Safe Harbors Part II – China's Safe Harbor Rules Lower the Barrier for Cross-Border Data Transfer

In Part I of our alert on China's new safe harbor rules, we discussed the key developments between the Draft Provisions on Regulation and Facilitation of Cross-Border Data Flow (Chinese version only) and the Provisions on Facilitation and Regulation of Cross-Border Data Flow (the Provisions, Chinese version only). In this alert, we compare the Provisions with the three existing routes for a cross-border data transfer from China.

The key existing regulations are the Measures for the Assessment of the Security of Outgoing Data Transfer (the CAC Assessment Rules), the Specifications on Security Certification for Cross-Border Personal Information Processing Activities (the Licensed Certification Guide), and the Measures for the Standard Contract for the Outbound Transfer of Personal Information (the China SCC Measures).

Prior to the publication of the Provisions, multinational corporations (MNCs) that needed to transfer data, especially personal data, out of China were required to go through one of three data export mechanisms: (i) a security assessment conducted by the CAC (the CAC Assessment) (see our complete CAC Assessment series: Part 1, Part 2 and Part 3 for details); (ii) a protection certification issued by an authorized organization (the Authorized Certification) (detailed in our client alert on authorized certification);¹ and (iii) the China Standard Contract (the China SCC) (see our client alert on the China SCC) (collectively, the Three Mechanisms).

The introduction of the Provisions (the Safe Harbor Rules) offers exemptions from the cumbersome Three Mechanisms and clarifies the relationship between the Safe Harbor Rules and the existing regulations governing the Three Mechanisms.

The Provisions make clear that in the event of a conflict between the Safe Harbor Rules and existing regulations of the Three Mechanisms that were promulgated before the Safe Harbor Rules, the Safe Harbor Rules will prevail.

The regulations establishing the Three Mechanisms do not contain the concept of the three types of data export activities that the Provisions use to decide whether an exemption from the Three Mechanisms applies. Under those regulations, when the data exporter is not a critical information infrastructure operator (CIIO)² and the data to be exported does not include important data, the mechanism a data exporter must use among the Three Mechanisms depends exclusively on the volume of personal data involved in the contemplated transfer.

The table below sets out the main changes to the volume thresholds that trigger the Three Mechanisms for non-CIIO personal data exporters, comparing the existing key regulations with the Provisions.

Route: China SCC or Licensed Certification

  Three Mechanisms (existing rules): exports of

  • less than 100,000 individuals' general personal data, OR
  • less than 10,000 individuals' sensitive personal data,

  in each case within two years counted from January 1 of the previous year, by personal data controllers processing the personal data of less than 1 million individuals in China (Article 4 of the China SCC Measures).

  Safe Harbors (the Provisions): exports of

  • 100,000 to 1 million individuals' personal data (excluding sensitive personal data), OR
  • less than 10,000 natural persons' sensitive personal data,

  in each case within one year, accumulated from January 1 of that year, by personal data controllers other than CIIOs (Article 8).

Route: CAC Assessment

  Three Mechanisms (existing rules): exports of

  • more than 100,000 individuals' general personal data, OR
  • more than 10,000 individuals' sensitive personal data,

  in each case within two years counted from January 1 of the previous year, by personal data controllers processing the personal data of less than 1 million individuals in China (Article 4-3 of the CAC Assessment Rules); OR

  • any personal data exported by personal data controllers processing the personal data of more than 1 million individuals in China (Article 4-2 of the CAC Assessment Rules).

  Safe Harbors (the Provisions): exports of

  • more than 1 million individuals' personal data (excluding sensitive personal data), OR
  • more than 10,000 natural persons' sensitive personal data,

  in each case within one year, accumulated from January 1 of that year, by personal data controllers other than CIIOs (Article 7-2).

After the introduction of the Provisions, the criteria that make the China SCC, Licensed Certification or CAC Assessment mandatory have been substantially narrowed in three respects:

  • Certain volume thresholds that trigger the Three Mechanisms have been raised. In other words, under the Provisions more scenarios that fall outside the three types of data export activities requiring a mechanism are no longer subject to CAC Assessment;
  • The period over which the volume of exported personal data is calculated has been shortened from two years to one year, which in practice raises the threshold at which a data exporter triggers the Three Mechanisms; and
  • The Provisions also remove the obligation for data controllers that process the personal data of more than 1 million people in China (the Big Data Controllers) to undergo a CAC Assessment where they only export the personal data of a small number of people, such as a single individual. Previously, Big Data Controllers were required to undergo a CAC Assessment even if they exported only one individual's personal data.

Our observations

  1. The Provisions have substantially reduced the compliance burden for most multinationals exporting data from China, especially for cross-border human resources management and for business-to-business relationships where only a limited amount of personal data (of employees or non-employees) is exported from China, generally for commercial purposes.
  2. Multinational companies must have an appropriate China employee privacy notice that complies with both data privacy protection laws and applicable labor laws.
  3. Notwithstanding that the Provisions exempt multinationals from the Three Mechanisms when the relevant requirements are met, multinationals must still comply with their internal compliance obligations for data export and general data processing under the Personal Information Protection Law. These include, in particular:

  • Adequate notification of individual data subjects;
  • Obtaining individual consent (where necessary);
  • Carrying out the personal data protection impact assessments required in any of the seven specified scenarios;
  • Complying with data security obligations;
  • Implementing technical and other necessary safeguards;
  • Managing security incidents; and
  • Establishing data security and personal data protection systems.

Our global data protection, privacy and security team remains available to help you achieve compliance for your cross-border data transfers involving China.
