Date: 2024-04-14



In part one of our alert on China's new Safe Harbor rules, we discussed the key developments between the draft provisions on regulating and facilitating cross-border data flows (Chinese version only) and the final Provisions to Facilitate and Regulate Cross-Border Data Flows (the Provisions, Chinese version only). In this alert, we compare the arrangements under the Provisions with the three existing routes for cross-border data transfer in China. The main existing regulations are the measures for assessing the security of outbound data transfers (the CAC Assessment Rules), the specifications for security certification of cross-border personal information processing activities (the Licensed Certification Guide), and the measures on the standard contract for the outbound transfer of personal information (the China SCC Measures). Before the Provisions were published, multinational corporations (MNCs) needing to transfer data, particularly personal data, out of China had to use one of three data export mechanisms: (i) a security assessment conducted by the CAC (the CAC Assessment) (see our full series on the CAC Assessment: Part 1, Part 2 and Part 3); (ii) protection certification by an approved body (Licensed Certification) (see our client alert on Licensed Certification);[1] and (iii) the Chinese standard contract (the China SCC) (see our client alert on the China SCC) (collectively, the Three Mechanisms). The Provisions (the Safe Harbor Rules) provide exemptions from the burdensome Three Mechanisms and clarify the relationship between the Safe Harbor Rules and the existing regulations governing the Three Mechanisms. The Provisions make clear that, where the Safe Harbor Rules conflict with regulations of the Three Mechanisms promulgated before them, the Safe Harbor Rules prevail.
The regulations underlying the Three Mechanisms do not contain the concept of the three types of necessary data export activities that the Provisions exempt from the Three Mechanisms. Under those regulations, when the data exporter is not a critical information infrastructure operator (CIIO)[2] and the data to be exported does not include significant data, which of the Three Mechanisms a data exporter must use depends solely on the volume of personal data involved in the intended transfer. The table below shows the main changes to the volume thresholds of the Three Mechanisms for personal data exporters that are not CIIOs, comparing the main existing regulations with the Provisions.

Table: Volume thresholds of the Three Mechanisms for personal data exporters that are not CIIOs

Mechanism: China SCC or Licensed Certification
- Main existing regulations: exports of (a) the general personal data of fewer than 100,000 individuals, OR (b) the sensitive personal data of fewer than 10,000 individuals, in each case counted over the two years from 1 January of the preceding year, by personal data controllers who process the personal data of fewer than 1 million individuals in China (Article 4 of the China SCC Measures).
- Provisions (Safe Harbor Rules): exports of (a) the personal data (excluding sensitive personal data) of 100,000 to 1 million individuals, OR (b) the sensitive personal data of fewer than 10,000 individuals, in each case counted cumulatively over one year from 1 January of the same year, by personal data controllers that are not CIIOs (Article 8).

Mechanism: CAC Assessment
- Main existing regulations: exports of (a) the general personal data of more than 100,000 individuals, OR (b) the sensitive personal data of more than 10,000 individuals, in each case counted over the two years from 1 January of the preceding year, by personal data controllers who process the personal data of fewer than 1 million individuals in China (Article 4-3 of the CAC Assessment Rules); and exports of any personal data by personal data controllers who process the personal data of more than 1 million individuals in China (Article 4-2 of the CAC Assessment Rules).
- Provisions (Safe Harbor Rules): exports of (a) the personal data (excluding sensitive personal data) of more than 1 million individuals, OR (b) the sensitive personal data of more than 10,000 individuals, in each case counted cumulatively over one year from 1 January of the same year, by personal data controllers that are not CIIOs (Article 7-2).

After the introduction of the Provisions, the criteria that make the China SCC, Licensed Certification or the CAC Assessment compulsory have been significantly narrowed, in the following respects:

- Some of the volume thresholds that trigger the Three Mechanisms have been raised. In other words, under the Provisions, more scenarios that do not fall within the three types of necessary data export activities are no longer subject to the CAC Assessment;

- The period over which the volume of personal data exports is calculated has been shortened from two years to one year, which in practice raises the threshold a data exporter must reach before the Three Mechanisms are triggered; and

- The Provisions also remove the requirement for data controllers processing the personal data of more than 1 million individuals in China (mass data controllers) to undergo a CAC Assessment if they export the personal data of only a small number of individuals, for example one person. Previously, mass data controllers had to undergo a CAC Assessment even when exporting a single individual's personal data.

Our observations

The Provisions have significantly reduced the compliance burden for most multinationals exporting data from China, especially in cross-border human resource management and in business-to-business relationships where only a limited amount of personal data (of employees or non-employees) is exported from China, generally for commercial purposes. Multinationals must have an appropriate privacy notice for Chinese employees that complies with both data privacy laws and applicable labor laws. Although the Provisions state that multinationals are exempted from the Three Mechanisms where the requirements are met, multinationals must still meet their internal compliance obligations regarding data export and data processing generally under the Personal Information Protection Law. These include in particular:

- giving appropriate notice to data subjects;

- obtaining individual consent (where required);

- carrying out the required personal data protection impact assessments in any of the seven scenarios;

- fulfilling data security obligations;

- implementing the necessary technical and other protective measures;

- managing security incidents; and

- implementing data security and personal data protection systems.

Our global data protection, privacy and security team remains available to help ensure that your cross-border data transfer to China is compliant.

