China’s Cyberspace Administration (CAC) has released a Q&A on Data Cross-Border Security Management Policies, providing foreign businesses with practical guidance on implementing security assessments, processing personal information, and certifying data exports.
Key Takeaways from the Cross-Border Data Transfer Q&A
• China’s free flow of “general data” across borders has been clarified, with the CAC stating that data not involving personal information or important data can flow freely across borders. • The CAC has introduced measures to help companies avoid unnecessary repetition of compliance procedures, including allowing group companies to submit consolidated applications for data export compliance. • Foreign companies can participate in the development of industry and technical standards through working groups under the National Information Security Standardization Technical Committee. • Companies can streamline personal information exports through certification systems, group-wide certification, and extension of the validity period of a data export security assessment result. • The CAC is actively guiding FTZs to develop catalogs of general data that companies can freely export from the zone.
Clarification on General Data and Important Data Export
The CAC’s clarification that general data can be transferred freely across borders is significant, as it eliminates any uncertainty surrounding the validity of this interpretation. However, defining what constitutes general data may not be straightforward, as the government has not released a definitive list of data types that qualify. General data is defined as “any data excluding important and core data” by the Data Classification Standards [GB/T 43697-2024]. However, the definitions of “core”, “important”, and other data types outlined in these standards are not explicitly specified.
Determining the Necessity of Personal Information Export
One of the steps in exporting certain volumes of personal information out of China is to assess whether the export is necessary for the company’s business operations. The CAC has outlined four key factors that determine whether a personal information export is “necessary”:
• Whether the data export is directly related to the purpose of the data processing. • Whether the data export minimizes the impact on individual rights and interests. • Whether the data export is limited to the minimum scope needed for that purpose. • Whether the data retention period is as short as necessary to fulfill that purpose.
Clarification on Identifying Important Data and Regulations on Important Data Export
Under China’s data security laws, any data classified as “important” must undergo a security assessment by the CAC before it can be exported. However, as the government has not released a definitive list of what is considered important data, it is difficult to determine exactly which data will qualify. The cross-border data transfer Q&A clarifies that there are certain scenarios in which important data can be exported. Specifically, if a data export security assessment determines that the transfer of the data does not endanger national security or public interests, it can be exported.
Participation of Foreign Companies in Formulating Technical Standards
Foreign companies can participate in the development of industry and technical standards through working groups under the National Information Security Standardization Technical Committee. They can also engage by reviewing and submitting comments on draft standards published for public consultation.
The CAC has introduced several measures aimed at easing the process of personal information exports for companies. These include:
• Allowing group companies to submit consolidated applications for data export compliance. • Allowing certified multinational groups to transfer personal information internally across borders without the need to sign separate standard contracts with each foreign subsidiary. • Extending the validity period of a data export security assessment result from 2 years to 3 years.
The cross-border data transfer Q&A clarifies that the validity period of a data export security assessment result has been extended from 2 years to 3 years. This means that once a company passes the security assessment, it may continue exporting personal information for up to three years without needing to reapply.
