Authored by: Fu GUANGRUI (Mark) , Zhou Qi and Yang Yifan
Since the promulgation of the Cybersecurity Law of China in 2017, the Chinese government has been focusing on the regulation over cross-border data transfer out of China. As of today, the PRC legal regime for the cross-border data transfer has been generally established, while special requirements may vary across different industries or regions. In recent years, China have enacted a set of regulations and voluntary rules on cross-border data transfer that data processors and their counterpart recipients should abide by concerning the outbound transfer of personal information or Important Data. Some of the compliance requirements can be rather stringent and onerous to be put into practice, especially for MNCs with limited resource in China. On March 22, 2024, the Cyberspace Administration of China (the “CAC”) enacted the much-awaited Provisions on Promoting and Regulating Cross-border Data Flows (the “New Provisions”) which was published for public comments in September 2023. The newly-issued New Provisions has significantly eased the triggering conditions of complicated compliance obligations by proposing a series of exemptions for scenarios that would otherwise be subject to data transfer restrictions. It is widely deemed as the regulator’s positive attitude of relaxing the control over cross-border data transfer and streamline the data exchange between China and overseas in the real world.