In the era of digital economy, the orderly flow and utilization efficiency of data are crucial to the optimization of data element configuration. Especially in cross-border digital trade activities, an efficient and secure cross-border data transmission system has become the basis for promoting a new order of digital trade. From a global perspective, the United States, the European Union, ASEAN, etc. are all promoting the construction of cross-border data transmission systems at the domestic legal level, intending to seize the right to formulate and speak global data cross-border transmission rules. In order to fully grasp the economic context of the digital era and participate in the competition and cooperation in the new order of the digital economic landscape, my country has successively formulated high-quality cross-border data transmission rules such as the "Data Transfer Security Assessment Measures" and "Personal Information Transfer Standard Contract Measures", resulting in achieved good results.
On the basis of the above rules, focusing on the new issues and new demands that are constantly emerging in the practice of digital trade, my country insists on coordinating high-quality development and high-level security, and based on the needs of industrial practice, the State Cyberspace Administration of China has formulated the "Promoting and Regulating Data Cross-border Mobility Regulations" (hereinafter referred to as the "Regulations"). Within the current legislative framework of cross-border data transmission in my country, the "Regulations" further refines the business compliance standards and operational specifications for corporate data export, and fully reflects my country's innovative ideas in the field of cross-border data transmission supervision, that is: both Stable digital trade activities should be achieved by ensuring the security of cross-border data transmission, and a new pattern of cross-border digital trade should be created by smoothing institutional channels for cross-border data transmission. The promulgation of the "Regulations" further optimizes my country's institutional system for the cross-border flow of data, provides diversified and flexible institutional tools for corporate data export, and also effectively counters the United States and other Western countries' "data localism" and obstruction of globalization by the United States and other Western countries. Groundless accusations such as digital trade activities.
The role of the "Regulations" in promoting the high-quality development of cross-border digital trade is mainly reflected in the following four aspects.
First, based on the practical characteristics of digital trade, refine the scope of application of the cross-border data transmission system. In regulatory practice, some companies do not have an accurate understanding of the legal nature of their cross-border data transfer business, making it difficult to accurately confirm what cross-border data transfer flow mechanism should be applied. In order to solve the problem of ambiguous applicable standards for cross-border data flow mechanisms at the legal implementation level, the "Regulations" enumerate the situations where data export security assessment, personal information export standard contract, and personal information protection certification do not need to be applied. For example, "entering into and performing a contract to which an individual is a party" mainly involves activities such as cross-border shopping, cross-border mailing, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservations, visa processing, examination services, etc. The scope of these activities The commonality is that personal cross-border activities require high-frequency and barrier-free cross-border transmission of personal information. For another example, the criterion for judging the necessity of “implementing cross-border human resources management” is the labor regulations and systems formulated in accordance with the law and the collective contract signed in accordance with the law. Such clauses express the personal information of employees necessary for the protection of cross-border enterprises or cross-border businesses. On the basis of normal entry and exit, it effectively prevents some companies from improperly expanding the necessary actual scope of cross-border human resources management, causing non-essential personal information to exit the country in an unsafe manner. For another example, “emergency situations” refer to the urgency of data export for the purpose of protecting the life, health and property safety of natural persons.
Second, clarify the needs of business activity scenarios and promote the orderly implementation of the cross-border data transmission system. After my country established a cross-border data transmission system centered on data export security assessment, personal information export standard contract, and personal information protection certification, regulatory agencies have also continued to promote the specific implementation of these systems. For example, the country's first data compliance export case, a joint research project between Beijing Friendship Hospital affiliated to Capital Medical University and the University of Amsterdam Medical Center in the Netherlands, provides practical guidance for the safety management of medical and health data export and international medical research cooperation. Another example is my country’s first full-system inventory, full-business declaration, and full-scenario approved data export security assessment case in the automotive field. Beijing Hyundai Motor Co., Ltd.’s data export security assessment project demonstrates standardized business compliance for data export activities in the automotive field. Way. Under this scenario-oriented concept of cross-border data transmission governance, the "Regulations" also focus on the business needs of specific scenarios, allowing international trade, cross-border transportation, academic cooperation, and transnational Data export security assessments, personal information standard contracts and personal information protection certification mechanisms are not applicable to data export activities generated in manufacturing and marketing activities. This exemption undoubtedly provides great convenience for Chinese companies to conduct cross-border business overseas, because with the development trend of economic globalization, common cross-border trade activities such as customer service, logistics, cloud storage, and data analysis will frequently generate and transmit related businesses. data. The export of these business data will not directly lead to national security and other issues, and the "Regulations" exempt it, effectively eliminating the regulatory uncertainty behind such issues.
Third, reserve space for interpretation of the regulatory system and promote diversified innovation in the cross-border data transmission system. The cross-border data transmission system is an important support and security guarantee for my country's various free trade ports, free trade zones, and even economic reform areas such as the Guangdong-Hong Kong-Macao Greater Bay Area to explore new cross-border digital trade activities. The "Special Plan for the International Data Industry of the Lingang New Area of the China (Shanghai) Pilot Free Trade Zone (2023-2025)" clearly states that it is necessary to optimize the operating rules for cross-border data flows, promote the security assessment of cross-border data flows, and improve the cross-border data flow. Mobile public service management platform functions and many other specific measures. In order to fully ensure the implementation of the "try first" governance model, the "Regulations" specifically add "flexible space" to the free trade zone's cross-border data flow system, that is, through the form of a data list, the existing cross-border data transmission mechanism be "fine-tuned". This data inventory mechanism can be understood as the organic integration of three types of governance elements: "full authorization", "legal procedures" and "convenient flow". "Full authorization" means that the "Regulations" authorize the free trade zone to formulate a data export supervision mechanism suitable for the region's economic and trade activities; "legal procedures" means that the "Regulations" clearly limit the approval and filing process from the local to the central government, truly realizing "Full innovation within the legal scope"; "convenient flow" refers to the fact that the "Regulations" allow other cross-border data transfer activities outside the data list, and do not need to continue to apply for data export security assessment, personal information export standard contract, personal information protection certification, etc. system, but directly integrated with cross-border digital trade activities in a manner that is consistent with commercial efficiency. The free trade zone belongs to the "domestic and outside customs" area, and there are policy preferences in the fields of industrial and commercial registration, foreign investment, talent introduction, etc. The data list set up in the "Regulations" can allow the free trade zone to gain more access to information while taking into account safety management. Prefer to explore the cross-border data flow system and mechanism with the economic characteristics of the free trade zone.
Fourth, respond to corporate compliance concerns about data exports and reduce the difficulty of compliance in cross-border data transmission systems. One of the highlights of the "Regulations" is that it improves the operability of the current cross-border data transmission system and reduces the difficulty of business compliance for data export by small and medium-sized enterprises. The "Regulations" do not set a regulatory threshold for the total amount of data held by data processors, but focus more on the assessment of the risk level of the data environment. Therefore, the Regulations adjust the focus of risk attention to the scale and type of data export. For example, in the outbound activities of providing non-sensitive personal information to overseas countries, it is set as "those who have provided personal information of less than 100,000 people to overseas countries since January 1 of the current year" and "who have provided personal information of less than 100,000 people to overseas countries since January 1 of that year." The three types of data export quantity thresholds are "complete exemption" and "exempt applicable data" respectively. Compliance requirements for three types of business: "Exit security assessment" and "Mandatory declaration of data exit security assessment". For data export activities that clearly do not endanger national security, personal information rights, etc., for example, the amount of data transferred across the border is sparse, there is no need to specifically declare regulatory procedures such as data export security assessment.
There is reason to believe that the promulgation and implementation of the "Regulations" will further promote safe, orderly and efficient cross-border data, further promote cross-border digital trade activities, and enhance my country's ability to compete and cooperate in the new international digital governance landscape. will all play an important role.
Author: Wang Xizhen, director and professor of the Research Center for Constitutional and Administrative Law at Peking University, vice president of the Network and Information Law Research Association of the China Law Society
Source: "Network China" WeChat public account