SMEs may not need to sign the standard contract or conduct the filing at local CAC


On September 28, 2023, the Cyberspace Administration of China (the “CAC”) released a Notice of the Cyberspace Administration of China on Seeking Public Comments on the Provisions on Regulating and Promoting Cross-border Data Flow (Exposure Draft, the “Draft”). This new Draft may hugely release the pain points of the international SMEs in China regarding cross-border data transfer. We summarized the takeaways of the new Draft as follows.


1.    SMEs may not need to sign the standard contract or conduct the filing at local CAC


Based on Art. 6 of the Draft, companies with cross-border transfer of personal information activities do not need to apply for security assessment, conclude a standard contract or pass the certification for personal information protection (the “Mechanism Requirements"), if they will provide abroad personal information of less than 10,000 individuals within one year. Accordingly, it is estimated that many SMEs will not need to conduct the filing procedure at local CAC as regulated in the PRC Measures on the Standard Contract for Outbound Transfer of Personal Information (the “Measures”). 


2.    Companies do not need to assume having important data 


Per Art. 2 of the Draft, companies do not need to apply for security assessment for important data if the data has not been explicitly announced or declared as important data by Chinese authorities. Given that the definition of important data has been unclear in China (e.g., whether the data during operation such as the machine data may fall under the important data), this topic has always been a big concern of international companies as the current legal legislation imposes plenty of obligation on companies with important data. With this Draft, it is a big burden relief for companies as it is an obligation of Chinese governments, instead of the companies, to take the initiative to identify important data. Unless being informed by the government authorities, companies do not need to assume having important data anymore. 


3.    Other exemption situations to Mechanism Requirements


In addition to the situation mentioned above, CAC clarified exemptions situations of cross-border data transfer in the Draft under which companies do not need to fulfill the Mechanism Requirements as follows: 


  • 3 situations regulated in Art. 13 of the Personal Information Protection Law, where the personal data is provided abroad to conclude or perform a contract with an individual such as cross-border shopping, cross-border remittance, air tickets and hotel booking, and visa processing, etc., for the human resources management, or to protect the life, health and property safety of natural persons in an emergency.  
  • Data not included in the negative list made by the Pilot free trade zones. The Draft endows the right for the Pilot free trade zones to make the negative list and upon the approval of the CAC, the data not included in the negative list could be exempted from the obligation of fulfilling the Mechanism Requirements. 
  • Data other than personal information and important data to be provided abroad generated in such activities as international trade, academic cooperation, transnational manufacturing and marketing.
  • Personal data that is not collected or generated within the territory of China. In Art. 3 PIPL, if the personal data is processed in the PRC, it shall be subject to the PIPL. The definition for processing is quite broad including the collection, storage, using and etc. The Draft limits the cross-border transfer situation. 


4.    Conclusion  


In the spirit of the Opinions of the State Council on Further Optimizing the Environment for Foreign Investment and Increasing Efforts to Attract Foreign Investment (the “Opinions”) promulgated by the PRC State Council on July 25, 2023, the newly Draft is surely a reflection to the opinions of international companies to ease the burden especially the SMEs in China. However, there are still some uncertainties to clarify before or even after its formal promulgation.  For examples:


  • When will this Draft be issued? According to the Measures, companies should complete rectification regarding cross-border transfer of personal data within 6 months upon the effective date, i.e., November 30, 2023. Without the effective Draft, companies that do not conduct the filing at local CAC could be deemed as non-compliant.  
  • Will companies still need to issue the personal information protection assessment report aka, the PIA report? Currently the report is drafted based on the template issued by the CAC as part of the filing procedure. It is not clear if the report is still required if there is no requirement on the signing of the standard contract and the filing.
  • Will the contents be changed? 


Regardless of the uncertainties, the Draft is undoubtedly a positive signal for international companies in China and we suggest the international companies should keep in touch with the latest legislation and enforcement development.   


Anyway, we will always keep you updated and please do not hesitate to contact us if you are interested in any of those topics and we are excited to discuss it with you!


Beijing, October 16, 2023