China Cybersecurity and Data Protection Regulations – 2023 Recap and 2024 Outlook
2023 saw the implementation of several new regulations on data protection and cybersecurity in China, with a particular focus on cross-border data transfer and personal information protection. However, in an effort to improve the business environment, China’s cybersecurity authorities are also considering easing some requirements on multinationals and foreign companies. We summarize the updates to the China data protection regulations in 2023 and discuss the changes we may see in 2024.
China has been expanding its legal framework for cybersecurity and data protection in recent years, with further advancements seen in 2023. This year witnessed the refinement of legal requirements governing the procedures to export personal information (PI), bringing further clarity to the responsibilities and accountabilities of companies.
At the same time, 2023 may have seen China’s cybersecurity authorities walk back some of the requirements placed on companies, in particular for cross-border data transfer (CBDT). Stringent CBDT restrictions have posed challenges for multinational corporations and foreign-invested enterprises (FIEs), potentially acting as barriers to increased foreign investment.
In an effort to improve the environment for foreign businesses, China’s cybersecurity authorities have recently proposed to ease the requirements imposed on companies regarding CBDT. By revisiting and modifying certain CBDT requirements, China is signaling its commitment to striking a balance between data security and facilitating smoother cross-border business operations. These proposed changes represent a pivotal step towards building a more dynamic and investor-friendly cybersecurity framework.
In this article, we look at the major developments in China’s cybersecurity and data protection regulations and discuss what to watch out for in 2024.
Cybersecurity and data protection developments in 2023
January 2023: Finalized data protection measures for industrial and telecom companies released
On December 13, 2022, China’s Ministry of Industry and Information Technology (MIIT) released the final version of the Measures for Data Security Management in the Field of Industry and Information Technology (Trial Implementation) (the “Trial Measures”). The Trial Measures, which came into effect on January 1, 2023, outline data security requirements for companies in the industry and information technology sectors.
One of the more important developments of the Trial Measures is the classification of different types of “industrial and telecom data” as “industrial data”, “telecoms data”, and “radio data”. Under the Trial Measures, businesses are obliged to sort and classify these three types of industrial and telecoms data into three different risk categories: “core”, “important”, and “ordinary” data. They must then submit a catalog of the “important” and “core” data to the local branch of the MIIT.
Firms will be required to take different degrees of protection measures for the collection, processing, transfer, and disposal of data depending on the risk classification of the data. Moreover, companies that wish to export “core” or “important” data overseas will be required to undergo a security assessment.
The Trial Measures also stipulate that the MIIT is responsible for handling requests from foreign entities, such as industrial or telecom companies, to provide industrial or telecom data. The MIIT will provide such data in accordance with any international treaties that China has signed.
For more information on the data protection requirements of industrial and telecom companies, please see our article on the Finalized China Data Protection Measures for Industrial and Telecom Companies.
March 2023: Draft certification standards for cross-border personal information transfer released
On March 16, 2023, the National Information Security Standardization Technical Committee (NISSTC) released the Certification requirements for cross-border transmission of personal information (the “draft certification requirements”). This draft document, which was released for public comment until May 15, 2023, outlines the standards for the third-party certification of companies engaged in the cross-border transfer of PI.
Third-party certification is one of the three mechanisms available to companies to legally transfer certain volumes of PI outside of China, as required under China’s Personal Information Protection Law (PIPL) and related regulations. The other two mechanisms are undergoing a security assessment carried out by the Cybersecurity Administration of China (CAC), China’s cybersecurity regulator, or signing a standard contract with the overseas recipient of the PI.
Under the PIPL and related legislation, companies that meet the following criteria are eligible to undergo the certification method:
- They are not a critical information infrastructure operator (CIIO).
- They process the PI of fewer than one million people.
- Since January 1 of the previous year, they have transferred the PI of less than 100,000 people out of China.
- Since January 1 of the previous year, they have transferred the “sensitive” PI of less than 10,000 people out of China.
Those that exceed the above thresholds, or wish to provide “important data” overseas, must undergo a security assessment by the CAC.
The draft certification requirements, which are themselves an update to an earlier document, the Security Certification Specifications for Cross-Border Processing of Personal Information V2.0, provide a basis for certification agencies to carry out certification of companies’ cross-border processing activities.
Requirements for companies undergoing certification include signing legally binding and enforceable documents with their overseas recipients to ensure the protection of the rights and interests of PI subjects, appointing a person to be in charge of PI protection, setting up a PI protection agency to perform the relevant obligations, and carrying out a PI protection impact assessment (PIPIA).
At the time of writing, no update has been provided on the public feedback on the draft certification standards, and they have therefore not yet been officially adopted. This means that the rules for the certification method have not yet been finalized.
It is also important to note that, while they do shed some light on the proposed requirements for the certification method, China’s cybersecurity and market standards authorities have not yet released a list of the certification agencies that are authorized to carry out certification procedures. They have also not issued specific guidelines for how the certification agencies are required to carry out the certification. More clarity is therefore required for both companies and certification agencies for how this procedure will be carried out in practice.
June 2023: Standard contract measures come into force
On June 1, 2023, the Standard Contract Measures for the Export of Personal Information (“Standard Contract Measures”), came into effect. First released on February 22, the Standard Contract Measures clarify how companies can transfer PI outside of China through the standard contract mechanism, in which the company signs a contract with the overseas recipient of the data.
At the end of May 2023, the CAC also released the Guidelines for the Filing of Standard Contracts for Exporting Personal Information Abroad (First Edition) (the “Standard Contract Guidelines”), a supplementary document that acts as a guide for companies that choose to use the standard contract mechanism.
In addition to providing information on how to file materials with the local authorities, the Standard Contract Measures also provide additional clarity on certain legal definitions, including the definition of “PI export activity”.
The Standard Contract Measures stipulate that companies must carry out a PIPIA before signing a standard contract, outline the content of the standard contract (and provide a standard contract template), and clarify the filing procedures for the standard contract, including all of the required materials.
The Standard Contract Measures provide a much clearer picture for China-based companies on how to handle CBDT activities, helping to clarify the obligations and liabilities of each party. However, the measures still do not provide clarity on certain definitions that are important for companies to understand whether they are eligible for the standard contract mechanism. This includes a clear definition of what is considered a CIIO, and what is considered “important data”, as both CIIOs and companies exporting “important data” are required to undergo a security assessment by the CAC.
For more information on the standard contract mechanism, see our article on the Standard Contract Measures for Personal Information Export.
August 2023: CAC releases draft measures proposing regular compliance audits
On August 3, 2023, the CAC released a new set of draft measures, the Personal Information Protection Compliance Audit Management Measures (Draft for Comments) (the “Draft Audit Measures”) proposing that companies that process the PI of subjects in China undergo regular compliance audits. The compliance audit would assess whether companies are in compliance with the PI protection requirements of the PIPL, as well as other auxiliary measures and regulations.
The Draft Audit Measures stipulate that companies that process the PI of over one million people are required to undergo a compliance audit at least once a year. All other companies that process PI are required to undergo a compliance audit at least once every two years.
Companies would be permitted to carry out compliance audits on their own using either an internal organization or an entrusted third-party agency.
Although the Draft Audit Measures do pertain to the companies engaged in PI processing themselves, the rules that are laid out in the measures are mostly directed at the professional third-party institutions that are entrusted to conduct compliance audits on behalf of companies.
The CAC solicited opinions from the public on the measures until September 2, 2023, but as of writing, no update has been provided on their potential amendment or adoption.
The requirements for regular compliance audits, if passed into law in their current form, will add an additional compliance burden for foreign companies operating in China, similar in nature to statutory financial audits. However, China has already been building out its PI protection regulatory framework for a few years, and most companies operating in China will have begun to implement processes to comply with these regulations.
In addition, given more recent efforts to ease compliance requirements for foreign companies in particular, it is unclear whether these measures will be implemented.
For more information on the proposed PI compliance audits, see our article on Regular Compliance Audits for Personal Information Protection.
September 2023: CAC proposes easing cross-border data transfer requirements
In the latter half of the year, the Chinese government has taken several steps to improve the business environment for private and foreign companies, in an effort to increase investment.
In August 2023, the State Council issued a set of opinions to attract foreign investment, which, among other things, recommended the creation of a more secure and efficient data export mechanism. The aim is to make it easier for foreign companies to export their data internationally.
To this end, the CAC in September released the Regulations on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) (the “draft regulations”), which provide several allowances for the export of “important data” and PI in certain scenarios. If passed, the regulations would greatly alleviate uncertainties and compliance burdens for many companies.
The draft regulations offer several mechanisms for easing the requirements for companies to export data overseas.
First, they waive the requirement for companies to undergo any of the three CBDT mechanisms (CAC security assessment, third-party certification, or signing a standard contract) if the data they wish to export meets certain requirements. These requirements are that the data is generated through activities such as international trade, academic cooperation, transnational manufacturing, or marketing, and does not contain any PI or “important” data.
The above proposal to ease CBDT requirements still hinges on the definition of “important” data, which has not been given. However, the draft regulations also stipulate that if the data in question has not already been determined to be important data by relevant government departments, through a regional or public notice, then the company is not required to undergo a security assessment. In other words, if the data has not been officially specified as “important”, then it will not be treated as such for the purpose of CBDT.
Secondly, the draft regulations stipulate scenarios in which the export of PI is deemed necessary and therefore are not subject to the three CBDT mechanisms. These scenarios include situations in which PI must be exported in order to perform a contract, implement human resources management in accordance with the labor rules and regulations, or protect the safety of life, health, and property of natural persons in an emergency.
Third, the draft regulations slightly shift the data volume thresholds so that if a company expects to export the PI of fewer than 10,000 people within a year, it does not need to undergo any CBDT mechanism. Under current regulations, a company that has cumulatively exported the ordinary PI of fewer than 100,000 people, or the sensitive PI of fewer than 10,000 people, since January 1 of the previous year must still undergo one of the CBDT mechanisms.
Finally, the draft regulations propose that China’s free trade zones (FTZs) formulate data “negative lists” of certain types of data for which a company must undergo one of the CBDT mechanisms and receive approval from the CAC to export. Under this system, any data types that are not included in the negative list could be freely exported through the FTZs, without the company needing to undergo any CBDT mechanisms.
If passed in their current form, the draft regulations will make compliance with China’s CBDT regulations significantly easier for many foreign companies. For instance, the clause that allows companies to export potentially important data without undergoing the CBDT mechanisms—if the important data has not been specifically defined—addresses a key concern for foreign companies and business groups.
For more information on the draft regulations, see our article on Easing Cross-Border Data Transfer Rules.
2024 outlook for cybersecurity and data protection regulations
More clarity on legal definitions
One of the main sticking points of China’s growing cybersecurity and data protection regulation is the lack of clarity of certain legal terms.
Chief among them is the specific definition of “important” data, which underpins requirements to undergo special CBDT mechanisms (as companies deemed to export “important” data are required to undergo a CAC security assessment under current rules).
In its European Business in China Position Paper 2023/2024 released in September, the European Union Chamber of Commerce in China (EU Chamber) notes the lack of a clear definition for important data, and “urges for the scope of important data to be clearly and narrowly defined, with regulators providing a sufficient grace period between any future releases of guidelines related to the definition of ‘important data’ and catalog, and their implementation”.
While the draft measures to ease CBDT requirements, if passed in their current form, will offer a stop-gap measure for companies, eventually a clear and workable definition will be required to ensure standardized implementation of the regulation.
However, the authorities have not indicated that such a definition will be formulated in 2024, as companies have been calling for more clarity on these definitions since at least 2021.
Implementation of trials for “green channels” and “general data” lists for free CBDT
The opinions on measures to attract foreign investment released in August propose the establishment of so-called “green channels” for qualified foreign-invested enterprises (FIEs), to facilitate CBDT procedures. They also propose to run a pilot program with looser data export restrictions and identify a list of “general data” that can be freely transferred in specific regions, such as Beijing, Tianjin, Shanghai, and the Guangdong-Hong Kong-Macao Greater Bay Area (GBA).
This idea was not included in the draft regulations released in September. This could mean that policymakers may still be formulating measures, and could look to implement trials in select areas in 2024.
Further adjustments to align with DEPA and CPTPP benchmarks
Another dimension to China’s developing cybersecurity and data protection regime is its application to join the Digital Economy Partnership Agreement (DEPA) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).
The CPTPP is a free trade agreement comprising seven countries in the Regional Comprehensive Economic Partnership (RCEP), along with Canada, Mexico, Chile, and Peru. China officially applied to join in October 2021.
The DEPA has been described as “the first trade agreement to target the digital economy”, and is currently made up of New Zealand, Singapore, and Chile. The trade agreement aims to facilitate digital trade, enable cross-border data flow, and create a system of trust in which data is shared equitably and personal and online consumer data is protected. China formally applied to join the DEPA in November 2021.
However, China’s accession to both of these agreements remains uncertain as it would require significant amendments to its current data protection regulations, in particular those related to local data storage and CBDT.
For instance, the CPTPP promotes free cross-border data flows among member states, while the DEPA requires that all parties to the agreement allow the cross-border transfer of information by electronic means, including PI, when this activity is for the conduct of the business of a covered person, and prohibits parties from requiring a covered person to use or locate computing facilities in that party’s territory as a condition for conducting business in that territory.
These requirements run directly counter to China’s current data regulations, which require companies to store data collected in China domestically and have limitations on the volume of data and PI that can be exported freely.
While little development was made on China’s accession to the CPTPP and DEPA in 2023, recent comments from the Chinese authorities suggest that the country is still pursuing these goals.
A brief statement from China’s Ministry of Commerce (MOFCOM) stated that China had held exchanges with the three DEPA member countries in August “on issues such as the treatment of digital products, data issues, the broader trust environment, business, and consumer trust, as well as the digitization of trade documents and other cooperation to be carried out under the DEPA framework”.
Meanwhile, an opinion piece by the Chinese Ambassador to New Zealand published in the New Zealand Herald in August outlines steps that China is taking to meet the CPTPP’s benchmarks for trade openness. These include launching trial measures in China’s pilot free trade zones (FTZs) and the Hainan Free Trade Port, which includes measures such as ensuring equal treatment for both domestic and foreign financial institutions, prohibiting the requirement of transferring or acquiring software source code as a condition for the importation and sale of mass-market software, and so on.
The Ambassador stated that the measures “will be rolled out in other areas nationwide in the future”.
This move is similar to the proposal to test the easing of CBDT requirements in select areas of China, namely FTZs, in the draft regulations released in September. While we do not expect China’s cybersecurity regulator to implement any drastic measures to ease requirements, it is likely we will see easing measures implemented on a trial basis in FTZs and other special economic areas in 2024, with the possibility that they will be rolled out nationwide at a later time.
About Us
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.