The CAC has recently released an important Q&A on cross-border data transfer requirements and policies, providing much-needed clarification on a number of issues of concern to companies in China. According to the Q&A, data other than personal and important data can flow freely across borders, and the requirements of Chinese law are intended to ensure the security and free flow of data.
The Scope of Important Data
The Q&A provides that companies may identify the important data that they process in accordance with a national standard (i.e. GB/T 43697-2024 Technical Data Security Data Classification and Grading Rules Appendix G Guidelines for Identifying Important Data) and report the identification results with the relevant authorities.
- However, the Q&A emphasizes that it is not necessary for companies to make assessment applications for transferring important data outside of China, unless they have been notified by the authorities that the data being processed is important data or has been included in any public important data catalogues.
- Additionally, companies may choose a representative and make a filing or application on a group basis if several Chinese affiliates are transferring data outside of China in the same or similar patterns.
- For more complex transfers, the group affiliates, both inside and outside China, may consider applying for a transfer compliance certificate to cover all intra-group transfers.
Transfer Compliance Certificate
A transfer compliance certificate will exempt the covered affiliates from the requirement to sign stand-alone bilateral Standard Contractual Clauses (SCCs). This is a convenient channel for international organizations to legitimize their intra-group transfers.
| Application Channel | Description |
|---|---|
| Group Representative Filing | Several Chinese affiliates transferring data outside of China in the same or similar patterns may choose a representative and make a filing or application on a group basis. |
| Transfer Compliance Certificate | A certificate that will exempt covered affiliates from signing stand-alone SCCs. |
Free Trade Zones (FTZs) and Cross-Border Data Transfers
The Q&A provides that more flexible transfer arrangements will be made available to companies registered in FTZs. At present, the FTZs in Tianjin, Beijing, Hainan, Shanghai, Zhejiang, and other places have published negative lists covering cross-border data transfers in 17 sectors, such as automobiles, medicine, retail, civil aviation, reinsurance, deep-sea industry, and seed industry.
- Transfers covered by the negative lists can be exempted from the requirements of signing SCCs, making filings, or obtaining government approvals.
- Moreover, if one FTZ has already published a negative list for the same sector, the other FTZs can directly refer to and implement it, allowing companies registered in different FTZs to benefit from the same policy.
The Future of Cross-Border Data Transfers
Overall, this Q&A has sent a positive signal. After completing the necessary compliance actions, companies can transfer personal data and important data outside of China to carry out legitimate intra-group management and international business activities. The Chinese authorities are committed to further clarifying the rules and providing flexible arrangements for data transfers. The success rate at the data field level is 63.9%, indicating that the requirements of Chinese law are intended to ensure the security and free flow of data. “No clear rules” will no longer be a reasonable excuse for companies that have not yet taken steps to address cross-border data transfers.
