Cross-Border Data Transfer in China: 2024 Regulatory Changes

Cross-border data transfer in China has become a hot topic in recent years due to the country’s strict regulations and policies regarding data privacy and security. However, recent changes have made it easier for businesses to transfer data overseas where they have a good reason. 

Here, we explain how cross-border data transfers are regulated in China and discuss the regulatory changes of March 2024 that relax the rules.

Overview of Cross-Border Data Transfer Regulations in China

Three main laws govern data transfer in China. The key elements of each are explained below.

1. Personal Information Protection Law (PIPL)

Enacted in 2021, the PIPL sets out comprehensive rules for processing personal information within China and transferring personal information outside of China. It requires that any transfer of personal information outside of China ensure a level of data protection equivalent to that provided under Chinese law. This can be achieved by obtaining certification under approved standards, entering into standard contractual clauses, or passing a security assessment by the Chinese authorities.

Additionally, companies are required to conduct a security assessment to ensure that the transfer does not pose any risks to national security or the public interest.

The regulations developed in association with this law have recently been relaxed.

2. Data Security Law (DSL)

Implemented in 2021, the DSL emphasizes the security and control of data processed and generated in China. It categorizes data based on its importance to national security, economic development, and social public interests, imposing stricter controls on “important data” and “core data.”

3. Cybersecurity Law (CSL)

Since 2017, the CSL has been China’s foundational cybersecurity and data protection legislation. It requires critical information infrastructure operators (CIIOs) to store personal information and important data collected and generated in China within the country. Cross-border transfer of this data is permissible but subject to a stringent security assessment process.

Companies that fail to comply with these regulations may face fines, suspension of business operations, or even criminal charges.

March 2024 Changes to the Data Transfer Regulations

The Cyberspace Administration of China (CAC) issued updated regulations on March 22, 2024. These regulations introduce several key changes to ease businesses’ compliance burden while safeguarding sensitive information. The key changes are considered below. 

1. Exemptions 

The Regulations exempt certain categories of data transfers from stringent checks if they do not include sensitive or significant personal information. For instance, data involved in international trade, academic cooperation, and other specific activities are exempt unless classified as “important data.” Similarly, personal information collected and processed outside mainland China is exempt if no sensitive domestic data is involved.

2. Thresholds for Data Transfers

The regulations now provide clearer guidance on what constitutes “important data” and modify the thresholds for when a security assessment by the CAC is required. Notably, the threshold for general personal information has been raised, reducing the instances where a security assessment is needed.

3. Special Rules for Free Trade Zones (FTZs)

FTZs can create negative lists that specify the types of data subject to export requirements, potentially simplifying compliance for companies operating within these zones.

4. Standard Contracts and Personal Information Protection Certification

For data transfers involving the sensitive personal information of more than 10,000 individuals and general personal information of more than 1,000,000 individuals, a standard contract must be filed, or a personal information protection certification must be obtained. However, these requirements are relaxed for transfers involving less sensitive data or fewer data subjects.

Continued Compliance Obligations

Companies must still comply with personal information protection and privacy laws despite the easing of some requirements. This includes obtaining consent for processing sensitive personal information and ensuring that contractual terms with overseas recipients provide an equivalent level of data protection.

Note also that businesses in particular sectors, such as financial institutions, healthcare, and educational organizations, usually need specific permission from industry regulators to transfer data. 

If you would like additional advice and support on complying with China's data transfer rules, get in touch with our compliance experts at MSA.