The Spring Festival of the Year of the Dragon is here, and the Chinese government has sent out several red packs on the issue of cross-border data flow. China is trying to clarify the rules for cross-border data flows at both the central and local levels in order to reduce the compliance burden on enterprises, promote the development of the digital economy, and create conditions for joining DEPA and CPTPP.

A new rule aiming to loosen control of outbound data flow is approaching

On September 28th, 2023, the Cyberspace Administration of China (CAC) announced a draft rule for comment on regulating and promoting cross-border data flow. Based on the authorization of Article 38 of the " Personal Information Protection Law ", the draft rule, which is known in the industry as "9·28 doc", is to loosen the control of outbound data flow required for international economic and trade activities, marking that China's data security management system is constantly developing and maturing in practice.

The State Council Information Office held a regular policy briefing at 10:00 am on Monday, February 5, 2024.

Zhu Bing, Director of the Foreign Investment Management Department of the Ministry of Commerce, said: The CAC has formulated the "Regulations on Regulating and Promoting Cross-border Data Flow" (9·28 doc) and is studying and improving them, preparing to promote their implementation.

Shanghai vows to make its own "important data" catalogues: big talk, little action

Important data has more implications for national security than personal information. Under Chinese data law, the outbound transfer of important data is subject to security evaluation conducted by the CAC. Therefore, the definition and scope of important data are critical for businesses. China's Data Security Law establishes the basic idea of categorizing and grading protection for important data. The National Information Security Standardization Technical Committee is working on a national standard for identifying important data but has made very limited progress so far. The 9·28 doc historically made clarification on important data, saying that "If it has not been informed by the relevant departments or regions, or publicly released as important data, the data processor does not need to declare the data exit security assessment as important data."

On the morning of February 6th, the Shanghai Municipal Government Information Office held a press conference to introduce the relevant situation of the "Implementation Plan for Shanghai to Fully Connect with International High-Standard Economic and Trade Rules and Promote the High-Level Institutional Opening of the China (Shanghai) Pilot Free Trade Zone".

In terms of standardizing and promoting cross-border data flow, measures such as taking the lead in formulating important data catalogues, exploring the establishment of legal, secure, and convenient cross-border data flow mechanisms, and establishing data cross-border service centres in the Lingang New Area are proposed.

Regarding promoting data openness and sharing, measures such as building an international open-source promotion organization, increasing the scope and intensity of public data openness, participating in the digital economy, and strengthening international cooperation for digital inclusiveness have been proposed.

Overall evaluation: Basically, it is a refinement of the higher-level document "Fully Connect with International High-Standard Economic and Trade Rules and Promote the High-Level Institutional Opening of the China (Shanghai) Pilot Free Trade Zone".

The specific display of the document is as follows:

Ⅱ.Accelerate the expansion and opening up of service trade

(2) Facilitate the cross-border transmission of financial data

5. Under the framework of the national data cross-border transmission security management system, financial institutions can transfer the data required for daily operation overseas. Financial Institutions shall carry out data export work in accordance with the requirements of data classification and grading management and data security work, carry out data export security evaluation, personal information protection certification and personal information export standard contract filing, and ensure the security of important data and personal information.

Brief comment: Still within the existing framework, it's equivalent to saying nothing.

IV. Take the lead in implementing high-standard digital trade rules

(1) Regulating and promoting cross-border data flow

38.Under the framework of the national data security management system, enterprises and individuals may provide data overseas for business needs.

Brief comment: Still the existing framework, no breakthrough.

39.The Shanghai Pilot Free Trade Zone Management Committee and the Lingang New Area Management Committee shall, in accordance with the data classification and grading protection system, take the lead in formulating an important data catalog according to the actual needs of the area.

Brief comment: The important data directory of the free trade zone can be clarified.

40. Explore establishing a legal, safe and convenient data cross-border flow mechanism to enhance the convenience of data cross-border flow. By strengthening the classification guidance of relevant industries' outbound data, publishing demonstration scenarios, and establishing a data cross-border service center in Lingang New Area, it is convenient for data processors to carry out data outbound self-assessment and other data outbound security compliance work.

Brief comment: Strengthen guidance.

(3) Promote data openness and sharing

56.Encourage public data to be provided to society in the form of models, verification, and other products and services, while protecting personal privacy and ensuring public safety, in accordance with the requirements of "original data source not in the domain, data available but not visible", explore the development and utilization of public data, and encourage the development of new products and services based on datasets.

Brief comment: Encourage privacy computing.

Tianjin quietly made further clarification to the scope and identification of important data: a surprise

On February 7, 2024, the Tianjin Municipal Bureau of Commerce and the Management Committee of the China (Tianjin) Pilot Free Trade Zone jointly released the "Standards and Specifications for Enterprise Data Classification and Grading in the China (Tianjin) Pilot Free Trade Zone", which is also the first data classification and grading standard in the country's free trade pilot zones, filling the institutional gap in this field.

The definition of important data given in this “standard and specification” is clear and enforceable. If the industry regulatory authorities have not issued standards for identifying important data, this “standard and specification” also provides guidance, involving a total of fourteen types of important data. Here are the main takeaways：

Data that only affects the organization itself or individual citizens is generally not considered important data.

The identification of important data shall refer to relevant laws, regulations, and provisions, and be carried out in combination with this “standard and specification”. If the industry regulatory authorities have publicly released or already released data classification and grading standards and specifications in the industry, the identification of important data shall be prioritized in accordance with industry specifications.

When the industry regulatory authorities do not have clear criteria to identify important data, the following criteria shall be followed:

• Personal information held by enterprises in the Tianjin Pilot Free Trade Zone with more than 10 million individuals; more than 1 million personal sensitive information; more than 100,000 people and including personal sensitive information such as personal bank accounts, personal insurance accounts, personal registration accounts, and personal medical treatment data.

• Personal information held by the operator identified as a critical information infrastructure.

• High-value sensitive data collected and generated by enterprises in the Tianjin Pilot Free Trade Zone during the R&D and design process, production and manufacturing process, and business management process, which are related to industry competitiveness and industry production safety. Data related to the enterprise supply chain involving national security.

• Automatic control system parameters and control, operation and maintenance, and test data of enterprises in the Tianjin Pilot Free Trade Zone that are related to the national economy and people's livelihood.