The global surge in cross-border data flow has prompted governments worldwide, including China, to intensify oversight of data export and enhance security provisions. Against the backdrop of the European Union’s enactment of the General Data Protection Regulation (GDPR), China announced its own Cybersecurity Law of the People’s Republic of China (CSL) soon after, introducing restrictions on data export. Subsequent legislation, such as the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), along with supplementary regulations, have continually refined China’s cross-border data transfer (CBDT) regime.

For multinational corporations that send data overseas or remotely access data in China as part of their operations, understanding the evolving requirements and criteria for CBDT is of paramount importance. Compliance with China’s relevant data laws is not only essential for conducting business legally but also crucial for maximizing data security and facilitating the smooth flow of data across borders. Failure to implement proper CBDT mechanisms may result in delayed data sharing, business disruptions, and unforeseen penalties.

Despite cybersecurity and data protection laws being well developed, China’s regulatory landscape continues to evolve. In 2023, several new regulations specifically addressing data protection and cybersecurity were introduced, with a particular emphasis on CBDT. Additionally, a new draft law has been proposed, potentially introducing easing CBDT rules 2024.

This ongoing developmental phase has created some framework gaps, making it challenging for foreign companies to precisely discern applicable requirements and necessary actions for full compliance. Consequently, many companies have yet to take action, exposing themselves to coming policy shifts and compliance risks.

Given the current dynamic environment, experts in the legal and cybersecurity fields emphasize the importance of businesses adopting a proactive stance toward CBDT. Rather than awaiting enforcement, companies should address both known and unknown aspects appropriately.

In this handbook:

  • What data are subject to CBDT mechanisms?
  • What counts as CBDT activities?
  • What kind of companies will have CBDT issues?
  • What are the current rules for CBDT?
  • CBDT mechanism I: Security assessment by the CAC
  • CBDT mechanism II: Third party PI protection certification
  • CBDT mechanism III: Signing a standard contract
  • Recent developments & trends: Easing CBDT requirements for foreign companies
  • 2024 outlook for cybersecurity and data protection regulations
  • Conclusion: How businesses can deal with China’s evolving cross-border data transfer regimes
  • Appendix I: Regulatory framework for CBDT in China

weitere Informationen