Opinion: China’s New Rules on Cross-Border Data Transfer Offer Fresh Opportunities

The flow of data across borders brings with it new opportunities. Recently, the Cyberspace Administration of China unveiled the Regulations on Promoting and Regulating the Cross-Border Data Flows, which are concise yet comprehensive in scope.

They include: clarifying the standards for declaring important data for outbound security assessments; specifying conditions under which data can be exempted from such assessments; introducing a negative list system in free trade pilot zones; adjusting conditions requiring declarations for outbound data security assessments; establishing standard contracts for personal information leaving the country and those engaging in data export activities that have passed personal information protection certification; extending the validity period of the security assessments results for outbound data and adding provisions that allow data processors to apply for an extension of the validity period.

This suite of measures will undoubtedly greatly facilitate and standardize the cross-border flow of data.

Data is the cornerstone of the digital economy. Moreover, it is widely regarded as a novel factor of production, joining land, labor, capital and technology as a primary resource for economic development, necessitating rational global allocation.

Facilitating the lawful, orderly and free flow of data is also an essential requirement for integrating China into the global economy. The regulations aim to moderately relax the conditions for cross-border data flows and narrow the scope of security assessments for data exports.

Under the premise of ensuring national data security, these measures seek to reduce corporate compliance costs and fully unleash the value of data.

Undoubtedly, this will aid in high-quality development and serve to strongly support expansion to a higher level of international openness. Indeed, it could be said that the facilitation and regulation of cross-border flow of data is in itself a new initiative to expand international openness.

The issuance of these “regulations” is in line with current trends, reflecting the Chinese government’s lucid awareness of issues related to cross-border data flows. With the rapid advances in next-generation information technology, epitomized by artificial intelligence, cross-border data flows are a prerequisite for the development of the digital economy. Innovation and internationalization of enterprises also depend on the cross-border flow of data.

Furthermore, data possesses a cumulative effect: its utility can be exponentially increased through openness, flow, integration, and sharing. An economy aspiring to lead the next generation of the industrial revolution cannot afford to be a “data island.”

On the other hand, cross-border data flows are also one of the requirements of the current global high-level economic and trade system, and it is a threshold of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).

Against the backdrop of China’s active integration into the global economic system, with its proactive alignment with advanced economic and trade rules and pursuit of institutional openness, facilitating and regulating cross-border data flow has become a matter of course.

In terms of the legal framework, the “regulations” dovetail with the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. Legal provisions tend to be principle-based, leaving both regulators and market participants often feeling adrift regarding their interpretation and application when putting them into practice. The “regulations” further refine and supplement the norms for cross-border data flows, eliminating much of the uncertainty.

The “regulations” also differ in emphasis from one of the aforementioned laws. As the name suggests, the Cybersecurity Law focuses on security, stating that personal information and important data collected and generated by operators of critical information infrastructure within China must be stored domestically.

If it is necessary for business purposes to provide such data abroad, a security assessment must be conducted in accordance with the methods developed by the national cyber information department in conjunction with relevant State Council departments. If other laws or administrative regulations specify otherwise, those provisions shall be followed.

The most noteworthy aspect of the “regulations” is their explicit statement that if the relevant departments and regions have not notified or publicly announced the data as important, data handlers do not need to submit it for a security assessment before transferring abroad. This establishes basic principles for cross-border data flow, facilitating more convenient movement.

Furthermore, by listing scenarios exempt from security assessment, establishing standards for contracts on personal information transferred abroad, and through personal information protection certification — such as international trade, cross-border transport, academic cooperation, transnational production, and marketing activities that provide data collected abroad without including personal information or important data — it greatly eases cross-border business for market entities and sets a compliance benchmark for corporate operations.

For a long time, security and development have often been simplistically viewed as a trade-off, suggesting that emphasizing security necessitates limiting development, and advocating for development requires sacrificing security. This perception is misleading. In the matter of cross-border data flows, whether to restrict or facilitate depends critically on the inherent attributes of various types of data. The “regulations” have provided a model for this.

Only by establishing clear rules and systems through laws and regulations can the simplistic trade-off be thoroughly broken, offering clear guidance and expectations to market participants and regulators alike. The “regulations” set basic principles for cross-border data flows from a high-level design perspective.

However, in the process of implementation, there will undoubtedly be many new issues and phenomena, necessitating continuous improvement. The precision in understanding and applying the “regulations” will determine their effectiveness.

Recently, the Chinese government introduced several measures to expand openness. The “regulations” respond to the common concerns of domestic and foreign enterprises, representing a tangible benefit to businesses and an opening gesture. This reaffirms to the world that the Chinese government’s determination and attitude toward openness remain unchanged, demonstrating its commitment to fulfilling promises and pursuing established goals through concrete actions.