Deacons Client Alert

PRC Data Protection Updates 9 April 2024

New provisions ease the compliance burden under China’s

cross-border data transfer regime
Dora Si, Andy Yu, Lily Liu

In our previous alert, we reported on the proposal of the China Administration of Cyberspace (“CAC”) to relax the cross-border
data transfer compliance requirements under the PRC Personal Information Protection Law (“PIPL”). On 22 March 2024, the
CAC issued the much-anticipated Provisions on the Promotion and Regulation of Cross-border Data Transfer (“Provisions”)
which confirm the relaxation measures which will have significant implications for multinational businesses. The CAC’s
guidelines on applications for security assessment and standard contract recordal (“Updated Guidelines”) have also been
updated to reflect the new measures. The Provisions and the Updated Guidelines have all come into force with immediate effect.

What has been relaxed?

A significant change is that the Provisions allow certain exemptions from compliance with the required transfer mechanisms
under Art.38 of the PIPL, i.e. passing a security assessment led by the CAC, recording a standard contract with the CAC, or
obtaining a certification before transferring personal data abroad.

The Provisions also raise the threshold for triggering a security assessment, allowing businesses more flexibility to adopt the
alternative transfer tools of standard contract recordal or certification. For example, businesses processing a large volume of
personal data (exceeding 1 million data subjects) used to be subject to the official assessment requirement, even if the volume
of data exported may be limited. In contrast, the new Provisions focus on the volume of data subjects whose data are exported
in determining which transfer tool is applicable.

For exportation of important data, data handlers still have to undergo the official assessment but the Provisions clarify that this
only applies to “important data” that has been classified as such by official notices or published announcements by relevant
regulators.

The key exemptions and revised thresholds for outbound transfer of personal data by data handlers that are not Critical
information infrastructure operator (“non-CIIO”) are summarised below:-

# Scenarios Required transfer tools or exemptions

1 Since 1 January of the current year, accumulated exportation Passing the CAC’s security assessment (subject to
of: exemptions under Nos. 4-6 below)
• more than 1 million data subjects’ personal data (not
involving sensitive personal data); or
• more than 10,000 data subjects’ sensitive personal
data

2 Since 1 January of the current year, accumulated exportation Recording the standard contract with the CAC, or
of: obtaining certification from a recognised organisation
• more than 100,000 but less than 1 million data (subject to exemptions under Nos. 4-6 below)
subjects’ personal data (not involving sensitive
personal data); or
• less than 10,000 data subjects’ sensitive personal
data
 # Scenarios Required transfer tools or exemptions
3 Since 1 January of the current year, accumulated exportation Exempted from adopting any of the 3 transfer tools
of less than 100,000 data subjects’ personal data (not
involving sensitive personal data)

4 Necessary for:
• conclusion/ performance of a contract to which the
data subject is a party;
• cross-border HR management purposes in
accordance with lawfully formulated labour rules and
collective contracts; or
• protecting life, health and property safety in an
emergency situation

5 Exportation of data first collected overseas and then

imported into Mainland China for further processing,
provided that no domestic personal data or important
data is involved throughout the process

6 The data handler is within a free-trade zone and the exported

data does not fall within the negative list

What has not been relaxed?

It is important to note that the Provisions do not exempt businesses from other relevant compliance obligations applicable to
cross-border data transfer, such as obtaining informed and separate consent (where applicable), conducting personal
information impact assessment (PIA), ensuring data security and reporting data breaches. Therefore, it is still necessary for
data handlers to maintain suitable privacy policies, obtain relevant consents (if applicable), and have appropriate data
processing / transfer agreements in place, to ensure compliance.

It remains to be seen whether the CAC will adopt a more liberal or conservative approach in interpreting the exemptions,
especially in relation to the “necessity for conclusion / performance of a contract”, as well as “cross-border HR management
purposes”, which could substantially ease the compliance burden on multinational businesses.

Clarification on data processing activities under Art.3(2) of the PIPL

One important area of uncertainty under the previous regime was whether the collection and processing of the personal data of
data subjects in Mainland China, by an overseas data handler, amounts to cross-border data transfer. For example, where an
overseas business has no physical presence in Mainland China but provides goods/ services to its Mainland customers, or
analyses or evaluates their behaviour through online platforms, during which their personal data is directly processed by the
overseas data handler.

It has now been clarified under the Updated Guidelines that such overseas data processing activities falling within Art.3(2) of
the PIPL will be considered cross-border data transfer. Therefore, overseas businesses with no physical presence in Mainland
China may find themselves subject to the transfer tools requirement under Art. 38 of the PIPL, subject to any exemption under
the Provisions.
Why does this matter to you?

The Provisions address some of the important concerns of businesses and offer some relief from the compliance burden of the
transfer mechanism under the PIPL. Businesses should now review their data portfolio to ascertain whether they are subject to
the cross-border data transfer regulatory regime and whether any exemptions may apply. In particular, business should be alert
if they handle and transfer any sensitive personal data (i.e. information about biometrics, religious belief, specific identities,
healthcare, financial accounts, location tracking and personal data of minors aged under 14) outside China, considering the
threshold of exportation of sensitive personal data that will trigger the transfer tool requirement is relatively low.

For data transferred within the Greater Bay Area, businesses should also consider if they can take advantage of the separate
mechanism of Standard Contract for the Cross-boundary Flow of Personal Information within the Greater Bay Area which seems
to have less stringent requirements.

However, it must be remembered that the Provisions do not exempt businesses from the normal data compliance obligations.
As the regulatory regime for cross-border data transfer continues to evolve, it is imperative for businesses to stay ahead of the
data compliance curve and review their practices to manage the rising enforcement risks. Please contact Deacons Intellectual
Property Department if you wish to discuss any questions.

Want to know more?

Annie Tsoi Catherine Zheng Dora Si

Partner Partner Partner
annie.tsoi@deacons.com catherine.zheng@deacons.com dora.si@deacons.com
+852 2825 9255 +852 2825 9617 +852 2826 5394

Ian Liu Tracy Li Andy Yu

Partner Partner Senior Associate
ian.liu@deacons.com tracy.li@deacons.com andy.yu@deacons.com
+852 2826 5360 +852 2825 9429 +852 2825 9748

Lily Liu
Associate
lily.liu@deacons.com
+852 2825 9407

The information contained herein is for general guidance only and should not be relied upon as, or treated as a substitute for, specific advice. Deacons accepts
no responsibility for any loss which may arise from reliance on any of the information contained in these materials. No representation or warranty, express or
implied, is given as to the accuracy, validity, timeliness or completeness of any such information. All proprietary rights in relation to the contents herein are
hereby fully reserved.
0424 © Deacons 2024
www.deacons.com