Order of the State Internet Information Office

No. 16

  The "Regulations on Promoting and Regulating Cross-Border Data Flows" were reviewed and adopted at the 26th office meeting of the Cyberspace Administration of China on November 28, 2023, and are hereby announced and will come into effect on the date of promulgation.

Zhuang Rongwen, Director of the Cyberspace Administration of China

March 22, 2024

Regulations on Promoting and Regulating Cross-Border Data Flows

  Article 1 In order to ensure data security, protect personal information rights and interests, and promote the orderly and free flow of data in accordance with the law, these regulations are formulated in accordance with the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", the "Personal Information Protection Law of the People's Republic of China" and other laws and regulations, for the implementation of data export systems such as data export security assessment, personal information export standard contract, and personal information protection certification.

  Article 2 Data processors shall identify and declare important data in accordance with relevant regulations. If data has not been notified or publicly released as important data by relevant departments or regions, the data processor does not need to apply for a data export security assessment for it as important data.

  Article 3 If the data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, cross-border manufacturing, and marketing are provided overseas and do not contain personal information or important data, the data processor is exempted from applying for a data export security assessment, entering into a standard contract for personal information export, and passing personal information protection certification.

  Article 4 If the personal information collected and generated by data processors abroad is transferred to China for processing and then provided abroad, and no domestic personal information or important data is introduced during the processing, the data processor is exempted from applying for a data export security assessment, entering into a standard contract for personal information export, and passing personal information protection certification.

  Article 5 If a data processor provides personal information overseas and meets one of the following conditions, it will be exempted from applying for a data export security assessment, entering into a standard contract for personal information export, and passing personal information protection certification:

  (1) In order to enter into and perform a contract to which an individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa processing, examination services, etc., it is really necessary to provide personal information overseas;

  (2) Implementing cross-border human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law, and it is really necessary to provide employees' personal information overseas;

  (3) In order to protect the life, health and property safety of natural persons in an emergency, it is really necessary to provide personal information overseas;

  (4) Data processors other than critical information infrastructure operators have provided personal information of less than 100,000 people (excluding sensitive personal information) to overseas countries since January 1 of that year.

  The personal information provided overseas as mentioned in the preceding paragraph does not include important data.

  Article 6 The free trade pilot zone, under the framework of the national data classification and hierarchical protection system, may independently formulate a list of data within the zone that needs to be included in the data export security assessment, personal information export standard contract, and personal information protection certification management scope (hereinafter referred to as the negative list), which, after approval by the provincial network security and information technology committee, shall be reported to the national cybersecurity and informatization department and the national data management department for filing.

  Data processors in the free trade pilot zone who provide data outside the negative list overseas are exempted from declaring a data export security assessment, entering into a standard contract for personal information export, and passing personal information protection certification.

  Article 7 If a data processor provides data overseas and meets one of the following conditions, it shall apply to the national cybersecurity and informatization department for a data export security assessment through the local provincial cybersecurity and informatization department:

  (1) Critical information infrastructure operators provide personal information or important data overseas;

  (2) Data processors other than critical information infrastructure operators provide important data overseas, or have provided overseas, since January 1 of that year, personal information of more than 1 million people (excluding sensitive personal information) or sensitive personal information of more than 10,000 people.

  If it falls under the circumstances specified in Articles 3, 4, 5 and 6 of these Regulations, such provisions shall prevail.

  Article 8 Where data processors other than critical information infrastructure operators have provided overseas, in total since January 1 of that year, personal information of more than 100,000 people but less than 1 million people (excluding sensitive personal information), or sensitive personal information of less than 10,000 people, a standard contract for the transfer of personal information abroad shall be concluded with the overseas recipient in accordance with the law, or personal information protection certification shall be passed.

  If it falls under the circumstances specified in Articles 3, 4, 5 and 6 of these Regulations, such provisions shall prevail.

  Article 9 The result of the data export security assessment is valid for 3 years, starting from the date the assessment result is issued. Upon expiration of the validity period, if data export activities need to be continued and there is no need to re-declare the data export security assessment, the data processor may, within 60 working days before the expiration of the validity period, apply to the national cybersecurity and informatization department through the local provincial cybersecurity and informatization department for an extension of the validity period of the assessment result. With the approval of the national cybersecurity and informatization department, the validity period of the assessment result can be extended for 3 years.

  Article 10 When data processors provide personal information overseas, they shall perform obligations such as notification, obtaining individual consent from individuals, and conducting personal information protection impact assessments in accordance with laws and administrative regulations.

  Article 11 When data processors provide data overseas, they shall abide by the provisions of laws and regulations, fulfill their data security protection obligations, and take technical measures and other necessary measures to ensure the safety of data leaving the country. If a data security incident occurs or may occur, remedial measures shall be taken and promptly reported to the cybersecurity and informatization department at or above the provincial level and other relevant competent authorities.

  Article 12 Local cybersecurity and informatization departments should strengthen the guidance and supervision of the data export activities of data processors, improve the data export security assessment system, and optimize the assessment process; they should strengthen the supervision of the entire chain and all areas before, during and after the event. If it is found that there are serious problems in data export activities, that there is a major risk, or that a data security incident has occurred, the data processor will be required to make rectifications to eliminate hidden dangers; those who refuse to make corrections or cause serious consequences will be held legally responsible.

  Article 13 If relevant provisions such as those of the "Data Transfer Security Assessment Measures" announced on July 7, 2022 (State Internet Information Office Order No. 11) and the "Standard Contract Measures for the Transfer of Personal Information" announced on February 22, 2023 (State Internet Information Office Order No. 13) are inconsistent with these provisions, these provisions shall apply.

  Article 14 These regulations shall come into effect from the date of promulgation.

  Source: "Network China" WeChat public account