Question raising

On March 22, 2024, the State Internet Information Office announced the Provisions on Promoting and Regulating the Cross border Flow of Data (hereinafter referred to as the "Provisions"), which came into effect on the same day. This article provides a brief analysis of the triggering thresholds and exemption situations for the three compliance paths of data export under the Regulations.

Lawyer Interpretation

According to relevant laws and regulations, the three compliance paths for data export currently include: applying for data export security assessment, signing a personal information export standard contract, and passing personal information protection certification. The Regulations have elaborated on the triggering thresholds and exemption situations for the three compliance paths (i.e. exemption from applying for data export security assessment, signing personal information export standard contracts, and passing personal information protection certification), which not only reduces the burden on enterprises but also regulates and promotes the orderly and free flow of data in accordance with the law. Specifically, as follows:

1、 The triggering threshold for applying for data export security assessment.

Article 7 of the Regulations specifies different triggering thresholds for data processors to apply for data export security assessments: (1) For key information infrastructure operators who provide personal information or important data overseas, they should apply for data export security assessments; (2) For data processors other than key information infrastructure operators, they should apply for data export security assessment in the following three situations: ① providing important data overseas; ② Starting from January 1st of that year, providing non sensitive personal information to more than 1 million people overseas; ③ Starting from January 1st of that year, sensitive personal information of more than 10000 people has been provided overseas. It can be seen that strict regulations still exist for the supervision of the export of important data.

2、 The threshold for entering into a personal information export standard contract or passing personal information protection certification.

Article 8 of the Regulations specifies that data processors other than operators of critical information infrastructure shall, in accordance with the law, enter into personal information export standard contracts with overseas recipients or obtain personal information protection certification if they fall under any of the following circumstances: ① provide non sensitive personal information of more than 100000 people but less than 1 million people to overseas cumulatively from January 1 of that year; ② Starting from January 1st of that year, providing sensitive personal information to less than 10000 people overseas. This regulation adjusts the data statistics time from "January 1st of the previous year" to "January 1st of the current year", and raises the threshold for providing non sensitive personal information overseas to "more than 100000 people". However, the supervision of the export of sensitive personal information is still relatively strict.

3、 Exit exemption situation.

Although the Regulations specify the triggering thresholds for the three compliance paths for data export, Articles 3 to 6 also specify the circumstances for export exemptions:

1. Exemption for exit under specific scenarios: data collected and generated from activities such as international trade, cross-border transportation, academic cooperation, cross-border production and manufacturing, and marketing that do not include personal information or important data shall be exported.

2. Exit exemption for transit data: Personal information collected and generated by the data processor outside the country, transmitted to the country for processing and provided to the outside world, which meets the requirements that no personal information or important data within the country was introduced during the processing.

3. Export exemption for certain personal information (excluding important data): ① It is necessary to provide personal information overseas for the purpose of entering into or performing contracts to which an individual is a party; ② To implement cross-border human resource management in accordance with legally formulated labor regulations and collective contracts, it is necessary to provide personal information of employees overseas; ③ In emergency situations, it is necessary to provide personal information overseas to protect the life, health, and property safety of natural persons; ④ Data processors other than operators of critical information infrastructure have provided less than 100000 non sensitive personal information (excluding sensitive personal information) to overseas individuals since January 1st of that year.

4. Special legislative power and negative list system for free trade zones. The Regulations state that free trade pilot zones can independently develop negative lists within the framework of the national data classification and classification protection system. Data processors within the free trade zone are exempt from leaving the country if they provide data outside the negative list. At present, relevant regulations have been introduced in the Shanghai and Tianjin Free Trade Zones.