Press "Enter" to skip to content

Provisions on Promoting and Regulating the Cross-Border Flow of Data

Promulgation Date: 2024-3-22
Title: Provisions on Promoting and Regulating the Cross-Border Flow of Data
Document Number:
Expiration date: 
Promulgating Entities: Cybersecurity Administration
Source of text: https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm

Provisions on Promoting and Regulating the Cross-Border Flow of Data

Article 1: These provisions on the implementation of systems for data export such as data export security assessments, standard contracts for the export of personal information, and personal information protection certification are formulated on the basis of laws and regulations such as the PRC Cybersecurity Law, the PRC Data Security Law, and the PRC Personal Information Protection Law, to ensure data security, protect rights and interests in personal information, and promote the orderly and free flow of data in accordance with law.

Article 2: Data handlers shall identify and declare important data in accordance with relevant provisions. Data handlers do not need to report data as important data for data export security assessments where notice has not been given by relevant departments or regions or it was not openly published as important data.

Article 3: Where the data collected or produced in activities such as international trade, cross-border transport, academic cooperation, and multinational manufacturing and marketing that is to be provided overseas does not include personal information or important data, it is exempt from declarations for data export security assessments, concluding standard personal information export contracts, and passing personal information protection certification.

Article 4: Where personal information collected or produced by data handlers overseas is provided overseas after being transmitted to China for handling, and no domestic personal information or important data was introduced during the handling, it is exempted from declarations of data export security assessments, signing of standard personal information export contracts, and passing personal information protection certification.

Article 5: Where data handlers provide personal information overseas and meet any of the following conditions, they are exempted from declarations of data export security assessments, signing of standard personal information export contracts, and passing personal information protection certification:

(1) Where it is truly necessary to provide personal information overseas in order to conclude or perform on contracts to which an individual is a party, such as for cross-border purchases, cross-border delivery, cross-border wire transfers, cross-border payments, cross-border opening of accounts, plane and hotel reservations, visa handling, and testing services;

(2) Where it is truly necessary to provide employees' personal information overseas to carry out cross-border human resources management in accordance with lawfully formulated labor rules systems and collective contracts signed in accordance with law;

(3) Where it is truly necessary to provide personal information overseas in emergencies to protect the lives and wellbeing of natural persons and the security of their property;

(4) Where data handlers other than critical information infrastructure operators cumulatively provided less than 100,000 persons' personal information (not including sensitive personal information) overseas before January 1 of that year.

The personal information provided outside mainland China referred to in the preceding paragraph does not include important data.

Article 6: Under the hierarchical and classified data protection system, free trade pilot regions may themselves formulate lists of data that need to be included within the scope of data export security assessments, standardized contracts for the export of personal data, and personal information protection certification for that region (hereinafter referred to as negative lists) , and upon approval from the provincial Commission for Cybersecurity and Information Technology, report it to the National Network Information Department and the National Data Management Department for filing.

Data handlers in free trade pilot regions who are provided data from the negative list overseas may be exempted from declarations for data export security assessments, signing standard contracts for the export of personal information, and personal information protection certification.

Article 7: Where data handlers' provision of data overseas meets any of the following circumstances, they shall make declarations for data export security assessments to the NAtional Internet Information Department through the provincial internet information department:

(1) Critical infrastructure operators provide personal information or important data overseas;

(2) Data processors other than critical information infrastructure operators provide important data overseas, or provide the personal information of more than 1 million people (not including sensitive personal information) or the sensitive personal information of more than 10,000 people overseas countries since January 1 of that year;

Where it falls within the circumstances provided for in Articles 3, 4, 5, or 6 of these Regulations, follow those provisions.

Article 8: Where, since January 1 of that year, data processors other than critical information infrastructure operators cumulatively provide the personal information (not including sensitive personal information) of between 100,000 and 1 million people overseas, or provide the sensitive personal information of up to 10,000 people overseas, they shall conclude a standard contract for the export of personal information with the recipient or pass personal information protection certification.

Where it falls within the circumstances provided for in Articles 3, 4, 5, or 6 of these Regulations, follow those provisions.

Article 9: The validity period for results of data export security assessments is three years starting from the date of the assessment. At the completion of the validity period, where it is necessary to continue carrying out data export activities and there are no circumstances requiring new declarations for a data export security assessment, the data handlers may, within 60 working days of the validity period completing, submit an application to extend the assessment's validity period to the national internet information department through the local provincial internet information department. With the approval of the national infternet information department, the validity period of the evaluation results can be extended for 3 years.

Article 10: Where data handlers provide personal information overseas, they shall perform obligations such as giving notice, obtaining the individuals' independent consent, and conducting personal information protection impact assessment in accordance with laws and administrative regulations.

Article 11: Where data handlers provide data overseas they shall obey the provisions of laws and regulations, perform data security protection obligations, and employ technical measures and other necessary measures, to ensure the security of data exports. Where data security incidents occur or might occur, they shall employ remedial measures and promptly report to an internet information department or other relevant department at the provincial level or higher.

Article 12: The internet information departments of each region shall strengthen guidance and oversight of data handling and data export activities, complete and improve systems for data export security assessments, and optimize the assessment process; strengthen ex-ante, ex-post, and ongoing regulation throughout the entire chain, and where larger risks are discovered in data export activities or where data security incidents occur, request that the data handlers make corrections and eliminate the threats; those who refuse to make corrections or cause serious consequences are to be pursued for legal responsibility in accordance with law.

Article 13: The Data Export Security Assessments Measures (State Internet Information Office Order No. 11) published on July 7, 2022, the Measures on Standard Contracts for the Export of Personal Information (State Internet Information Office Order No. 11) published on February 22, 2022, and other related provisions are not consistent with these Provisions, these provisions apply.

Article 14: These Provisions come into force on the date of promulgation.

 

Click to rate this post!
[Total: 0 Average: 0]

Print this entry

CLT is a crowdsourced, crowdfunded legal translation project that enables English speaking people to better understand Chinese law.

Be First to Comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Translate