The Cyberspace Administration of China released the "Regulations on Promoting and Regulating Cross-border Data Flows"

　　China News Service, March 26. According to the "Network China" WeChat public account, on March 22, the Cyberspace Administration of China announced the "Regulations on Promoting and Regulating Cross-Border Data Flows" (hereinafter referred to as the "Regulations"). Effective from date.

　　The relevant person in charge of the Cyberspace Administration of China said that cross-border data flow has become the basis for the exchange and sharing of global capital, information, technology, talents, goods and other resource elements. In order to promote the orderly and free flow of data in accordance with the law, stimulate the value of data elements, and expand high-level opening up to the outside world, the "Regulations" optimize and adjust the data export systems such as data export security assessment, personal information export standard contract, and personal information protection certification.

　　The "Regulations" clarify the reporting standards for the export security assessment of important data, and propose that if the data has not been notified or publicly released as important data by the relevant departments or regions, the data processor does not need to declare the data export security assessment as important data.

　　The "Regulations" stipulate the conditions for data export activities that are exempt from reporting data export security assessments, entering into standard personal information export contracts, and passing personal information protection certification: First, international trade, cross-border transportation, academic cooperation, transnational manufacturing and marketing, etc. The data collected and generated during the activities are provided overseas and do not contain personal information or important data; second, the personal information collected and generated overseas is transferred to the country for processing and then provided overseas, and no domestic personal information or important data is introduced during the processing. thirdly, it is really necessary to provide personal information overseas in order to conclude and perform a contract to which the individual is a party; fourthly, it is necessary to provide cross-border human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law, and it is really necessary to provide personal information overseas Providing personal information of employees; fifth, in order to protect the life, health and property safety of natural persons in emergencies, it is really necessary to provide personal information overseas; sixth, data processors other than critical information infrastructure operators shall start from January 1 of that year A total of less than 100,000 personal information (excluding sensitive personal information) has been provided overseas.

　　The "Regulations" establish a negative list system for free trade pilot zones. It is proposed that within the framework of the national data classification and hierarchical protection system, the free trade pilot zone can formulate a negative list within the zone on its own, and after approval by the provincial network security and information technology committee, report it to the national cybersecurity and informatization department and the national data management department for filing. Data processors in the free trade pilot zone who provide data outside the negative list overseas are exempted from declaring a data export security assessment, entering into a standard contract for personal information export, and passing personal information protection certification.

　　The "Regulations" clarify the conditions for two types of data export activities that should apply for data export security assessment. First, critical information infrastructure operators provide personal information or important data overseas; second, data processors other than critical information infrastructure operators provide personal information or important data to foreign countries. Providing important data overseas, or providing personal information of more than 1 million people (excluding sensitive personal information) or sensitive personal information of more than 10,000 people to overseas countries since January 1 of that year. At the same time, it clarified the conditions for data export activities that should enter into a standard contract for personal information export or pass personal information protection certification, that is, data processors other than critical information infrastructure operators have provided more than 100,000 people overseas since January 1 of that year. , Personal information of less than 1 million people (excluding sensitive personal information) or sensitive personal information of less than 10,000 people.

　　The "Regulations" also stipulate the validity period and extension application of data export security assessment, data security protection obligations and supervision and management responsibilities, and the connection and application with other regulations on data export security management.