In the era of digital economy, the orderly flow and utilization efficiency of data are crucial to the optimization of data element allocation. Especially in cross-border digital trade activities, an efficient and secure cross-border data transmission system has become the basis for promoting the new order of digital trade. From a worldwide perspective, the United States, the European Union, ASEAN and others are promoting the construction of their own cross-border data transmission systems at the domestic law level, with the intention of seizing the right to formulate and voice the global cross-border data transmission rules. In order to fully grasp the economic context of the digital era and participate in the competition and cooperation of the new order of the digital economy pattern, China has successively formulated such high-quality cross-border data transmission rules as the Measures for Data Exit Security Assessment and the Measures for Personal Information Exit Standard Contracts, which have produced good results.
On the basis of the above rules and around the emerging new problems and new demands in the digital trade practice, China adheres to the overall planning of high-quality development and high-level security, and based on the needs of industrial practice, the National Cyberspace Office has formulated the Regulations on Promoting and Regulating the Cross border Flow of Data (hereinafter referred to as the Regulations). Within the current legislative framework of cross-border data transmission in China, the Regulations further refined the business compliance standards and operational specifications for enterprise data outbound, fully reflecting China's innovative ideas in the field of cross-border data transmission supervision, that is, to achieve the stability of digital trade activities by ensuring the security of cross-border data transmission, It is also necessary to create a new pattern of cross-border digital trade by unblocking the channels of cross-border data transmission systems. The promulgation of the Regulations has further optimized China's system of cross-border data flow, provided diversified and flexible institutional tools for enterprise data outbound, and also effectively responded to the groundless accusations of the United States and other western countries against China's "data localization" and impeding global digital trade activities.
The role of the Regulations in promoting the high-quality development of cross-border digital trade is mainly reflected in the following four aspects.
First, based on the practical characteristics of digital trade, refine the application scope of cross-border data transmission system. In the regulatory practice, some enterprises have not accurately understood the legal nature of their cross-border data transmission business, and it is difficult to accurately determine which cross-border data transmission flow mechanism should be applied. In order to solve the problem of ambiguous applicable standards of the cross-border data flow mechanism at the level of legal implementation, the Regulations enumerate the situations where it is not necessary to apply data exit security assessment, personal information exit standard contracts, and personal information protection authentication. For example, "concluding and performing contracts to which an individual is a party" mainly involves cross-border shopping, cross-border mail and delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa processing, examination services and other activities. The commonality of these activities is that individual cross-border activities require high-frequency and barrier free cross-border transmission of personal information. For another example, the criteria for judging the necessity of "implementing cross-border human resources management" are labor rules and regulations formulated in accordance with the law and collective agreements signed in accordance with the law. Such terms express that on the basis of ensuring the normal entry and exit of employees' personal information necessary for cross-border enterprises or cross-border businesses, they effectively prevent some enterprises from improperly expanding the necessary practical scope of cross-border human resources management, Cause unnecessary personal information to leave the country in an unsafe way. For example, "emergency" refers to the urgency of data exit for the purpose of protecting the life, health and property safety of natural persons.
Second, clarify the demand for business activity scenarios and promote the orderly implementation of the cross-border data transmission system. After China has established a cross-border data transmission system centered on data exit security assessment, personal information exit standard contract and personal information protection certification, regulators are also continuing to promote the specific implementation of these systems. For example, the first data compliance outbound case in China, the cooperative research project between Beijing Friendship Hospital affiliated to Capital Medical University and the Medical Center of the University of Amsterdam in the Netherlands has provided practical guidance for the outbound safety management of medical and health data and international medical research cooperation. For another example, the first data exit safety assessment case in China's automotive field that has been approved through full system inventory, full business declaration and full scenario, the data exit safety assessment project of Beijing Hyundai Motor Co., Ltd. has demonstrated standardized business compliance methods for data exit activities in the automotive field. Under this scenario oriented governance concept of cross-border data transmission, the Regulations also focus on the business needs of specific scenarios. On the premise of not including personal information or important data, data outbound activities generated in international trade, cross-border transportation, academic cooperation, transnational production and manufacturing, and marketing activities are not applicable to data outbound security assessment Personal information standard contract and personal information protection authentication mechanism. This exemption undoubtedly provides great convenience for Chinese enterprises to carry out cross-border business overseas, because under the development trend of economic globalization, customer service, logistics, cloud storage, data analysis and other common cross-border trade activities will frequently generate and transmit relevant business data. The exit of these business data will not directly lead to national security and other issues. The Regulations exempt them, effectively eliminating the regulatory uncertainties behind such issues.
Third, we should reserve space for regulatory system interpretation and promote the diversified innovation of cross-border data transmission system. The cross-border data transmission system is an important support and security guarantee for the exploration of new cross-border digital trade activities in China's various free trade ports, free trade zones and the Guangdong Hong Kong Macao Greater Bay Area and other economic reform areas. The Special Plan for the International Data Industry in the New Portside Area of the China (Shanghai) Pilot Free Trade Zone (2023-2025) clearly proposes several specific measures to optimize the operational rules for cross-border data flow, promote the security assessment of cross-border data flow, and improve the functions of the public service management platform for cross-border data flow. In order to fully guarantee the implementation of the "first try first" governance model, the Regulations specifically add "flexible space" for the cross-border data flow system in the Free Trade Zone, that is, "fine tune" the existing cross-border data transmission mechanism in the form of a data list. The data list mechanism can be understood as the organic integration of three governance elements: "full authorization", "legal procedures" and "convenient flow". "Full authorization" means that the FTZ is authorized by the Regulations to develop a data exit supervision mechanism suitable for economic and trade activities in the region; "Legal procedure" means that the Regulations clearly define the approval and filing process from the local to the central government, truly realizing "full innovation within the legal scope"; "Convenient flow" means that other cross-border data transmission activities beyond the data list allowed by the Regulations do not need to continue to apply specific systems such as data exit security assessment, personal information exit standard contract, personal information protection certification, etc., but directly complete with cross-border digital trade activities in a way consistent with commercial efficiency. The FTZ belongs to the "domestic and foreign customs area", and there are preferential policies in industrial and commercial registration, foreign investment, talent introduction and other fields. The data list set by the Regulations enables the FTZ to focus more on exploring cross-border data flow systems and mechanisms with the economic characteristics of the FTZ on the basis of giving consideration to security management.
Fourth, we should respond to the concerns about the outbound compliance of enterprise data and reduce the compliance difficulty of the cross-border data transmission system. One of the highlights of the Regulations is that it has improved the operability of the current cross-border data transmission system and reduced the difficulty of business compliance for SMEs in data outbound. The Regulation does not set the regulatory threshold for the total amount of data held by data processors, but focuses more on the assessment of the risk level of the data environment. Therefore, the Regulations adjust the focus of risk attention to the scale and type of data outbound. For example, in the outbound activity of providing non sensitive personal information to overseas, "providing personal information of less than 100000 people accumulatively to overseas since January 1 of the current year", "providing personal information of more than 100000 people accumulatively to overseas since January 1 of the current year" and "providing personal information of more than 1 million people accumulatively to overseas since January 1 of the current year" are set The three types of data exit quantity thresholds correspond to the three types of business compliance requirements of "complete exemption", "exemption of applicable data exit security assessment" and "mandatory declaration data exit security assessment" respectively. For data outbound activities that clearly do not have the right to endanger national security and personal information, for example, the amount of cross-border transmission data is scarce, there is no need to declare special supervision processes such as data outbound security assessment.
It is reasonable to believe that the promulgation and implementation of the Regulations will play an important role in further promoting safe, orderly and efficient data cross-border, in further promoting cross-border digital trade activities, and in enhancing China's ability to compete and cooperate in the new pattern of international digital governance.
(Source: "Nettrust China")
(Link: https://mp.weixin.qq.com/s/hnlvLmoCMBSWZmD0EblLJA )