On March 22, 2024, China issued a decree on the development and regulation adjustments of cross-border data flows. This is a significant legal document guiding the regulation and establishment of information and personal data protection when processed or transferred across borders in China.
In the global digital economy, cross-border data movement is crucial, driving innovation, international cooperation, and global development.
However, to ensure national security, social stability, public interests, and domestic economic development, many countries and territories are considering establishing specialized legal systems to appropriately restrict the flow of cross-border data.
In China, since the implementation of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, this national government has continuously explored and tested controlled models in the field of cross-border data transfer through the trial implementation of various regulations and rules.
Finally, on the eve of the 2024 China Development Forum, the Chinese government issued a decree on the development and adjustment of cross-border data processing, internalizing many international standards and global trends.
These regulations are designed to assess the security of cross-border data transmission, standardize contracts for transmitting personal data abroad, certify the protection of personal data, and related systems for transmitting data outside China.
Main content of the decree on the development and adjustment of cross-border data processing
Assessment of the security of transferred data
In order to eliminate barriers to the cross-border transfer of personal data in daily international issues and streamline global personnel management for multinational companies, the decree on the development and adjustment of cross-border data processing has detailed provisions on the requirement for data processors transferring data outside China to register for an outbound data transfer security assessment.
This assessment is an important legal document necessary for data processors to be authorized to transfer cross-border data to organizations outside China.
Article 5 of the decree also stipulates some cases where data processors do not need to register an assessment of the security of transferred data, including:
- Processing of personal data necessary for signing and executing contracts including cross-border procurement, delivery, money transfer, payment, account opening, flight and travel booking, visa processing, etc.
- Processing of personal data for cross-border personnel management according to labor regulations or collective labor contracts.
- Processing of personal data in emergency situations to protect the life, health, and property of individuals.
- The transfer of non-sensitive personal data (basic personal data) does not exceed 100,000 individuals from January 1 of that year.
The validity of the cross-border data transfer security assessment results is 3 years from the date of issuance of the assessment results.
If the data processor needs to continue transmitting data outside China and does not need to re-register a new assessment of the safety of transmitting data abroad upon expiration, they can submit an application for extension of the validity of the assessment results to the provincial-level Cyberspace Administration of China 60 working days before the expiration date of the assessment.
With the approval of the national cyberspace administration, the validity period of the assessment results may be extended for an additional 3 years.
Implementing standard contracts for transferring personal data abroad
For non-sensitive personal data, China has eased the restrictions compared to previous regulations. Specifically, the transfer of basic personal data across borders for over 100,000 and under 1 million individuals will require the implementation of a standard contract for transferring personal data abroad with the recipient in foreign countries or obtaining certification for personal data protection.
For sensitive personal data, the requirement for establishing contracts is under 10,000 individuals. This provision also applies to the requirement for an assessment of safety when transferring data across borders. In some cases, signing standard contracts for transferring personal data abroad will not be required:
- When data transmission abroad aims to collect and generate data in activities such as international trade, cross-border transportation, academic cooperation, cross-national production and manufacturing, and marketing.
- Personal data collected and generated abroad by data processors, then transferred to domestic locations for processing before being sent abroad, and not related to transferring domestic personal data or important data during processing.
- The transfer of personal data abroad falls under the cases specified in Article 5 of the decree (including the 4 cases analyzed above that do not require registering an assessment of the security of transferred data).
- Within the framework of classifying national data types, the type of data transferred across borders is not on the list of prohibited transfers by Free Trade Zones.
Conclusion
The decree and related guidelines have also added provisions for data processors to assess the security and safety of cross-border data transmission themselves.
Specifically, Article 11 of the decree stipulates that when data processors transfer data out of China, they must comply with laws and regulations, fulfill data security obligations, apply technical measures, and other necessary measures to ensure the safety of data transmission abroad.
In case of incidents or data security breaches, data processors must take corrective measures and promptly report to the provincial-level cyberspace administration and other relevant management agencies.
Furthermore, Article 12 stipulates that when data processors transfer data out of China, they must comply with laws and regulations, fulfill data security obligations, apply technical measures, and other necessary measures to ensure the safety of data transmission abroad.
In case of incidents or potential data security breaches, corrective measures must be taken and promptly reported to the provincial-level cyberspace administration and other relevant management agencies.
These are important regulations requiring data processors to have higher responsibilities for the personal data of customers or Chinese citizens.
With these provisions, China will have a tighter legal basis to control and monitor the activities of Chinese enterprises and punish misconduct, contributing to building a national image of high safety, security, and reliability. This move is also seen as part of a campaign to reverse the image of advanced, highly secure technology in Western countries through data breaches over the past decade to China.
In essence, the decree mainly regulates contents related to basic personal data while maintaining the integrity of important data and sensitive personal data (Vietnam’s Decree No. 13/2023/NĐ-CP only regulates basic personal data, sensitive personal data without regulations on important data).
China’s new regulations have significantly reduced control over the cross-border transfer of non-sensitive information. It’s worth noting that this is a global trend as many other developed countries have also simplified and facilitated the transfer of basic personal data, or classified as non-sensitive personal data, non-critical personal data, etc., according to their laws.
This is a consistent move with China’s commitment to high openness, integration, and efforts to attract and utilize foreign investment capital.
In 2023, Vietnam issued Decree No. 13/2023/NĐ-CP on personal data protection, effective from July 1, 2023. This is Vietnam’s first legal document regulating how to collect, transfer data abroad, store, and process personal data in Vietnam.
ASL Law is a leading full-service and independent Vietnamese law firm made up of experienced and talented lawyers. ASL Law is ranked as the top tier Law Firm in Vietnam by Legal500, Asia Law, WTR, and Asia Business Law Journal. Based in both Hanoi and Ho Chi Minh City in Vietnam, the firm’s main purpose is to provide the most practical, efficient and lawful advice to its domestic and international clients. If we can be of assistance, please email to [email protected].
ASL LAW is the top-tier Vietnam law firm for in-depth legal advice in Vietnam and internationally. If you need any advice, please contact us for further information or collaboration.