On March 22, 2024, the Cyberspace Administration of China (the “CAC”) released the highly anticipated Provisions on Facilitating and Regulating Cross-Border Data Flow (《促进和规范数据跨境流动规定》) (the “Data Flow Regulation”), effective immediately. The Data Flow Regulation eliminates obstacles to cross-border personal information (the “PI”) transfers in various routine international business dealings and facilitates global unified HR management for multinational companies (the “MNCs”). Specifically, it offers certain exemptions from compliance with required transfer mechanisms under the PIPL (defined below) and raised the various thresholds that would trigger CAC security assessment.
Below we will provide an overview of China’s data export compliance mechanism and discuss key highlights as introduced by the newly-released Data Flow Regulation in detail.
1. PI Export Compliance Mechanisms
China established the compliance framework for cross-border data transfer when China’s Personal Information Protection Law (《中华人民共和国个人信息保护法》) (the “PIPL”) came into effect on Nov. 1, 2021. Based on the sensitivity, importance and volume of personal information (“PI”) they process, businesses are expected to conduct at least one of the following before they can lawfully transfer PI out of mainland China: (i) obtain security assessment approval for exporting the PI; (ii) conduct and obtain PI protection certification; or (iii) enter into a standard contract for cross-border transfer of PI (the “SCC”) with the overseas recipient (collectively, the “PI Export Compliance Mechanisms”).
