substantiated by more detailed rules and data lists. It is recommendable to stay in touch with our experts, who are keeping a close eye on the latest development and working closely with the various associations and regulators to provide companies with a practical and actionable solution to facilitate cross-border data transmission.
The European view
Data transfers have been a major issue under the GDPR for many years. At the latest since the Schrems II ruling by the ECJ, the transfer of personal data to China has been difficult. Unlike for other Asian countries such as Japan or Korea, there is no adequacy decision by the EU Commission that would allow data to be transferred to China without additional protective measures. Solutions such as the Data Privacy Framework for the USA are not in sight. This leaves only the known transfer mechanisms for data transfer to China, such as the EU Transfer Standard Contractual Clauses (“EU Transfer SCC”; Art. 47 GDPR) or the exemptions pursuant to Art. 49 GDPR, which are, however, interpreted narrowly and often do not represent a suitable solution.
In one practically relevant case - the transfer of employee data of European employees to HQs in China - there have recently been signs of a more liberal approach by the supervisory authorities. Depending on the case, a limited transfer of employee data to Chinese HQs is considered possible if this data is (or has to be) processed in China for the purposes of central HR management. However, the legal situation remains unclear. The (parallel) conclusion of EU Transfer SCCs, the implementation of a Transfer Impact Assessment (TIA) and measures such as encryption, pseudonymization or (where possible) anonymization remain standard measures that must be considered to flank data transfers and reduce risks for objections and sanctions, as the adequacy of the Chinese level of data protection continues to be viewed critically.
European companies will take note of the current developments in China with great interest, as they point to certain simplifications in international data transfers in the future. Any simplification is welcome in order to reduce the constantly growing complexity of global data protection management, particularly in international corporate groups. Whether the Chinese Data Transfer Rules will serve as the new “gold standard” for global data protection management systems, remains to be seen.
