On March 22, 2024, the Cyberspace Administration of China (CAC) published the Regulations on Promoting and Regulating Cross-border Data Flows.

In particular, the Regulations highlight that where a data processor provides personal information overseas, it will be exempted from applying for a data export security assessment, entering into a standard contract, and passing a personal information protection certification if it is necessary to provide personal information overseas and:

• the personal information processing is necessary to enter into and perform a contract to which an individual is party, including cross-border shopping, delivery, remittance, payment, account opening, air ticket and holiday booking, visa processing, and examination;
• the personal information processing is for cross-border HR management according to labor rules or collective employment contracts;
• the personal information processing is in an emergency situation to protect the life, health, and property of natural persons; or
• the aggregated transfer of non-sensitive personal information does not exceed 100,000 individuals since January 1 of that year.

Data processors that provide data overseas and meet one of the following conditions must apply to the CAC for a data export security assessment at the provincial level:

• critical information infrastructure operators (CIIOs) that provide personal information or important data overseas; or
• data processors other than CIIOs that provide important data overseas, or provide the personal information of more than one million people (excluding sensitive personal information) or the aggregated sensitive personal information of more than 10,000 people since January 1 of that year.

Data processors other than CIIOs that have provided the personal information of more than 100,000 people but less than one million people (excluding sensitive personal information) or the sensitive personal information of less than 10,000 people since January 1 of that year may conclude a standard contract for the transfer of personal information overseas.

Notably, the Regulations detail that the result of a data export security assessment is valid for three years, starting from the date of issuance of the assessment result.

Further, the Regulations stipulate that when data processors provide personal information overseas, they must notify individuals, obtain individual consent, and conduct Personal Information Protection Impact Assessments in accordance with applicable laws.

You can read the press release here and the Regulations here, both only available in Chinese.