State Internet Information Office Order
No. 16
The “Regulations on Promoting and Standardizing Cross-Border Data Flows” have been reviewed and approved at the 26th office meeting of the State Internet Information Office on November 28, 2023. They are hereby announced and shall be implemented from the date of announcement.
Director of the State Internet Information Office
Zhuang Rongwen
March 22, 2024
Provisions on Promoting and Standardizing Cross-Border Data Flows
Article 1: In order to safeguard data security, protect the rights and interests of personal information, and promote the lawful and orderly free flow of data, these provisions are formulated in accordance with the laws and regulations of the People’s Republic of China, including the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, and the Personal Information Protection Law of the People’s Republic of China, concerning the implementation of the data export system, such as data export security assessments, standard contracts for the export of personal information, and personal information protection certification.
Article 2: Data processors shall identify and declare important data in accordance with relevant regulations. If data has not been identified or publicly announced as important data by relevant departments or regions, data processors are not required to undergo a data export security assessment for data that is not declared as important data.
Article 3: Data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, cross-border production and manufacturing, and marketing, provided to overseas without involving personal information or important data, shall be exempted from the requirement to undergo a data export security assessment, enter into standard contracts for the export of personal information, or obtain personal information protection certification.
Article 4: When personal information collected and generated by data processors overseas is transferred to China for processing and subsequently provided to overseas without introducing personal information or important data during the processing, they shall be exempted from the requirement to undergo a data export security assessment, enter into standard contracts for the export of personal information, or obtain personal information protection certification.
Article 5: Data processors providing personal information overseas shall be exempted from the requirement to undergo a data export security assessment, enter into standard contracts for the export of personal information, or obtain personal information protection certification if they meet one of the following conditions:
(1) It is necessary to provide personal information overseas for the conclusion or performance of contracts in which individuals are parties, such as cross-border shopping, cross-border mailing, cross-border remittance, cross-border payment, cross-border account opening, airline and hotel reservations, visa application, examination services, etc.;
(2) It is necessary to provide employee personal information overseas for the implementation of cross-border human resources management in accordance with legally formulated labor regulations and collective contracts signed in accordance with the law;
(3) It is necessary to provide personal information overseas to protect the life, health, and property safety of natural persons in emergency situations;
(4) Data processors other than operators of critical information infrastructure have provided less than 100,000 pieces of personal information (excluding sensitive personal information) overseas cumulatively since January 1 of the current year.
The personal information provided overseas as referred to in the preceding paragraph does not include important data.
Article 6: Free Trade Pilot Zones may independently formulate a negative list of data that needs to be included in the scope of data export security assessments, standard contracts for the export of personal information, and personal information protection certification management within the framework of the national data classification and grading protection system. After approval by the provincial-level cybersecurity and informatization committee, it shall be filed with the competent authority of the State Cyberspace Administration and the competent authority of the National Data Management Department.
Data processors providing data overseas within the Free Trade Pilot Zones that is not included in the negative list may be exempted from the requirement to undergo a data export security assessment, enter into standard contracts for the export of personal information, or obtain personal information protection certification.
Article 7: Data processors providing data overseas shall apply for a data export security assessment through the provincial-level cyberspace administration department to the competent authority of the State Cyberspace Administration if they meet one of the following conditions:
(1) Operators of critical information infrastructure provide personal information or important data overseas;
(2) Data processors other than operators of critical information infrastructure provide important data overseas or have provided personal information (excluding sensitive personal information) to overseas exceeding one million people, or sensitive personal information exceeding ten thousand people cumulatively since January 1 of the current year.
The provisions of Articles 3, 4, 5, and 6 of these regulations shall apply to the above situations.
Article 8: Data processors other than operators of critical information infrastructure that have provided personal information (excluding sensitive personal information) to overseas exceeding one hundred thousand people but less than one million people, or sensitive personal information to less than ten thousand people cumulatively since January 1 of the current year, shall conclude standard contracts for the export of personal information with the overseas recipient or obtain personal information protection certification in accordance with the law.
The provisions of Articles 3, 4, 5, and 6 of these regulations shall apply to the above situations.
Article 9: The validity period of the results of the data export security assessment shall be three years from the date of issuance of the assessment results. When the validity period expires and it is necessary to continue data export activities without the occurrence of circumstances requiring a reapplication for a data export security assessment, data processors may apply to extend the validity period of the assessment results to the competent authority of the State Cyberspace Administration through the provincial-level cyberspace administration department 60 working days before the expiration of the validity period. With the approval of the competent authority of the State Cyberspace Administration, the validity period of the assessment results may be extended for three years.
Article 10: Data processors providing personal information overseas shall fulfill obligations such as notification, obtaining individual consent, and conducting personal information protection impact assessments in accordance with laws and regulations.
Article 11: Data processors providing data overseas shall comply with laws and regulations, fulfill obligations of data security protection, adopt technical measures and other necessary measures to ensure data export security. In the event of or potential for a data security incident, remedial measures shall be taken, and timely reports shall be made to the provincial-level and above cyberspace administration departments and other relevant competent authorities.
Article 12: Local cyberspace administration departments shall strengthen guidance and supervision over data processors’ data export activities, improve the data export security assessment system, and optimize the assessment process. They shall strengthen end-to-end and all-domain supervision before, during, and after data export activities. In case of significant risks in data export activities or occurrence of data security incidents, data processors shall be required to rectify and eliminate hidden dangers. Those who refuse to correct or cause serious consequences shall be held accountable according to law.
Article 13: If there is any inconsistency between these regulations and the “Measures for the Security Assessment of Data Export” (Order No. 11 of the State Cyberspace Administration, announced on July 7, 2022), and the “Methods for Standard Contracts for the Export of Personal Information” (Order No. 13 of the State Cyberspace Administration, announced on February 22, 2023), and other relevant regulations promulgated on July 7, 2022, and February 22, 2023, these regulations shall prevail.
Article 14: These regulations shall come into force on the date of promulgation.