China presented a gift to foreign executives by loosening data export rules on the eve of the 2024 China Development Forum
On 22 March, China's CAC released the final rules on outbound data transfer. The new rules optimize China's existing outbound data transfer regime, the three-pillar framework:
Security Assessments: This process involves a self-assessment by data processors, focusing on the legality, necessity, and risks associated with data processing. The CAC then conducts a formal security assessment before approving outbound data transfer.
Standard Contracts: Data processors in China must sign contracts with overseas recipients when transferring personal information (PI) out of China. These contracts include detailed information on purpose, scope, responsibilities, and measures to prevent breaches.
Personal Information Certification: Data processors may need certification from the Cyberspace Administration of China (CAC) for certain types of data transfers.
Criticism of China's management system for outbound data transfer has been incessant, especially as many foreign companies complain that the rules are too strict and vague, hindering the data transfers required for their business operations and R&D activities. The industry as a whole also seems to believe that China's measures to enhance data security over the years have, to some extent, hindered development and may even carry a policy intention that is somewhat hostile to private and foreign-funded enterprises.
I've always thought this perception may not be objective. The issue is mainly technical rather than based on some unspeakable policy intention. Due to the high specialization of data security, and the field's high level of attention and rapid development, some research on security and governance has not kept up with the pace of development, leading to some security management requirements possibly being vague, extensive, and lacking in detail. In recent years, many non-professional opinions have also frequently been involved in discussions on the formulation of related laws, regulations, and policies, causing professional discussions in this field to be somewhat chaotic.
But perhaps it's undeniable that complaints from foreign companies and China's private enterprises, along with the current challenging economic situation, have prompted efforts towards more scientific and meticulous management of outbound data transfer. Introducing the new rules is, to some extent, a response to criticism and suggestions from various quarters. This can even be inferred from the change in the title of the rules, which places "promoting" before "regulating," indicating a priority focus on "promoting cross-border data flow". The new rules were unveiled on the eve of the 2024 China Development Forum (中国发展高层论坛), with senior Chinese officials such as Shanghai Party Secretary Chen Jining and Minister of Commerce Wang Wentao meeting intensively with foreign CEOs attending the forum in Beijing. An easily overlooked detail is that the new rules were passed on November 28, 2023, but were not released until the eve of the CDF, perhaps serving as a welcome gesture to the foreign executives gathering in Beijing.
The new rules constitute the fourth important pillar of China's outbound data transfer regime. On the one hand, they clarify some of the ambiguities or misunderstandings identified while enforcing the first three pillars. On the other hand, they make further adjustments and optimizations on that basis.
I. Compared to the draft for comment, the new rules further relax control over the outbound transfer of personal information:
(A) If a company is not an operator of critical information infrastructure (CIIO) and has provided personal information to overseas entities involving fewer than 100,000 individuals since January 1 of the current year, it can freely transfer such personal information from China overseas. An important premise here is that this personal information cannot include "sensitive personal information." Article 28 of the Personal Information Protection Law defines "sensitive personal information" as information that, once leaked or illegally used, is likely to harm the dignity of natural persons or endanger personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts, and the personal information of minors under the age of fourteen.
(B) Compared to the draft for comment, the condition for freely transferring personal information across borders has been further relaxed, from "expecting to provide personal information to less than 10,000 individuals overseas within a year" to "having provided personal information to less than 100,000 individuals overseas since January 1 of the current year." Regarding how to count, the CAC's official Q&A highlights two points: first, individuals are deduplicated; second, personal information transferred under an exemption does not count toward the above threshold. This change in the scale of personal information that triggers the regulatory mechanisms undoubtedly has positive significance for many small and medium-sized enterprises in China.
(C) The new rules maintain the provision in the draft for comment that data generated from international trade, academic cooperation, transnational production and manufacturing, and marketing activities can be freely transferred outside China, and further add the "cross-border transportation" scenario. Obviously, Chinese tourists taking planes or international trains abroad, or goods being transported from China to foreign countries by plane or ship, will also involve some data transfer, and it is unnecessary to restrict them. The formal significance of this provision is greater than its practical significance, as China's data management system has always governed only personal information and important data. There are no regulatory restrictions on the outbound transfer of general data that is neither important data nor personal information, such as institutional customer transaction flows, product sales data, etc. In practice, however, many misunderstandings have arisen, with companies believing that the outbound transfer of such data was also controlled. The official Q&A by the CAC also emphasizes that data transfer security management does not apply to all data; it is limited to important data and personal information. Of course, the outbound transfer of such data still needs to comply with China's specific laws in the fields of anti-unfair competition, export control, and state secret management, as well as confidentiality obligations in related contracts and agreements.
(D) The new rules further clarify that data collected outside of China can be freely transferred back overseas if it is only subjected to activities such as data cleaning and labelling within the country. This is beneficial for the data cleaning and labelling industries in some regions of China, especially as the development of AI presents these industries with significant business opportunities. An important precondition, however, is that these data processing activities do not introduce personal information or important data from China.
(E) The draft for comment stipulated that the outbound transfer of personal information generated from personal affairs could be exempted, and highlighted several scenarios such as "cross-border shopping, cross-border remittances, airline and hotel bookings, and visa processing". The final rules retain this provision and add more scenarios, including "cross-border parcel delivery, cross-border payments, cross-border bank account opening, and examination services", to provide clearer guidance for individuals and businesses. In fact, according to Article 72 of the Personal Information Protection Law, which states that the processing of personal information by natural persons for personal or family affairs is not subject to this law, this exemption could be inferred, but in practice, misunderstandings have indeed arisen, with many believing that these situations also require security assessment, signing standard contracts, or obtaining personal information protection certification.
(F) For outbound data transfers that require a security assessment by the CAC, the validity period of an assessment once passed is a very practical issue for businesses. Article 14 of the "Security Assessment Measures on Outbound Data Transfer" stipulates a validity period of 2 years, with a requirement to re-apply upon expiry. The new rules further ease companies' compliance burden by extending the validity period to 3 years and, upon expiry, allowing an application to extend the validity period for another 3 years, meaning that, theoretically, one assessment could be valid for up to 6 years.
II. Compared to the draft for comment, the new rules have strengthened control in terms of important data and the special policies for data in Pilot Free Trade Zones, reflecting the compromise between the forces of national security and development within China's policy sphere:
(A) Important Data
The new rules retain the clarification made in the draft for comment regarding important data, specifying that data processors are not required to apply for security assessment if the data they want to transfer overseas has not been notified or publicly released as important data by relevant departments or regions. This significantly reduces the pressure on data processors, alleviating their fears of inadvertently transferring important data overseas, fully reflecting the original intention of supporting development and openness. The CAC also reaffirmed in the Q&A that important data pertains to the nation, not companies and individuals.
At the same time, however, compared to the draft for comment, the new rules have clarified the obligations of enterprises to identify and declare important data. The national security faction within China's policy circles evidently believes that if some institutions do hold important data that the relevant departments or regions have not notified, and the enterprises themselves do not proactively identify and declare it, this could pose a significant national security risk. While compliance is made easier for enterprises, it is also ensured that they cannot completely neglect this responsibility.
According to articles published by experts close to the regulators, over the past few years, there have been several unresolved issues regarding important data: Can the catalogue of important data be made public? Can the standards for identifying important data by departments or regions be disclosed? There are reasons for not making these public, but as a policy aimed at the entire society, mainly targeting commercial activities, "non-disclosure" does not align with the characteristics of market economy activities. The wording of the new rules is very deliberate on this matter. It allows for either public disclosure ("publicly released as important data") or specific notification to enterprises ("notified by the relevant departments or regions"), leaving room for choice to regulators. This approach will significantly address the "hard nut to crack" in the security management system for cross-border data flows. With the implementation of the new rules, it is expected that the work on the classification and categorization of important data by various departments and relevant regions will accelerate.
(B) Negative List in Pilot Free Trade Zones
The new rules also retain the innovative system that allows PFTZs to establish a "negative list independently." A "negative list" (also known as a "blacklist") is a term specifically used in foreign investment review, meaning "everything not on the list is permitted." This contrasts with a "positive list" (also known as a "whitelist"), meaning "only those on the list are permitted." Clearly, the negative list approach is more open, pro-business and is also an internationally recognized practice. The establishment of a "negative list" inherently demonstrates an open attitude.
Building on this, the new rules add some content, emphasizing that the authority of PFTZs to formulate a "negative list" is limited. It must be carried out within the overall framework of the central government's data classification and categorization, and it clarifies that only "data processors within the PFTZs" can enjoy the exemption of free transfer of data outside the "negative list," that is, enterprises registered in and processing data within the PFTZs. This does not include companies that are merely registered as shell companies in the PFTZs but actually conduct their business and data processing activities elsewhere, as this would clearly contravene the original policy intentions of attracting foreign investment and increasing employment in PFTZs.
The negative list defines the scope of data that is subject to cross-border data flow security management; everything outside it is exempt. Obviously, this represents a greater degree of exemption, that is, a blanket exemption from the outbound data transfer management regimes for data outside the negative list. However, if implemented improperly, it could also bring significant risks. Therefore, at this stage, it is not advisable to promote the negative list system nationwide. Given the PFTZs' policy space for institutional innovation and experimentation, and the fact that they host more export-oriented enterprises, it is feasible to implement the negative list system for cross-border data flows in PFTZs. According to some experts' WeChat blogs, China's Tianjin PFTZ has already formulated the country's first negative list for outbound data transfers, which will be released soon.
促进和规范数据跨境流动规定
Rules on Promoting and Regulating Cross-Border Data Flow
第一条 为了保障数据安全,保护个人信息权益,促进数据依法有序自由流动,根据《中华人民共和国网络安全法》、《中华人民共和国数据安全法》、《中华人民共和国个人信息保护法》等法律法规,对于数据出境安全评估、个人信息出境标准合同、个人信息保护认证等数据出境制度的施行,制定本规定。
Article 1: To ensure data security, protect the rights and interests of personal information, and promote the lawful, orderly, and free flow of data, in accordance with laws and regulations such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China, this regulation is formulated for the implementation of security assessments of outbound data transfer, standard contracts for outbound transfer of personal information, personal information protection certification, and other outbound data transfer mechanisms.
第二条 数据处理者应当按照相关规定识别、申报重要数据。未被相关部门、地区告知或者公开发布为重要数据的,数据处理者不需要作为重要数据申报数据出境安全评估。
Article 2: Data processors should identify and declare important data in accordance with relevant regulations. If the data has not been notified or publicly released as important data by the relevant departments or regions, the data processor is not required to declare the data as important data for the purpose of security assessment of outbound data transfer.
第三条 国际贸易、跨境运输、学术合作、跨国生产制造和市场营销等活动中收集和产生的数据向境外提供,不包含个人信息或者重要数据的,免予申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证。
Article 3: Data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, transnational production and manufacturing, and marketing that is provided overseas and does not contain personal information or important data is exempt from declaring an outbound data transfer security assessment, concluding a standard contract for outbound transfer of personal information, and passing personal information protection certification.
第四条 数据处理者在境外收集和产生的个人信息传输至境内处理后向境外提供,处理过程中没有引入境内个人信息或者重要数据的,免予申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证。
Article 4: Where data processors transfer personal information collected and generated overseas into China for processing and then provide it overseas again, and no domestic personal information or important data is introduced during the processing, they are exempt from declaring an outbound data transfer security assessment, concluding a standard contract for outbound transfer of personal information, and passing personal information protection certification.
第五条 数据处理者向境外提供个人信息,符合下列条件之一的,免予申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证:
Article 5: Data processors providing personal information overseas are exempt from declaring an outbound data transfer security assessment, concluding a standard contract for outbound transfer of personal information, and passing personal information protection certification if they meet any of the following conditions:
(一)为订立、履行个人作为一方当事人的合同,如跨境购物、跨境寄递、跨境汇款、跨境支付、跨境开户、机票酒店预订、签证办理、考试服务等,确需向境外提供个人信息的;
(1) It is necessary to provide personal information abroad for the conclusion or performance of a contract where the individual is a party, such as for cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, booking of airline tickets and hotels, visa processing, examination services, etc.;
(二)按照依法制定的劳动规章制度和依法签订的集体合同实施跨境人力资源管理,确需向境外提供员工个人信息的;
(2) It is necessary to provide employees' personal information abroad for cross-border human resources management, in accordance with legally established labor regulations and collective contracts signed according to law;
(三)紧急情况下为保护自然人的生命健康和财产安全,确需向境外提供个人信息的;
(3) It is necessary to provide personal information abroad in emergency situations to protect the life, health, and property safety of natural persons;
(四)关键信息基础设施运营者以外的数据处理者自当年1月1日起累计向境外提供不满10万人个人信息(不含敏感个人信息)的。
(4) Data processors other than operators of critical information infrastructure have cumulatively provided the personal information (excluding sensitive personal information) of fewer than 100,000 people overseas since January 1 of the current year.
前款所称向境外提供的个人信息,不包括重要数据。
The personal information provided overseas mentioned in the previous paragraph does not include important data.
第六条 自由贸易试验区在国家数据分类分级保护制度框架下,可以自行制定区内需要纳入数据出境安全评估、个人信息出境标准合同、个人信息保护认证管理范围的数据清单(以下简称负面清单),经省级网络安全和信息化委员会批准后,报国家网信部门、国家数据管理部门备案。
Article 6: Within the framework of the national data classification and grading protection system, Pilot Free Trade Zones may independently formulate a list of data within the zone (hereinafter referred to as the negative list) that must be brought within the scope of outbound data transfer security assessment, standard contracts for outbound transfer of personal information, and personal information protection certification. After approval by the provincial-level cybersecurity and informatization commission, the list shall be filed with the national cyberspace department and the national data management department.
自由贸易试验区内数据处理者向境外提供负面清单外的数据,可以免予申报数据出境安全评估、订立个人信息出境标准合同、通过个人信息保护认证。
Data processors within a Pilot Free Trade Zone providing data outside the negative list to overseas parties may be exempt from declaring an outbound data transfer security assessment, concluding a standard contract for outbound transfer of personal information, and passing personal information protection certification.
第七条 数据处理者向境外提供数据,符合下列条件之一的,应当通过所在地省级网信部门向国家网信部门申报数据出境安全评估:
Article 7: Data processors providing data overseas must declare an outbound data transfer security assessment to the national cyberspace department through the provincial cyberspace authority of their locality if they meet any of the following conditions:
(一)关键信息基础设施运营者向境外提供个人信息或者重要数据;
(1) Operators of critical information infrastructure provide personal information or important data overseas;
(二)关键信息基础设施运营者以外的数据处理者向境外提供重要数据,或者自当年1月1日起累计向境外提供100万人以上个人信息(不含敏感个人信息)或者1万人以上敏感个人信息。
(2) Data processors other than operators of critical information infrastructure provide important data overseas, or have cumulatively provided the personal information (excluding sensitive personal information) of 1 million or more people, or the sensitive personal information of 10,000 or more people, overseas since January 1 of the current year.
属于本规定第三条、第四条、第五条、第六条规定情形的,从其规定。
Where the circumstances fall under Articles 3, 4, 5, or 6 of these rules, those provisions apply.
第八条 关键信息基础设施运营者以外的数据处理者自当年1月1日起累计向境外提供10万人以上、不满100万人个人信息(不含敏感个人信息)或者不满1万人敏感个人信息的,应当依法与境外接收方订立个人信息出境标准合同或者通过个人信息保护认证。
Article 8: Data processors other than operators of critical information infrastructure that have cumulatively provided the personal information (excluding sensitive personal information) of 100,000 or more but fewer than 1 million people, or the sensitive personal information of fewer than 10,000 people, overseas since January 1 of the current year must conclude a standard contract for outbound transfer of personal information with the overseas recipient or pass personal information protection certification in accordance with the law.
属于本规定第三条、第四条、第五条、第六条规定情形的,从其规定。
Where the circumstances fall under Articles 3, 4, 5, or 6 of these rules, those provisions apply.
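As an added illustration (not part of the rules or of the author's post), the following Python routes a processor's personal-information transfers through the tiers of Articles 5(4), 7 and 8, applying the two counting rules the CAC Q&A gives for the thresholds: individuals are deduplicated, and PI transferred under an Article 5(1)-(3) exemption does not accumulate. The `TransferRecord` model, its field names and the sample data are assumptions made for the example.

```python
"""Route outbound PI transfers to the mechanism required by Articles 5(4), 7 and 8."""
from dataclasses import dataclass
from enum import Enum


class Mechanism(Enum):
    EXEMPT = "exempt from assessment, standard contract and certification (Art. 5)"
    CONTRACT_OR_CERTIFICATION = "standard contract or PI protection certification (Art. 8)"
    SECURITY_ASSESSMENT = "security assessment declared via the provincial CAC (Art. 7)"


@dataclass(frozen=True)
class TransferRecord:
    """One outbound transfer of one natural person's PI (constructed data model)."""
    subject_id: str        # stable identifier of the natural person, used for deduplication
    sensitive: bool        # sensitive PI in the sense of PIPL Article 28
    exempt_scenario: bool  # covered by Art. 5(1)-(3): contract with the individual, HR, emergency


def count_subjects(records, sensitive):
    """Distinct individuals whose (non-)sensitive PI went overseas since 1 January.

    Records covered by an Art. 5(1)-(3) exemption are skipped: exempted PI does not
    accumulate toward the thresholds. A set on subject_id performs the deduplication.
    """
    return len({r.subject_id for r in records
                if r.sensitive == sensitive and not r.exempt_scenario})


def applicable_mechanism(records, is_ciio=False, transfers_important_data=False):
    """Return (Mechanism, distinct non-sensitive subjects, distinct sensitive subjects).

    `records` must cover every outbound PI transfer of the processor since 1 January of
    the current year; `is_ciio` marks a critical information infrastructure operator.
    """
    n_general = count_subjects(records, sensitive=False)
    n_sensitive = count_subjects(records, sensitive=True)

    # Art. 7: important data always requires an assessment, as does any non-exempt PI
    # leaving a CIIO (Art. 7(1) carries no volume threshold).
    if transfers_important_data or (is_ciio and (n_general or n_sensitive)):
        return Mechanism.SECURITY_ASSESSMENT, n_general, n_sensitive
    # Art. 7(2): 1,000,000 or more individuals (non-sensitive) or 10,000 or more (sensitive).
    if n_general >= 1_000_000 or n_sensitive >= 10_000:
        return Mechanism.SECURITY_ASSESSMENT, n_general, n_sensitive
    # Art. 8: 100,000 up to but not including 1,000,000 non-sensitive individuals, or any
    # sensitive PI below 10,000 individuals (Art. 5(4) excludes sensitive PI entirely).
    if n_general >= 100_000 or n_sensitive >= 1:
        return Mechanism.CONTRACT_OR_CERTIFICATION, n_general, n_sensitive
    # Art. 5(4): non-CIIO, fewer than 100,000 individuals, no sensitive PI.
    return Mechanism.EXEMPT, n_general, n_sensitive


# Constructed sample: customer "c1" appears twice (counted once), "c3" is a cross-border
# shopping order under Art. 5(1) and therefore does not accumulate.
SAMPLE_RECORDS = [
    TransferRecord("c1", sensitive=False, exempt_scenario=False),
    TransferRecord("c1", sensitive=False, exempt_scenario=False),
    TransferRecord("c2", sensitive=False, exempt_scenario=False),
    TransferRecord("c3", sensitive=False, exempt_scenario=True),
]

if __name__ == "__main__":
    mechanism, general, sensitive = applicable_mechanism(SAMPLE_RECORDS)
    print(f"{general} non-sensitive, {sensitive} sensitive individuals -> {mechanism.value}")
```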
第九条 通过数据出境安全评估的结果有效期为3年,自评估结果出具之日起计算。有效期届满,需要继续开展数据出境活动且未发生需要重新申报数据出境安全评估情形的,数据处理者可以在有效期届满前60个工作日内通过所在地省级网信部门向国家网信部门提出延长评估结果有效期申请。经国家网信部门批准,可以延长评估结果有效期3年。
Article 9: The result of an outbound data transfer security assessment is valid for 3 years, counted from the date the assessment result is issued. Where the validity period is about to expire, outbound data transfer activities need to continue, and no circumstance requiring a new declaration of a security assessment has arisen, the data processor may, within 60 working days before expiry, apply through the provincial cyberspace authority of its locality to the national cyberspace department for an extension of the validity period. With the approval of the national cyberspace department, the validity of the assessment result may be extended by 3 years.
第十条 数据处理者向境外提供个人信息的,应当按照法律、行政法规的规定履行告知、取得个人单独同意、进行个人信息保护影响评估等义务。
Article 10: When data processors provide personal information overseas, they must fulfill the obligations of notification, obtaining the individual's separate consent, conducting a personal information protection impact assessment, and so on, in accordance with the provisions of laws and administrative regulations.
第十一条 数据处理者向境外提供数据的,应当遵守法律、法规的规定,履行数据安全保护义务,采取技术措施和其他必要措施,保障数据出境安全。发生或者可能发生数据安全事件的,应当采取补救措施,及时向省级以上网信部门和其他有关主管部门报告。
Article 11: When data processors provide data overseas, they must comply with the provisions of laws and regulations, fulfill their data security protection obligations, and take technical and other necessary measures to ensure the security of outbound data transfer. In the event or potential event of a data security incident, they must take remedial measures and promptly report to the cyberspace authority at the provincial level or above and other relevant competent departments.
第十二条 各地网信部门应当加强对数据处理者数据出境活动的指导监督,健全完善数据出境安全评估制度,优化评估流程;强化事前事中事后全链条全领域监管,发现数据出境活动存在较大风险或者发生数据安全事件的,要求数据处理者进行整改,消除隐患;对拒不改正或者造成严重后果的,依法追究法律责任。
Article 12: Cyberspace authorities at all levels should strengthen the guidance and supervision of data processors' outbound data transfer activities, improve the outbound data transfer security assessment system, and optimize the assessment process. They should enhance pre-event, in-event, and post-event full-chain, full-domain supervision. If they find that outbound data transfer activities pose significant risks or if a data security event occurs, they should require data processors to make corrections to eliminate hidden dangers. For those who refuse to make corrections or cause serious consequences, legal responsibilities shall be pursued in accordance with the law.
第十三条 2022年7月7日公布的《数据出境安全评估办法》(国家互联网信息办公室令第11号)、2023年2月22日公布的《个人信息出境标准合同办法》(国家互联网信息办公室令第13号)等相关规定与本规定不一致的,适用本规定。
Article 13: Where relevant provisions such as the "Security Assessment Measures on Outbound Data Transfer" (Order No. 11 of the Cyberspace Administration of China), issued on July 7, 2022, and the "Standard Contract Measures for Outbound Transfer of Personal Information" (Order No. 13 of the Cyberspace Administration of China), issued on February 22, 2023, are inconsistent with these rules, these rules shall apply.
第十四条 本规定自公布之日起施行。
Article 14: These rules take effect on the date of their promulgation.
Official Q&A by the CAC
Officials from the CAC answered journalists' questions regarding the new rules on outbound data transfer (the "rules").
Question 1: Could you introduce the background of the "rules"?
Answer: China actively promotes the lawful, orderly, and free flow of data, successively implementing the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, which provide clear regulations on outbound data transfer. The Cybersecurity Law stipulates that operators of critical information infrastructure operating in the People's Republic of China shall store personal information and important data collected and generated during operations within the territory of China. If it is necessary to provide data overseas due to business needs, it should undergo a security assessment according to the methods jointly formulated by the national cyberspace administration and relevant departments of the State Council; if there are other rules in laws and administrative regulations, they shall be followed. The Data Security Law specifies that the outbound security management of important data collected and generated by operators of critical information infrastructure in China during operations within the country shall comply with the provisions of the Cybersecurity Law. The management measures for the outbound security of other data processors collecting and generating important data within China shall be formulated by the national cyberspace administration in conjunction with relevant departments of the State Council. The Personal Information Protection Law states that if personal information processors need to provide personal information overseas due to business needs, they must meet one of the conditions, including passing a security assessment organized by the national cyberspace administration, obtaining personal information protection certification from a professional institution according to the regulations of the national cyberspace administration, or entering into a contract with overseas recipients in accordance with standard contracts formulated by the national cyberspace administration. 
If international treaties or agreements that China has concluded or participated in contain provisions on the conditions for providing personal information overseas, those provisions may be followed. These laws are made to effectively protect the interests of the people, safeguard national network and data security, and promote the lawful, orderly, and free flow of data. Outbound data transfer security management applies not to all data but only to important data and personal information. Here, important data is defined from the national perspective, not that of enterprises and individuals.
To meet the requirements of these laws, the Cyberspace Administration of China has issued the "Measures for the Security Assessment of Outbound Data Transfer" and the "Measures for the Standard Contract for Outbound Transfer of Personal Information," while the State Administration for Market Regulation has announced the "Announcement on Implementing Personal Information Protection Certification," establishing the basic framework for outbound data transfer security management. Additionally, the Cyberspace Administration of China has successively released guidelines such as the "Guidelines for the Application for Security Assessment for Outbound Data Transfer" and the "Guidelines for Filing the Standard Contract for Outbound Transfer of Personal Information," detailing the specific requirements for data processors to declare security assessments, file standard contracts, and submit the necessary materials.
Incorporating the practical work of outbound data transfer security management, the Cyberspace Administration of China has formulated the "rules," further clarifying the implementation and coordination of existing outbound data transfer systems such as outbound data transfer security assessments, standard contracts for personal information export, and personal information protection certification. The "rules" appropriately relax the conditions for cross-border data flows, moderately narrow the scope of outbound data transfer security assessments, facilitate cross-border data flows while ensuring national data security, reduce compliance costs for enterprises, fully unleash the value of data elements, expand high-level opening to the outside world, and provide legal protection for the high-quality development of the digital economy.
Question 2: What are the main contents of the "rules"?
Answer: The "rules" mainly specify the following: First, it clarifies the standards for declaring security assessments for important outbound data transfer. Second, it specifies the conditions for exempting security assessment declarations, entering into standard contracts for personal information exports, and obtaining personal information protection certification for outbound data transfer activities. Third, it establishes a negative list system for free trade pilot zones. Fourth, it adjusts the conditions for declaring security assessments for outbound data transfer, entering into standard contracts for personal information exports, and obtaining personal information protection certification. Fifth, it extends the validity period of outbound data transfer security assessment results and adds provisions for data processors to apply for an extension of the validity period.
Question 3: What is the relationship between the "rules" and the "Measures for the Security Assessment of Outbound Data Transfer" and the "Measures for the Standard Contract for Outbound Transfer of Personal Information"?
Answer: Where the provisions of the "Measures for the Security Assessment of Outbound Data Transfer" and the "Measures for the Standard Contract for Outbound Transfer of Personal Information" are inconsistent with the "rules," the "rules" shall apply.
Question 4: How is important data defined in terms of outbound data transfer activities, and what are the standards for declaring security assessments for important outbound data transfer?
Answer: According to the "Measures for the Security Assessment of Outbound Data Transfer," important data refers to data that, if tampered with, destroyed, leaked, illegally accessed, or unlawfully utilized, could pose risks to national security, economic operations, social stability, public health, and safety.
As per the "Data Security Law," the national data security coordination mechanism oversees the development of a directory of important data to enhance the protection of such data. Regions and departments are required to establish specific directories of important data for their respective areas and industries based on the system of classified protection of data, providing focused protection for the data included in the directories.
Under the "rules," data processors are obligated to identify and declare important data in accordance with relevant regulations. If data has not been notified or publicly announced by relevant departments or regions as important data, data processors are not required to declare such data for security assessments for important outbound data transfer.
Question 5: What are personal information and sensitive personal information, and how are they determined?
Answer: According to the "Personal Information Protection Law," personal information refers to various information related to identified or identifiable natural persons recorded in electronic or other ways, excluding information that has been anonymized. Anonymization is the process by which personal information is rendered unidentifiable to specific natural persons and cannot be restored.
Personal information that has been processed using encryption, de-identification, or similar measures falls under de-identification. Personal information that has undergone de-identification remains personal information under the "Personal Information Protection Law." De-identification is the process by which personal information is processed so that it cannot identify a specific natural person without the use of additional information.
Sensitive personal information refers to personal information that, if leaked or unlawfully used, could easily lead to the infringement of a natural person's dignity or endanger their personal, financial, or property security. This includes information such as biometric data, religious beliefs, specific identities, medical health, financial accounts, travel trajectories, and the personal information of individuals under the age of fourteen.
Question 6: What is critical information infrastructure, and how is it determined?
Answer: According to the "Regulation on Protecting the Security of Critical Information Infrastructure," critical information infrastructure refers to important network facilities, information systems, etc., in key industries and sectors such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, defense technology industries, and others. If these facilities are destroyed, lose functionality, or experience data leakage, it could seriously endanger national security, the national economy, people's livelihoods, and public interests.
The competent authorities and supervisory departments of the relevant key industries and sectors are responsible for formulating rules for identifying critical information infrastructure in their respective industries and sectors. They organize the identification of critical information infrastructure in their industries and sectors and promptly notify the operators of critical information infrastructure of the identification results.
Question 7: Which outbound data transfer activities are exempt from reporting outbound data transfer security assessments, establishing standard contracts for personal information export, and obtaining personal information protection certification?
Answer: The following six types of outbound data transfer activities are exempt from reporting outbound data transfer security assessments, establishing standard contracts for personal information export, and obtaining personal information protection certification:
(1) Data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, and cross-border production and marketing, provided overseas where it contains no personal information or important data.
(2) Personal information collected and generated overseas, transferred to China for processing and then provided overseas again, where the processing involves no domestic personal information or important data.
(3) Providing personal information overseas where it is necessary for entering into or performing a contract to which the individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel reservations, visa processing, and exam services.
(4) Implementing cross-border human resources management in accordance with legally established labor rules and collective contracts, where it is necessary to provide employee personal information overseas.
(5) Providing personal information overseas in an emergency to protect the life, health, or property of individuals.
(6) Data processors other than operators of critical information infrastructure that have cumulatively provided overseas the personal information (excluding sensitive personal information) of fewer than 100,000 individuals since January 1 of the current year.
Personal information provided overseas under conditions (3) to (6) does not include personal information identified as important data by the relevant departments or regions.
Question 8: How to understand the negative list system in the Free Trade Zone?
Answer: Under the national data classification and grading protection system framework, the Free Trade Zone can independently establish a data list (referred to as a negative list) that needs to be included in outbound data transfer security assessments, standard contracts for personal information export, and personal information protection certification.
Data processors within the Free Trade Zone providing data outside the negative list can be exempt from reporting outbound data transfer security assessments, establishing standard contracts for personal information export, and obtaining personal information protection certification. Before the negative list is introduced, outbound data transfer activities within the Free Trade Zone are conducted in accordance with relevant national regulations on outbound data transfer security management.
Question 9: How to understand the relationship between outbound data transfer security assessments, standard contracts for personal information export, and personal information protection certification?
Answer: Outbound transfers of important data, and outbound transfers of personal information that meet the conditions for reporting an outbound data transfer security assessment, must undergo an outbound data transfer security assessment.
For personal information outbound activities that do not meet the conditions for reporting outbound data transfer security assessments, personal information processors can choose to establish standard contracts for personal information export or obtain personal information protection certification based on their own circumstances. If they meet the conditions for exemption from establishing standard contracts for personal information export or obtaining personal information protection certification, personal information processors do not need to follow the relevant procedures.
Question 10: Which outbound data transfer activities require reporting outbound data transfer security assessments?
Answer: The "rules" have optimized and adjusted the conditions for reporting outbound data transfer security assessments as specified in the "Measures for the Security Assessment of Outbound Data Transfer." The "rules" clearly define two conditions that require reporting an outbound data transfer security assessment: first, operators of critical information infrastructure providing personal information or important data overseas; second, data processors other than operators of critical information infrastructure providing important data overseas, or cumulatively providing the personal information (excluding sensitive personal information) of over 1 million individuals or the sensitive personal information of over 10,000 individuals since January 1 of the current year. Situations falling under Articles 3, 4, 5, and 6 of the "rules" are handled according to those provisions.
Question 11: How is the calculation of "cumulatively providing over 1 million individuals' personal information (excluding sensitive personal information) or over 10,000 individuals' sensitive personal information since January 1 of the current year" done?
Answer: The calculation period is from January 1 of the current year until the day of reporting outbound data transfer security assessments, and the count is based on the de-duplicated statistical results in terms of individuals.
Activities falling under the provisions of Articles 3, 4, 5 (items 1 to 3), and 6 of the "rules" are not included in the cumulative count.
Question 12: Which outbound data transfer activities require establishing standard contracts for personal information export or obtaining personal information protection certification?
Answer: The "rules" have optimized and adjusted the conditions for establishing standard contracts for personal information export as specified in the "Measures for the Security Assessment of Outbound Data Transfer." According to the "rules," data processors other than operators of critical information infrastructure that, since January 1 of the current year, have cumulatively provided overseas the personal information (excluding sensitive personal information) of over 100,000 but fewer than 1 million individuals, or the sensitive personal information of fewer than 10,000 individuals, should legally establish standard contracts for personal information export with the overseas recipients or obtain personal information protection certification. Activities falling under the provisions of Articles 3, 4, 5, and 6 of the "rules" are subject to these requirements.
It is important to note that when providing personal information abroad that has been identified by relevant departments or regions as important data, one must report outbound data transfer security assessments and cannot choose to establish standard contracts for personal information export or obtain personal information protection certification.
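The thresholds in Questions 10 to 12 form a small decision procedure, and the de-duplication rule in Question 11 is the part that is easy to get wrong when a company keeps its own tally. The following Python sketch is an added example, not code from the CAC or from the original post: it keeps a per-year ledger of individuals whose data was sent abroad, counts each individual once, leaves out transfers the FAQ says are not counted (Articles 3, 4, 5 items 1 to 3, and 6), and maps the totals to the applicable mechanism. The class name, the hashed ledger keys and the treatment of the exact boundary values (exactly 100,000 or exactly 10,000 individuals, which the FAQ does not settle) are assumptions made here, with the boundary resolved conservatively toward the stricter mechanism.

```python
import hashlib
from dataclasses import dataclass, field

# Thresholds as stated in the FAQ (Questions 10-12).
PI_ASSESSMENT = 1_000_000   # over 1 million individuals' non-sensitive PI -> security assessment
SPI_ASSESSMENT = 10_000     # over 10,000 individuals' sensitive PI -> security assessment
PI_CONTRACT = 100_000       # 100,000 to 1 million -> standard contract or certification

SECURITY_ASSESSMENT = "security_assessment"
CONTRACT_OR_CERT = "standard_contract_or_certification"
EXEMPT = "exempt"


@dataclass
class TransferLedger:
    """Hypothetical ledger of outbound transfers since January 1 of the current year.

    Individuals are counted once regardless of how many times their data crossed the
    border (Question 11). Raw identifiers are not stored; only a hash is kept.
    """
    is_ciio: bool                      # operator of critical information infrastructure
    important_data: bool = False       # any data notified as important data was transferred
    pi_subjects: set = field(default_factory=set)
    spi_subjects: set = field(default_factory=set)

    @staticmethod
    def _key(subject_id: str) -> str:
        # Hashing keeps the ledger itself from becoming another store of identifiers.
        return hashlib.sha256(subject_id.encode("utf-8")).hexdigest()

    def record(self, subject_id: str, sensitive: bool = False, exempt: bool = False) -> None:
        """Record one outbound transfer for one individual.

        exempt=True marks a transfer under Articles 3, 4, 5 (items 1-3) or 6 of the rules,
        which Question 11 says are not included in the cumulative count.
        """
        if exempt:
            return
        bucket = self.spi_subjects if sensitive else self.pi_subjects
        bucket.add(self._key(subject_id))

    def counts(self) -> tuple:
        """De-duplicated (non-sensitive PI individuals, sensitive PI individuals)."""
        return len(self.pi_subjects), len(self.spi_subjects)

    def regime(self) -> str:
        """Map the ledger to the mechanism described in Questions 10 and 12."""
        pi, spi = self.counts()
        # Question 10, first condition: a CIIO providing any PI or important data.
        if self.is_ciio and (pi or spi or self.important_data):
            return SECURITY_ASSESSMENT
        # Question 10, second condition, and Question 12's note on important data.
        if self.important_data or pi > PI_ASSESSMENT or spi > SPI_ASSESSMENT:
            return SECURITY_ASSESSMENT
        # Question 12: 100,000 to 1 million PI, or any sensitive PI below 10,000.
        # Assumption: exactly 100,000 is treated as the stricter tier.
        if pi >= PI_CONTRACT or spi > 0:
            return CONTRACT_OR_CERT
        # Question 7, item (6): fewer than 100,000 non-sensitive individuals.
        return EXEMPT


def demo() -> str:
    """Constructed scenario: a non-CIIO processor with repeated transfers for the same people."""
    ledger = TransferLedger(is_ciio=False)
    for day in range(3):                      # the same 120,000 customers synced on three days
        for i in range(120_000):
            ledger.record(f"customer-{i}")
    ledger.record("payment-7", exempt=True)   # a cross-border payment under Article 5 is not counted
    return ledger.regime()


if __name__ == "__main__":
    print(demo())
```

The point of the example is the counting rule rather than the thresholds themselves: without de-duplication, the constructed scenario above would show 360,000 records and look as if it were approaching the assessment tier, while the de-duplicated count of 120,000 individuals places it in the standard-contract or certification tier.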
Question 13: How long is the validity period of the outbound data transfer security assessment results? Can an extension be requested?
Answer: The "rules" have extended the validity period of outbound data transfer security assessment results from the 2 years specified in the "Measures for the Security Assessment of Outbound Data Transfer" to 3 years, counted from the date of issuance of the assessment results. They have also added a provision allowing data processors to apply for an extension of the validity period. When the validity period is about to expire, outbound transfers need to continue, and no new outbound data transfer security assessment is required, data processors can, within 60 working days before expiration, submit an application to extend the validity period to the national cyberspace administration department through the provincial cyberspace administration department where they are located. Upon approval by the national cyberspace administration department, the validity period of the assessment results can be extended by 3 years.
Question 14: How to apply this regulation to activities that have completed or are in the process of applying for outbound data transfer security assessments and submitting records of standard contracts for personal information export before the implementation of the "rules"?
Answer: For outbound data transfer activities that have already undergone outbound data transfer security assessments before the implementation of the "rules," data processors can continue their activities based on the declared matters.
For outbound data transfer activities that have not passed or only partially passed the outbound data transfer security assessments before the implementation of the "rules" and are exempt from reporting outbound data transfer security assessments according to the "rules," data processors can legally provide personal information to overseas through other means such as establishing standard contracts for personal information export or obtaining personal information protection certification.
For activities that have already reported outbound data transfer security assessments and submitted records of standard contracts for personal information export before the implementation of the "rules," and are not required to undergo the above procedures according to the "rules," data processors can proceed as per the original procedures or withdraw their applications and records by contacting the provincial cyberspace administration department where they are located.
Question 15: How can data processors report outbound data transfer security assessments, record standard contracts for personal information export, and apply for personal information protection certification?
Answer: Data processors can report outbound data transfer security assessments and file standard contracts for personal information export by logging into the Outbound Data Transfer Declaration System at https://sjcj.cac.gov.cn. If they have already submitted security assessment applications and contract filings offline, there is no need to resubmit them through the declaration system. To apply for personal information protection certification, they can log into the Personal Information Protection Certification Management System at https://data.isccc.gov.cn.
For operators of critical information infrastructure or other entities not suitable for reporting outbound data transfer security assessments through the outbound data transfer declaration system, they can submit outbound data transfer security assessments offline through the provincial cyberspace administration department where they are located to the national cyberspace administration department.
Question 16: What are the contact methods for outbound data transfer consultation and reporting?
Answer: (1) Outbound Data Transfer Security Assessment Declaration: 010-55627135, sjcj@cac.gov.cn; (2) Filing of Standard Contracts for Personal Information Export: 010-55627565, bzht@cac.gov.cn; (3) Application for Personal Information Protection Certification: 010-82261100, data@isccc.gov.cn.
For the contact information (office address, telephone number) of the provincial cyberspace administration departments that handle outbound data transfer security assessment declarations and standard contract filings for personal information export, please refer to the official websites and WeChat official accounts of the Internet Information Offices of the provinces, autonomous regions, municipalities, and the Xinjiang Production and Construction Corps, as well as the Data Governance section of the Cyberspace Administration of China website (https://www.cac.gov.cn).