China’s Most Recent Efforts to Rebalance Security and Economic Development Through Data

As China steps into 2024, it faces a world vastly different from that of 2021, when it introduced its initial cross-border data transfer (CBDT) framework. On the west coast of the Pacific Ocean, China is still struggling to realise its post-COVID-19 economic recovery goals. On the east coast, generative AI has heralded a potential new wave of industrial revolution, while China grapples with imposed restrictions on accessing advanced computing power. Similar restrictions are being extended to data, the “ingredients” of AI products and high-tech competition, as more countries abandon the concept of free flow and embrace protectionism.

In the past three years, more geopolitical bridges were demolished and more walls erected, and China now encounters escalating pressure in both security and economic development. It is compelled to strike a new, more intricate balance when reassessing its CBDT benchmarks, which were previously deemed overly security-focused and burdensome to multinationals. That explains why the Cyberspace Administration of China (CAC) attracted so much attention when releasing its long-awaited Rules on Facilitating and Regulating the Cross-Border Flow of Data (the “Rules”) on 22 March 2024.

The Rules have responded to the pleas from multinationals and industrial associations with a moderate relaxation of the lengthy government review process, the more complex data export security assessment process and the slightly conducive SCC filing process, for CBDT (the third option, personal information protection certification, is not yet a mature option in practice). The relaxation is primarily in the following ways:

Firstly, the Rules stipulate that data controllers can bypass the government review process if one of the exemptions applies to its CBDT of personal data:

Secondly, the Rules enable free trade zones (FTZs) in China to formulate their respective negative lists within the national framework of data classification and grading. Controllers located in the FTZs can skip the government review process, as long as the data subject to CBDT are not on the negative lists.

Thirdly, the Rules alleviate some of the burden on the controllers by streamlining the requirements on the application materials (eg, the application forms and the self-assessment reports).

Perhaps the intricacy of the Rules is best illustrated not by what has been relaxed, but by what remains unchanged.

The enumerated scenario-based exemptions suggest that China is less likely to introduce in the near future a more holistic exemption to satisfy multinationals’ broader intra-group management needs. This presumably reflects China’s concern over the potential circumvention of the general rules by abusing the broader exemption. Some of the listed exemptions can apply quite narrowly. For instance, the legal community generally agrees that the cross-border contract exemption would not apply to a China subsidiary’s transfer to its foreign headquarters of the personal data generated from its transactions contracted and performed in China, because such transfer is not considered “necessary”.

The Rules can be described as China’s efforts to ease restrictions on CBDT of non-sensitive data by non-sensitive controllers. Therefore, if the controllers are themselves sensitive, eg, if they are designated as “critical information infrastructure operators” (CIIOs), or if the exported data are either “important data” or “sensitive personal data”, the prior government formalities largely remain intact. In particular, in terms of the volume-based exemptions, it is noteworthy that even under the new framework, export of “sensitive personal data” of a single individual is enough to trigger the government review process, which requires, among other things, the foreign recipient’s full commitment to the data security and data privacy obligations stipulated in a government-issued template agreement, and an assessment of the recipient’s data security capabilities. Because the definition of “sensitive personal data” explicitly includes an individual’s biometrics, medical health, financial accounts, and personal whereabouts, many industries, such as financial services, life sciences, e-commerce, and automated driving, are less likely to benefit from the volume-based exemptions.

While the Rules are released by the CAC, they are the products of close inter-agency consultation and deliberation, and reflect the best pragmatic compromise among the official stakeholders. The Rules show that China’s CBDT framework is moving from a security-centric approach towards a more balanced, risk-based approach, but it is not difficult to perceive that they still hold the line by retaining almost all major security controls.

It remains to be observed how the Rules will be implemented in practice, as there is still ample room for interpretation and discretion. For instance, while one may be interested in learning the breadth of the future negative lists, it is equally important to observe their coverages – the extent to which companies registered outside of FTZs can take advantage of the preferential treatment given to their affiliates registered therein.

As the Rules have just been rolled out, it may take some time for the implementation benchmarks to stabilise, at least for a certain period, until they are further affected by international economic and geopolitical developments. The rebalance is most likely to be a dynamic calibration process.