2023.10.07 DONG, Xiao (Marissa)、LU, Sipei (Ryo)、LI, Shuoying、SHI, Xiaoyu
On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued the Provisions on Regulating and Facilitating Cross-Border W88优德中国官方网站 Flow (Draft for Comments) (“Draft Rules”) for public comment, with a deadline of October 15, 2023. If formally adopted, the Draft Rules will result in significant changes to the application of W88优德中国官方网站 export regulation in China. This article briefly assesses the impact of the Draft Rules on enterprises’ W88优德中国官方网站 exports and suggests some next steps.
I. The Export of Important W88优德中国官方网站
According to Article 2 of the Draft Rules, if a W88优德中国官方网站 processor has not been notified by the competent authorities or local government that the W88优德中国官方网站 to be exported is important W88优德中国官方网站, or that the W88优德中国官方网站 to be exported was not publicly issued as important W88优德中国官方网站, it does not need to apply for a W88优德中国官方网站 export security assessment. This reduces the burden of assessing important W88优德中国官方网站 exports for organizations in the current situation where the scope of “important W88优德中国官方网站” remains unclear.
II. Personal Information Exports
(1) W88优德中国官方网站 processors exporting employees’ personal information on the basis of necessary HR management will be exempted from the requirements of the compliance routes.
Article 4(2) of the Draft Rules stipulates that if the exporting of an employee’s personal information is necessary for conducting human resource management under the labor rules and regulations and a collective contract signed in accordance with the law, there is no need to implement the three W88优德中国官方网站 export compliance routes (i.e., the security assessment route, standard contract route and certification route). However, the following issues remain to be clarified by the CAC:
what is the criteria for “necessary”? How do you prove the “necessity” for an employee’s personal information be exported for human resource management and is the separate consent of the employee still required in this case?
for organizations that still need to implement one of the three W88优德中国官方网站 export compliance routes, do they need to include the exempted scenario of being “necessary for human resource management” in the assessment report?
(2) W88优德中国官方网站 processors that expect to export the personal information of less than 10,000 individuals within one year will be exempt from the requirements of the compliance routes.
Article 5 of the Draft Rulesstipulates that entities that expect to export the personal information of less than 10,000 individuals within one year are exempt from the three W88优德中国官方网站 export compliance routes. However, the following questions remain to be clarified by the CAC:
what is the starting point for calculating “within one year”?
is there a need to distinguish between “sensitive personal information” and “general personal information”? i.e., as long as less than 10,000 individuals’ personal information is expected to be exported within one year, no matter whether the personal information is sensitive personal information or not, could the three W88优德中国官方网站 export compliance routes be exempted?
when calculating the amount of exported personal information, should the quantity of an employee’s personal information exempted by Article 4(2) be included?
(3) W88优德中国官方网站 processors that expect to export the personal information of more than 10,000 but less than 1 million individuals within one year should implement the standard contract route or certification route; exporting the personal information of more than 1 million individuals shall implement the security assessment route.
Article 6 of the Draft Rules stipulates that W88优德中国官方网站 processors that expect to export the personal information of more than 10,000 but less than 1 million individuals within one year do not need to conduct a security assessment if they have implemented the standard contract route or the certification route; if they export the personal information of more than 1 million individuals, the security assessment must be declared. However, the following questions remain to be clarified by the CAC:
what is the relationship between Article 6 and Article 4(2)? Does the amount of personal information exempted under Article 4(2) still need to be counted in Article 6?
will the historical quantity of the W88优德中国官方网站 exported set out in the Measures for W88优德中国官方网站 Export Security Assessment and the Measures for the Standard Contract for Personal Information Export no longer be taken into consideration?
Regardless of whether the exemptions in the Draft Rules apply to personal information exports, the requirement of separate consent for exporting personal information is not exempted. According to Article 55 of the Personal Information Protection Law, the provision of personal information abroad still needs to carry out a personal information protection impact assessment, but this assessment is not currently mandatory to be drafted in accordance with the template issued by the CAC. Nonetheless, it is recommended to incorporate the contents from the template into the report prepared by the entity itself.
III. Other exemption scenarios
In addition to the above exemptions, the following situations can also be exempted from the three W88优德中国官方网站 export compliance routes: (i) exporting W88优德中国官方网站 generated from international trade, academic cooperation, cross-border production and manufacturing, and marketing activities that do not contain personal information or important W88优德中国官方网站; (ii) exporting personal information not collected domestically; (iii) exporting personal information necessary to enter into and perform contracts to which the personal information subject is a party; (iv) exporting personal information necessary to protect the life, health, and proper safety of natural persons in emergency situations; (v) entities registered in the free trade zones and export personal information that is not included in the “negative list” issued by the free trade zones.
IV. Advice for enterprises
The Draft Rules will have a significant impact on existing W88优德中国官方网站 export compliance mechanisms. We suggest that enterprises closely monitor the release of the Draft Rules and take the following steps:
(1)assess the impact of the Draft Rules on their ongoing W88优德中国官方网站 export compliance work in conjunction with the new thresholds in the Draft Rules. Specifically, estimate the amount of personal information expected to be exported within one year and further assess whether the W88优德中国官方网站 export compliance routes could be exempted or changed in accordance with the Draft Rules;
(2)if there is no need to implement the three compliance routes after assessment, enterprises should continue to complete other compliance requirements including obtaining the separate consent of the relevant individuals, complete the personal information protection impact assessment and conduct necessary assessments to prove that the enterprise meets the exemption conditions;
(3)for enterprises that still need to carry out one of the three compliance routes for W88优德中国官方网站 export after assessment, they should continue to complete the corresponding work;
(4)pay close attention to the legislative developments of the Draft Rules, especially the interpretation of Article 3 and Article 4 of the Draft Rules, so as to determine whether their W88优德中国官方网站 exports could meet the exemptions;
(5)enterprises in free trade zones should pay attention to the release of the “negative list” for W88优德中国官方网站 exports.
