Promote and standardize the regulations on cross-border data flow

Release time: 09:44, March 25, 2024

The Provisions on Promoting and Regulating the Cross-border Flow of Data, deliberated and adopted at the 26th office meeting of the State Internet Information Office in 2023 on November 28, 2023, are hereby promulgated and shall come into force as of the date of promulgation.

Zhuang Rongwen, Director of the State Internet Information Office

March 22, 2024

Promote and standardize the regulations on cross-border data flow

Article 1 In order to ensure data security, protect the rights and interests of personal information, and promote the orderly and free flow of data according to law, these Provisions are formulated in accordance with the Cyber Security Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations, for the implementation of data exit systems such as personal information protection certification.

Article 2 Data processors shall identify and declare important data in accordance with relevant regulations. If the data has not been notified by relevant departments or regions as important data, or publicly released as such, the data processor does not need to declare a data exit security assessment for it as important data.

Article 3 If the data collected and generated in international trade, cross-border transportation, academic cooperation, transnational production and manufacturing, marketing and other activities are provided overseas and do not contain personal information or important data, it is exempted from declaring data exit security assessment, concluding personal information exit standard contracts, and passing personal information protection certification.

Article 4 The personal information collected and generated by the data processor abroad is transmitted to China for processing and then provided overseas. If no domestic personal information or important data is introduced during the processing, the data processor is exempted from declaring data exit security assessment, concluding personal information exit standard contracts, and passing personal information protection certification.

Article 5 If the data processor provides personal information overseas and meets one of the following conditions, it is exempted from declaring data exit security assessment, concluding personal information exit standard contract, and passing personal information protection certification:

(1) It is really necessary to provide personal information overseas in order to conclude and perform contracts to which an individual is a party, such as cross-border shopping, cross-border mail and delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa processing, examination services, etc.;

(2) Implement cross-border human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law, and it is really necessary to provide personal information of employees overseas;

(3) In case of emergency, it is really necessary to provide personal information abroad to protect the life, health and property safety of natural persons;

(4) Data processors other than key information infrastructure operators have provided personal information (excluding sensitive personal information) of less than 100000 people overseas since January 1 of the current year.

The personal information provided to overseas referred to in the preceding paragraph does not include important data.

Article 6 Under the framework of the national data classification and grading protection system, a pilot free trade zone may independently formulate a list of data (hereinafter referred to as the negative list) that needs to be included in the management scope of data exit security assessment, personal information exit standard contracts and personal information protection certification in the zone and, after approval by the provincial network security and informatization committee, submit it to the national network information department and the national data management department for filing.

The data processors in the pilot free trade zone who provide data outside the negative list to overseas countries can be exempted from declaring data exit security assessment, concluding personal information exit standard contracts, and passing personal information protection certification.

Article 7 Data processors who provide data abroad and meet one of the following conditions shall declare the data exit security assessment to the national network information department through the provincial network information department where they are located:

(1) The operator of key information infrastructure provides personal information or important data overseas;

(2) Data processors other than key information infrastructure operators provide important data overseas, or have provided overseas, since January 1 of the current year, personal information of more than 1 million people (excluding sensitive personal information) or sensitive personal information of more than 10000 people.

If the circumstances specified in Articles 3, 4, 5 and 6 of these Provisions are met, the provisions of those Articles shall prevail.

Article 8 If data processors other than key information infrastructure operators have provided overseas, since January 1 of the current year, personal information (excluding sensitive personal information) of more than 100000 people but less than 1 million people, or sensitive personal information of less than 10000 people, they shall conclude personal information exit standard contracts with overseas recipients or pass personal information protection certification according to law.

If the circumstances specified in Articles 3, 4, 5 and 6 of these Provisions are met, the provisions of those Articles shall prevail.

Article 9 The validity period of the exit security assessment results is 3 years, calculated from the date of issuance of the assessment results. When the validity period expires, if it is necessary to continue data exit activities and there is no need to re-declare the data exit security assessment, the data processor may, within 60 working days before the expiration of the validity period, apply to the national network information department through the local provincial network information department to extend the validity period of the assessment results. The validity period of the assessment results can be extended for 3 years upon the approval of the national network information department.

Article 10 Where a data processor provides personal information abroad, it shall perform the obligations of informing, obtaining individual consent, and evaluating the impact of personal information protection in accordance with laws and administrative regulations.

Article 11 Data processors who provide data abroad shall comply with the provisions of laws and regulations, fulfill the obligations of data security protection, and take technical and other necessary measures to ensure the safety of data leaving the country. If a data security incident occurs or is likely to occur, remedial measures shall be taken and the incident shall be reported to the network information department at or above the provincial level and other competent departments in a timely manner.

Article 12 Local network information departments should strengthen the guidance and supervision of data processors' data exit activities, improve the security assessment system for data exit, and optimize the assessment process; strengthen the supervision of the whole chain and all fields before, during and after the event, and require the data processor to rectify and eliminate hidden dangers in case of major risks or data security incidents in data exit activities; those who refuse to correct or cause serious consequences shall be investigated for legal responsibility according to law.

Article 13 In case of any inconsistency between the Measures for Data Exit Security Assessment (Order No. 11 of the State Internet Information Office) published on July 7, 2022, the Measures for Personal Information Exit Standard Contract (Order No. 13 of the State Internet Information Office) published on February 22, 2023 and these Provisions, these Provisions shall apply.

Article 14 These Provisions shall come into force as of the date of promulgation.

(Source: "Nettrust China")

(Link: https://mp.weixin.qq.com/s/I8bGNv59pXP7KZHf_SuYag)