China's head of top data security regulator: our data export rules do not target any specific country or company
Today, Hu Xiao (胡啸), the Head of the Data Management Bureau (网络数据管理局) at the Cyberspace Administration of China (CAC), published a signed article in the "China Cyberspace Affairs" (中国网信) journal. He reviewed and summarized China's cross-border data flow security management system and outlined plans and directions for future work.
The CAC is the top regulator of cyberspace in China, and the Data Management Bureau is responsible for the specific design of cross-border data flow systems in China. This bureau is the most powerful regulatory body in data security. It holds the authority to approve data exports, which has caused headaches for countless Chinese and foreign companies. These approvals are implemented by provincial CAC offices under the guidance of this bureau. In negotiations on cross-border data flow rules in China, this bureau plays a crucial role and is a typical "powerhouse department" within the Chinese bureaucratic system.
Hu is a seasoned veteran in the CAC, known for his extensive experience and deep understanding of network data management. Before the establishment of the Data Management Bureau in 2021, he served as the top-ranking Deputy Chief of the Cybersecurity Coordination Bureau of the CAC, where he led the development of China's foundational regime for data export and personal information protection. After being appointed as the first head of the Data Management Bureau, he continued to design and develop China's regulatory rules for data export. During some discussions on data security and personal information protection legislation, I had the privilege of having face-to-face exchanges with Hu. I found him to be a very approachable and highly professional technical official with a relatively deep understanding of technology and industry.
"China Cyberspace Affairs" is the most authoritative and the only official journal of the CAC, managed by the China Institute of Cyberspace(中国网络空间研究院). Its mission is to "interpret major decisions and deployments in China's cyberspace, and to serve as a platform for deepening theoretical research, technological innovation, and practical activities in cyberspace governance." The inaugural issue of "China Cyberspace Affairs" in 2022 featured an article by Elon Musk, titled "Believe in Technology to Create a Better Future," where he discussed his vision for clean energy, humanoid robots, brain-computer interfaces, and space exploration.
In his article today, Hu systematically summarized the basic approach to China's cross-border data flow security regulation, reviewed the gradual establishment of this complex regulatory system, and outlined the CAC's key directions for future work in this area. He emphasized that China's cross-border data flow system is universally applied, not targeting any specific country or company, treating domestic and foreign companies equally. I feel like this statement subtly criticizes the U.S. data Executive Order released by President Biden in May, as well as an ANPRM to implement the EO by the Justice Department, which is explicitly targeting China and several other “foreign adversaries”. These new rulemaking efforts highlight a considerable change in the U.S. approach to cross-border data flow, specifically targeting countries like China with more stringent restrictions. This shift suggests a more protective and cautious stance towards foreign data practices, reflecting broader geopolitical tensions and competition.
Notably, Hu disclosed some data on the CAC's handling of corporate data export security assessments as of May 8, 2024, emphasizing that most applications were approved, with only about one-tenth of the data export requests not receiving approval. He also highlighted the importance of making the rule align with the country's goals for "high-quality development" (高质量发展), "high-level openness" (高水平开放) and a "new development pattern" (新发展格局). The CAC has already somewhat relaxed data export control by releasing a new data export rule in March. This meticulously crafted new rule was greeted with relief by foreign and Chinese firms in China that trade outside the country. Hu's statement above indicates that more business-friendly and investment-convenient policies in cross-border data flow will be introduced.
Talking about China’s stance on global data governance, he said China is ready to promote and establish “universally accepted international rules” for cross-border data flow. He then hinted that the UN and WTO are China’s preferred venues to formulate such rules by saying that “China will actively participate in the formulation of international rules and standards for cross-border data flows under the frameworks of the United Nations and the World Trade Organization”. According to him, China is also exploring establishing special institutional arrangements for cross-border data flows with relevant countries and regions to promote safe and orderly data flows.
For anyone looking to comprehensively understand the guiding principles, historical context, and future directions of China's cross-border data flow rules, I highly recommend reading this article. To make it easier for readers, I have translated the article into English. All highlights and faults are mine.
Design of China's Cross-Border Data Flow Security Management System
President Xi Jinping emphasized, "Data is a new production element, a fundamental and strategic resource, and an important productive force. Strengthening data security management, enhancing personal information protection, and regulating the collection and use of personal information by technology companies and institutions are crucial. Particularly, it is essential to conduct security assessments and supervision of cross-border data flows."
Currently, there is a strong demand for cross-border data flow in areas such as e-commerce, transportation, pharmaceutical research and development, academic cooperation, manufacturing, and marketing. Building a secure, orderly, and convenient cross-border data flow management mechanism is of great significance for promoting the development of the digital economy and preventing data security risks.
In recent years, the CAC has thoroughly implemented President Xi's important thoughts on building a strong cyber power, earnestly executed the decisions and deployments of the Party Central Committee and the State Council, adhered to interactions between high-quality development and high-level security, issued a series of regulatory policies and documents, and gradually established and improved China's cross-border data flow security management system. Together with local departments, the CAC has conducted cross-border data flow security management according to laws and regulations, promoting the safe and orderly flow of data across borders and assisting the high-quality development of the digital economy.
Adhering to the Principle of Open Cooperation and Legal Compliance
Firstly, Adhering to Legal Management:
With the increasing frequency of cross-border data flows, many countries and regions have explored institutional measures based on their own conditions, issuing a series of laws, regulations, and standards. China, considering its national conditions, has successively enacted the "Cybersecurity Law of the People's Republic of China" (hereinafter referred to as the "Cybersecurity Law"), the "Data Security Law of the People's Republic of China" (hereinafter referred to as the "Data Security Law"), and the "Personal Information Protection Law of the People's Republic of China" (hereinafter referred to as the "Personal Information Protection Law"). These laws provide clear regulations for providing important data and personal information to overseas entities. The "Cybersecurity Law" stipulates that operators of critical information infrastructure should store personal information and important data collected and generated during operations within the territory of the People's Republic of China. If it is necessary to provide such data abroad for business needs, a security assessment should be conducted according to the methods formulated by the CAC in conjunction with relevant departments of the State Council; if laws and administrative regulations provide otherwise, those provisions shall be followed. The "Data Security Law" specifies that the security management of important data collected and generated by operators of critical information infrastructure within the territory of the People's Republic of China shall comply with the provisions of the "Cybersecurity Law." The measures for the security management of the export of important data collected and generated by other data handlers within the territory of the People's Republic of China shall be formulated by the CAC in conjunction with relevant departments of the State Council. 
The "Personal Information Protection Law" provides that personal information handlers who need to provide personal information to overseas entities for business needs can do so through security assessments, personal information protection certifications, or by entering into standard contracts with overseas recipients. These legislations form the basic legal framework for China's cross-border data flow security management, providing a legal basis for conducting security management of cross-border data flows.
Secondly, Adhering to Classification and Grading Management:
Compared to traditional production elements, data flows more conveniently and has more apparent cross-regional and cross-border characteristics. China's cross-border data flow security management focuses on maintaining data security and protecting the rights and interests of citizens' personal information while promoting the safe and orderly flow of data and leveraging the role of data elements. We recognize the importance of data flow and emphasize preventing security risks arising from data flow. China's cross-border data flow security management is not targeted at all data but limited to important data and personal information. Important data refers to data of national significance, not corporate or personal significance. If a security assessment concludes that the export of important data will not harm national security and public interests, it can be exported. For personal information export, personal information processors can choose to apply for data export security assessments, obtain personal information protection certifications, or enter into standard contracts for personal information export with overseas recipients. General data not involving important data or personal information can flow freely across borders under the general compliance obligations prescribed by law.
Thirdly, Adhering to Unified Standards:
The subjects of data export involve various industries, and overseas recipients are distributed in different countries and regions. China's cross-border data flow security management system is a universal provision, not targeting any specific country or enterprise, treating domestic and foreign companies equally. In practice, we have issued a series of regulations, guidelines, and standards for cross-border data flow management based on extensive consultation and adoption of opinions and suggestions from all parties. These refine the institutional arrangements made by laws, clarify the compliance obligations of data processors in conducting cross-border data activities, continuously improve the data export security management mechanism, and ensure the lawful, secure, and orderly flow of data.
Fourthly, Adhering to Openness and Cooperation:
Currently, a unified global rule for cross-border data flow has not been established. Building a mutually coordinated international governance system to promote the safe and orderly flow of cross-border data is a common challenge. The "Personal Information Protection Law" provides that international treaties or agreements concluded or acceded to by the People's Republic of China that stipulate conditions for providing personal information abroad can be followed. China supports achieving safe and orderly cross-border data flow based on international treaties or agreements and following the principle of reciprocity. China is willing to conduct multilateral and bilateral exchanges and cooperation with other countries and regions on cross-border data issues within the frameworks of the United Nations, the World Trade Organization, and other platforms, promoting the establishment of universally accepted international rules for cross-border data flow and aiding the globalization of the digital economy.
Adhering to Open Innovation and Establishing a Data Export Security Management System
Implementing the institutional arrangements for data export security management as stipulated by law, the CAC has been diligently establishing and refining China’s data export security management system. This includes clear implementation paths for data export security assessments, standard contracts for personal information export, and personal information protection certifications. The CAC continues to ensure the effective implementation of these systems, achieving phased progress.
1. Establishing the Data Export Security Assessment System
To strengthen the security management of exporting important data and large-scale personal information, the CAC issued the "Measures for Data Export Security Assessment" on July 7, 2022, which took effect on September 1, 2022. These measures outline the scope, process, key points, and regulatory requirements for data export security assessments. Additionally, the "Guidelines for Applying for Data Export Security Assessments (First Edition)" were released on August 31, 2022, providing specific application requirements. On March 22, 2024, an updated "Guidelines for Applying for Data Export Security Assessments (Second Edition)" was published, simplifying the required application materials and reducing compliance costs for data handlers.
The first approved data export security assessment project was a cross-border health and medical research project by Beijing Friendship Hospital affiliated with Capital Medical University, with the University Medical Center Amsterdam in the Netherlands as the overseas recipient. As of May 8, 2024, the CAC had received 262 applications for data export security assessments from provincial CAC offices, accepted 243, and completed 234 assessments, with 232 projects receiving assessment results (206 approved or partially approved, 26 not approved), and two assessments terminated, resulting in an 11.1% non-approval rate. The projects involved various sectors, including retail, transportation, finance, industry, e-commerce, health, technology, postal services, culture and tourism, education, recruitment, telecommunications, and real estate, with overseas recipients mainly located in the EU, the U.S., Hong Kong, Singapore, and Japan.
2. Establishing the Standard Contract Filing System for Personal Information Export
To facilitate and regulate the export of small-scale personal information, the CAC issued the "Measures for the Standard Contract for Personal Information Export" on February 22, 2023, effective June 1, 2023. These measures specify the applicable scope, standard contract signing, and filing requirements, along with a standard contract template. The "Guidelines for Filing Standard Contracts for Personal Information Export (First Edition)" were released on May 30, 2023, providing specific filing requirements. An updated "Guidelines for Filing Standard Contracts for Personal Information Export (Second Edition)" was published on March 22, 2024, simplifying the required filing materials. The first case of a standard contract for personal information export was filed by Beijing Deyixin Data Co., Ltd., with Novartis Integrity Co., Ltd. in Hong Kong, becoming the first successfully filed standard contract for personal information export. As of May 8, 2024, over 760 standard contracts for personal information export had been filed across various provinces, with Shanghai, Beijing, Jiangsu, and Guangdong leading in the number of filings.
3. Establishing the Personal Information Protection Certification System
On November 4, 2022, the CAC, together with the State Administration for Market Regulation, issued the "Announcement on Implementing Personal Information Protection Certification" and its supporting certification rules. These documents define the basic principles and specific requirements for certifying personal information handlers conducting cross-border activities, encouraging them to enhance their personal information protection capabilities through certification. This voluntary certification, operated in a market-based manner, allows companies to apply voluntarily. Certification bodies evaluate the personal information protection capabilities of processors based on relevant laws, regulations, and standards.
4. Facilitating Cross-Border Data Flow in the Guangdong-Hong Kong-Macao Greater Bay Area
To promote high-quality development in the Greater Bay Area and explore mechanisms that facilitate data flow while ensuring security, the CAC and the Hong Kong Special Administrative Region’s Innovation, Technology and Industry Bureau signed a "Memorandum of Understanding on Promoting Cross-Border Data Flow in the Guangdong-Hong Kong-Macao Greater Bay Area" on June 29, 2023. On December 10, 2023, they jointly issued the "Guidelines for Implementing Standard Contracts for Cross-Border Personal Information Flow in the Greater Bay Area (Mainland and Hong Kong)." These guidelines support the cross-border flow of personal information through certification or standard contracts, exempting the need for data export security assessments. General data not involving important data or personal information can flow freely within the Greater Bay Area. This initiative marks a beneficial attempt at regional cross-border data flow cooperation and provides valuable experience for future multi-bilateral data cooperation.
5. Adhering to High-Level Opening-Up and Continuously Optimizing the Data Cross-Border Flow Security Management System
To further promote the lawful and orderly flow of data, unleash the value of data elements, and expand high-level opening-up, the CAC issued the "Regulations on Promoting and Regulating Data Cross-Border Flow" on March 22, 2024. These regulations optimize and adjust the systems for data export security assessments, standard contracts for personal information export, and personal information protection certifications. Key adjustments include:
1. Clarifying situations exempt from data export security assessments, standard contracts, and personal information protection certifications.
2. Optimizing the conditions requiring data export security assessments, standard contracts, and personal information protection certifications.
3. Extending the validity period of data export security assessment results from two years to three years.
4. Clarifying that data processors should identify and report important data according to laws and regulations. Data not identified or publicly announced as important by relevant departments or regions does not need to be reported for security assessment.
5. Allowing pilot free trade zones to formulate their own lists of data requiring security assessments, standard contracts, or personal information protection certifications within the framework of the national data classification and grading protection system. Data handlers in these zones can export data not on the list without undergoing these processes. Recently, the CAC and the National Data Bureau clarified the filing mechanisms and processes for the negative list of free trade zones, with the China (Tianjin) Pilot Free Trade Zone becoming the first to complete the filing.
It should be noted that data export activities meeting the conditions listed in the "Regulations" are exempt from the compliance requirements of data export security assessments, standard contracts, and personal information protection certifications, but are not exempt from the statutory obligations of data security and personal information protection. Data handlers must still comply with the "Cybersecurity Law," "Data Security Law," and "Personal Information Protection Law," fulfilling legal obligations such as establishing comprehensive data security management systems, conducting personal information protection impact assessments, informing and obtaining individual consent, and taking technical and other necessary measures to ensure data security.
Balancing Security and Development: Continuously Improving the Cross-Border Data Flow Security Management System
At the 2023 Central Economic Work Conference, it was emphasized that "we must adhere to a virtuous interaction between high-quality development and high-level security, promoting high-level security with high-quality development, ensuring that development and security are dynamically balanced and mutually reinforcing." The conference also stressed the importance of addressing issues such as cross-border data flows and equal participation in government procurement in line with international high standards of economic and trade rules. Moving forward, the CAC will deeply implement the important instructions of General Secretary Xi Jinping and the decisions of the Party Central Committee, fully embrace the new development philosophy, continually summarize practical experiences, and further improve the cross-border data flow management system. This aims to promote the safe and orderly cross-border flow of data and support the robust development of the digital economy.
1. Ensuring the Implementation of Laws and Policies, Building a Data Export Security Management System Adapted to High-Quality Development
Efforts will focus on strengthening coordination with local and relevant departments of the State Council, continuously improving the data export security management mechanism, and ensuring the orderly implementation and effectiveness of various data export security management systems. Public awareness and understanding of data export security management laws, policies, systems, and standards will be promoted through diverse channels. Best practices and successful experiences in data export security management will be shared to foster a conducive environment for high-quality economic development. Pilot Free Trade Zones will be guided to develop negative lists tailored to their specific cross-border data flow conditions, creating more favorable conditions for cross-border data flows within these zones. The data export security management policies will be dynamically adjusted and optimized in response to the needs of the digital economy's development.
2. Enhancing International Exchanges and Cooperation, Building a Cross-Border Data Flow Management Rules System Aligned with High-Level Openness
Understanding the rapid development trends of the global digital economy and international digital trade, China will adhere to a high level of openness, actively aligning with high-standard international economic and trade rules such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA). Under the frameworks of the United Nations and the World Trade Organization, China will actively participate in the formulation of international rules and standards for cross-border data flows, contributing to the globalization of the digital economy. Bilateral and multilateral digital governance cooperation will be promoted based on principles of equality and reciprocity, exploring the establishment of special institutional arrangements for cross-border data flows with relevant countries and regions to promote safe and orderly data flows.
3. Balancing Development and Security, Building a Cross-Border Data Flow Security Assurance System Adapted to the New Development Pattern
General Secretary Xi Jinping emphasized, "The more open we are, the more we need to emphasize security, and we must balance development and security." China will continue to prioritize both security and development, ensuring that safeguarding data security and promoting the safe and orderly flow of data, as well as its development and utilization, remain the fundamental directions of data export security management. Efforts will be accelerated to establish a cross-border data flow security regulatory model suitable for the new development pattern, enhancing the classification and grading protection of data, strengthening the technical capabilities for data export security regulation, and guiding companies to improve their compliance capabilities in data export. This approach aims to ensure data security while promoting its circulation and application, achieving a dynamic balance between development and security.
Conclusion
China is committed to creating a secure and efficient system for cross-border data flow management, which is crucial for the country's digital economy. Through a combination of legal frameworks, international cooperation, and a balance between security and development, China aims to foster an environment where data can flow safely and contribute to high-quality economic growth.