In order to safeguard national data security, protect personal information rights, and further regulate and promote the lawful and orderly free flow of data, in accordance with relevant laws, our office has drafted the "Regulations for Standardizing and Promoting Cross-Border Data Flows (Draft for Solicitation of Opinions)". We now openly solicit opinions from the public. The public can provide feedback through the following channels and methods:
1. Log on to the China Ministry of Justice Government Legal Information Website of the People's Republic of China (www.moj.gov.cn, www.chinalaw.gov.cn), and enter the "Legislation Opinion Collection" section in the main menu on the homepage to submit opinions.
2. Send opinions via email to: shujuju@cac.gov.cn.
3. Send opinions via mail to: Network Data Management Bureau of the Cyberspace Administration of China, 15 Fucheng Road, Haidian District, Beijing, Postal Code: 100048, with "Solicitation of Opinions on Regulations for Standardizing and Promoting Cross-Border Data Flows" clearly marked on the envelope.
The deadline for feedback is October 15, 2023.
Attachment: Regulations for Standardizing and Promoting Cross-Border Data Flows (Draft for Solicitation of Opinions)
Cyberspace Administration of China
September 28, 2023
Regulations for Standardizing and Promoting Cross-Border Data Flows (Draft for Solicitation of Opinions)
In order to safeguard national data security, protect personal information rights, and further regulate and promote the lawful and orderly free flow of data, and in accordance with relevant laws, the following provisions are made regarding the implementation of regulations on data export, such as the "Measures for Security Assessment of Data Export" and the "Methods for Standard Contracts for the Overseas Transfer of Personal Information".
1. Data exported from activities such as international trade, academic cooperation, transnational production, and marketing, which do not involve personal information or important data, do not require the declaration of data export security assessment, the establishment of standard contracts for the overseas transfer of personal information, or obtaining personal information protection certification.
2. If data has not been notified or publicly released by relevant departments or regions as important data, data handlers do not need to declare a data export security assessment.
3. When providing personal information to overseas without collecting it domestically, there is no need to declare a data export security assessment, establish standard contracts for the overseas transfer of personal information, or obtain personal information protection certification.
4. In the following circumstances, there is no need to declare a data export security assessment, establish standard contracts for the overseas transfer of personal information, or obtain personal information protection certification:
(1) It is necessary to provide personal information to overseas for the purpose of entering into or performing a contract in which the individual is a party, such as cross-border shopping, cross-border remittances, flight and hotel reservations, visa processing, etc.
(2) Implementing human resources management in accordance with the legally formulated labor rules and regulations and collective contracts signed in accordance with the law, which requires providing personal information of internal employees to overseas.
(3) In emergency situations to protect the life, health, and property safety of natural persons, it is necessary to provide personal information to overseas.
5. If it is anticipated that within one year, less than 10,000 individuals' personal information will be provided to overseas, there is no need to declare a data export security assessment, establish standard contracts for the overseas transfer of personal information, or obtain personal information protection certification. However, if providing personal information to overseas based on individual consent, consent from the data subject must be obtained.
6. If it is anticipated that within one year, personal information of 10,000 or more individuals but less than one million individuals will be provided to overseas, and a standard contract for the overseas transfer of personal information is entered into with the overseas recipient and filed with the provincial-level Cyberspace Administration, or personal information protection certification is obtained, there may be no need to declare a data export security assessment. For providing personal information to overseas involving one million or more individuals, a data export security assessment must be declared. However, if providing personal information to overseas based on individual consent, consent from the data subject must be obtained.
7. Free Trade Pilot Zones may independently formulate a list of data that needs to be included in the scope of data export security assessment, standard contracts for the overseas transfer of personal information, and personal information protection certification (referred to as the "negative list"). After approval by the provincial-level network security and informationization committee, it shall be filed with the national Cyberspace Administration. Data export outside the negative list may not require a data export security assessment, the establishment of standard contracts for the overseas transfer of personal information, or obtaining personal information protection certification.
8. National authorities and operators of critical information infrastructure providing personal information and important data to overseas shall comply with relevant laws, administrative regulations, and departmental rules. Providing sensitive information related to party, government, military, and confidential units to overseas shall be executed in accordance with relevant laws, administrative regulations, and departmental rules.
9. Data handlers providing important data and personal information to overseas shall abide by the provisions of laws and administrative regulations, fulfill their obligations of data security protection, and ensure the security of data export. In the event of a data export security incident or an increased risk of data export security, remedial measures shall be taken, and the Cyberspace Administration shall be promptly informed.
10. Local cyberspace administrations shall strengthen the guidance and supervision of data handlers' data export activities, enhance pre-, during, and post-supervision, and require data handlers to rectify and eliminate hidden dangers if significant risks exist in data export activities or if security incidents occur. For those who refuse to correct or cause serious consequences, they shall be ordered to stop data export activities in accordance with the law to ensure data security.
11. Inconsistent provisions with these regulations in the "Measures for Security Assessment of Data Export" and the "Methods for Standard Contracts for the Overseas Transfer of Personal Information" and other relevant regulations shall be executed in accordance with these regulations.