Notice of the Cyberspace Administration of China on Seeking Public Comments on the Provisions on Regulating and Promoting Cross-border Data Flow (Exposure Draft)

By Yoni Hao. Last Updated on Oct 9, 2023

Promulgation Authorities: Cyberspace Administration of China

Release Date: 2023-09-28

Source: http://www.cac.gov.cn/2023-09/28/c_1697558914242877.htm

Original Title: 国家互联网信息办公室关于《规范和促进数据跨境流动规定(征求意见稿)》公开征求意见的通知

Notice of the Cyberspace Administration of China on Seeking Public Comments on the Provisions on Regulating and Promoting Cross-border Data Flow (Exposure Draft)

In order to ensure the security of national data, protect personal information rights and interests, and further regulate and promote the orderly and free flow of data in accordance with the law, we have drafted the Provisions on Regulating and Promoting Cross-border Data Flow (Exposure Draft) in accordance with the relevant laws, for which public comments are hereby sought. The public may give feedback through the following channels and ways:

1. Send comments by logging in to the China Government Legislative Information Network of the Ministry of Justice of the People’s Republic of China (www.moj.gov.cn, www.chinalaw.gov.cn) and clicking the “Comments Sought on the Legislation” column on the main menu bar of the homepage.

2. Send comments by e-mail to: shujuju@cac.gov.cn.

3. Send comments by correspondence to: No.15 Fucheng Road, Haidian District, Beijing, Cyber-data Administration under the Cyberspace Administration of China, postal code: 100048, with “Comments Sought on the Provisions on Regulating and Promoting Cross-border Data Flow” indicated on the envelope.

The period for feedback will end on October 15, 2023.

Annex: Provisions on Regulating and Promoting Cross-border Data Flow (Exposure Draft)

Cyberspace Administration of China

September 28, 2023

Provisions on Regulating and Promoting Cross-border Data Flow

(Exposure Draft)

In order to ensure the security of national data, protect personal information rights and interests, and further regulate and promote the orderly and free flow of data in accordance with the law, the following rules on the implementation of the provisions on data provision abroad, such as the Security Assessment Measures for Data Provision Abroad and the Measures on Standard Contracts for Provision of Personal Information Abroad, are enacted in accordance with the relevant laws as follows:

I. For the data to be provided abroad generated in such activities as international trade, academic cooperation, transnational manufacturing and marketing, if it does not contain personal information or important data, it is not required to apply for security assessment for data to be provided abroad, to conclude a standard contract for personal information to be provided abroad or to pass the certification for personal information protection.

II. Where data have not been notified by the relevant departments or regions as important data, or have not been publicly announced as important data, the data handler is not required to apply for security assessment for the data to be provided abroad as important data.

III. Where the personal information that is not collected or generated within the territory of China is provided abroad, it is not required to apply for security assessment for data to be provided abroad, to conclude a standard contract for personal information to be provided abroad or to pass the certification for personal information protection.

IV. Under any of the following circumstances, it is not required to apply for security assessment for data to be provided abroad, to conclude a standard contract for personal information to be provided abroad or to pass the certification for personal information protection:

1. where the personal information must be provided abroad, as it is necessary for the conclusion and performance of a contract to which the individual is a party, such as cross-border shopping, cross-border remittance, air tickets and hotel booking, and visa processing, etc.;

2. where it is necessary to provide abroad the personal information of internal employees for human resources management in accordance with the labor regulations and rules formulated in accordance with the law and collective contracts concluded in accordance with the law; and

3. where personal information has to be provided overseas in order to protect the life, health and property safety of natural persons in an emergency.

V. In the event that it is estimated to provide abroad personal information of less than 10,000 individuals within one year, it is not required to apply for security assessment for the data to be provided abroad, to conclude a standard contract for outbound provision of personal information or to pass the certification for personal information protection. However, if such information is to be provided abroad based on the consent of such individuals, the consent from the personal information subjects shall be obtained.

VI. In the event that it is estimated to provide abroad the personal information of more than 10,000 but less than one million individuals within one year, and the handler has concluded with an overseas recipient a standard contract for the provision of personal information abroad which is filed for the record with the cyberspace administration at the provincial level or has passed the certification for personal information protection, the handler is not required to apply for security assessment for the data to be provided abroad. Where it is expected to provide abroad the personal information of more than one million individuals, the handler shall apply for security assessment for the data to be provided abroad. However, if such information is to be provided to overseas parties based on the consent of such individuals, the consent from the personal information subjects shall be obtained.

VII. Pilot free trade zones may, on their own, formulate lists of data that need to be included in the scope of administration of security assessment for the data to be provided abroad, standard contracts for outbound provision of personal information and certification for personal information protection (hereinafter referred to as the “negative list” in short), which shall be filed with the Cyberspace Administration of China for the record after being approved by the cybersecurity and information technology commission concerned at the provincial level.

For the data not included in the negative list, the handler concerned is not required to apply for security assessment for the data to be provided abroad, to conclude a standard contract for personal information to be provided abroad or to pass the certification for personal information protection.

VIII. The provision of personal information and important data abroad by state organs and operators of critical information infrastructure shall be subject to relevant laws, administrative regulations and departmental rules.

The provision of sensitive information of the Party, the government, the army and secret-related entities and sensitive personal information abroad shall be subject to relevant laws, administrative regulations and departmental rules.

IX. When providing abroad important data and personal information, data handlers shall abide by the provisions of laws and administrative regulations, fulfill data security protection obligations, and ensure the security of data provision abroad; in the event of a security incident involving data provision abroad or upon discovery of increased security risks of data provision abroad, remedial measures shall be taken, and a timely report shall be made to the cyberspace administration concerned.

X. Local cyberspace administrations shall strengthen the guidance and supervision of data provision abroad by data handlers, and intensify ex ante, interim and ex post supervision. In the event of a relatively high risk or a security incident in data provision abroad, the local cyberspace administration concerned shall require the data handler to make rectifications and eliminate risks; if the data handler refuses to make rectifications or serious consequences are caused, it shall be ordered to cease data provision abroad according to the law to ensure data security.

XI. In case of any discrepancy between these Provisions and the relevant provisions such as the Measures for Security Assessment for the Data to Be Provided Abroad and the Measures on Standard Contracts for Personal Information to Be Provided Abroad, these Provisions shall prevail.