China: Adopted CAC Regulations on Promoting and Regulating Cross-Border Data Flows

On 22 March 2024, the Cyberspace Administration of China (CAC) adopted Regulations on Promoting and Regulating Cross-Border Data Flows, outlining the mechanisms that have to be used for the transfer of data to other jurisdictions. Under the adopted regulations, the entities are required to disclose if they store imported data. The regulations specify that entities don't have to apply data export security assessments to transfer data if relevant departments have not notified them, the important data was made public, the data was collected through activities such as international trade, cross-border transportation, and do not contain personal information or important data, or if the data is transferred to China only for processing purposes. Furthermore, entities are transferring data for the purposes of performing a contract, human resources management, or emergencies or are sending personal information of less than 100'000 individuals and do not include important data or sensitive personal information are exempted from applying for a data export security assessment, entering into a standard contract for the export of personal information, and passing personal information protection certification. The entities transferring important data overseas or providing personal information of more than 1 million people will have to apply for data export security assessment and obtain approval. Finally, the entities will be able to enter into a standard contract or pass certification for personal information transfer abroad if they are transferring data to more than 100’000 people but less than 1 million people, excluding sensitive personal information, since 1 January of that year. The regulations entered into force on the day of adoption.