China’s cybersecurity regulator Friday issued a set of rules governing cross-border data transfer, easing some requirements to address a key concern of foreign businesses.
The rules relaxed curbs on outbound data flow and narrowed the scope of information that requires security review. They also clarified how security evaluation and filing for data export will be implemented, according to the Cyberspace Administration of China (CAC).
Cross-border data flows have become fundamental to the global exchange and sharing of resources such as capital, information, technology, talent, and goods. A CAC spokesperson also highlighted the regulations' intent to promote lawful, orderly, and free data movement.
The new rules are aimed at unlocking the value of data as a factor of production and expanding the level of high-quality openness. The regulations optimize existing systems for cross-border data transfer, including safety assessments, standards for personal information transfer contracts, and certification for personal information protection.
The new regulations have clarified the criteria for cross-border data activities that are exempt from declaration, which includes data collected or generated during international trade, cross-border transport, academic cooperation, transnational production, and marketing activities that do not involve personal information or critical data.
Personal information collected and provided overseas and processed in China that does not involve domestic personal or critical data is also exempted from declaration. Additionally, some situations involving contracts, labor regulations, emergency situations, and operators of non-critical information infrastructure who provide no more than 100,000 non-sensitive personal information records abroad within a year are free from declaration.
