Data other than important data and personal data can flow freely across borders. The Q&A emphasizes that, in principle, the requirements of Chinese law are intended to ensure the security and free flow of data. They apply only to personal data and important data because the transfer of such data outside of China may affect national security and public interests.

The methodology for assessing the necessity of transferring personal data outside China has been further elaborated. The CAC will consider whether there is a necessity for the transfer itself, the types of data subjects involved, and the categories of personal data transferred (each an “assessed factor”). The necessity test is satisfied with respect to an assessed factor if (i) the data to be transferred are directly related to, limited to the minimum necessary for, and retained only for the time required to achieve the purposes of the processing, and (ii) the processing has a minimal impact on the data subjects concerned. Thus, the context of the transfer is very important. The Chinese authorities will formulate sector-specific guidance to assist companies in assessing necessity in different transfer contexts.

Important data can be transferred outside of China if a security assessment shows that the transfer will not endanger national security or public interests. As of March 2025, the central CAC has completed a total of 44 applications for transferring important data outside of China. 7 out of 44 of such applications failed the assessment. The failure rate at the application level is 15.9%. These 44 applications include 509 important data fields, of which 325 important data fields were allowed to be transferred outside China after the assessment. The success rate at the data field level is 63.9%.

As to the scope of important data, the Q&A provides that companies may identify the important data that they process in accordance with a national standard (i.e. GB/T 43697-2024 Technical Data Security Data Classification and Grading Rules Appendix G Guidelines for Identifying Important Data) and report the identification results with the relevant authorities. But the Q&A restates and emphasizes at the same time that, it is not necessary for companies to make assessment applications for transferring important data outside of China, unless they have been notified by the authorities that the data being processed is important data or has been included in any public important data catalogues.

There are certain convenient channels that international organizations may consider to legitimize their intra-group transfers. For example, if several Chinese affiliates are transferring data outside of China in the same or similar patterns, they may choose a representative and make a filing or application on a group basis. If the transfers are more complex, the group affiliates, both inside and outside China, may consider applying for a transfer compliance certificate to cover all intra-group transfers. This certificate will exempt the covered affiliates from the requirement to sign stand-alone bilateral Standard Contractual Clauses (SCCs).

More flexible transfer arrangements will be made available to companies registered in free trade zones (FTZs). At present, the FTZs in Tianjin, Beijing, Hainan, Shanghai, Zhejiang and other places have published negative lists covering cross-border data transfers in 17 sectors, such as automobiles, medicine, retail, civil aviation, reinsurance, deep-sea industry and seed industry. Transfers covered by the negative lists can be exempted from the requirements of signing SCCs, making filings, or obtaining government approvals. More importantly, according to the Q&A, if one FTZ has already published a negative list for the same sector, the other FTZs can directly refer to and implement it. This means that companies registered in different FTZs may be able to benefit from the same policy.

Overall, this Q&A has sent a positive signal. After completing the necessary compliance actions, companies can transfer personal data and important data outside of China to carry out legitimate intra-group management and international business activities. The Chinese authorities are committed to further clarifying the rules and providing flexible arrangements for data transfers. As relevant guidelines and standards continue to be issued, “no clear rules” will no longer be a reasonable excuse. For companies that have not yet taken steps to address cross-border data transfers, we recommend that they plan and begin this work as soon as possible.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or fines on 4,046 website platforms, ordered 585 websites to suspend or update relevant functions, took down 200 Apps and took administrative actions on 40 mini-programs. The CAC also conducted joint enforcement actions together with the Ministry of Industry and Information Technology and revoked the licenses or shut down 10,946 websites and closed 107,802 accounts.

The following violations are of particular concern to these enforcement activities:

• Failure to maintain relevant network logs as required by law or to promptly address security risks (such as system vulnerabilities), resulting in illegal and regulatory issues such as system attacks, tampering, and data leaks;
  
• Failure to clearly display privacy notices in Apps, obtain necessary consent to process personal data, or provide convenient methods to opt out or de-register accounts;
  
• Failure to conduct required recordal or filing for AI models or features built into Apps or mini-apps; and
  
• Unreasonably requiring consumers to scan QR codes or perform facial recognition that is not necessary to provide the underlying services.

Around the same time, the National Computer Virus Emergency Response Center, which is an institution responsible for detecting and handling computer virus outbreaks and cyber attacks under the supervision of the Ministry of Public Security, published a list Apps that violated the personal data protection laws in the following areas:

• Failure to provide data subjects with all the required information about the processing (e.g. name and contact details of the controller, categories of personal data processed, purposes of the processing, retention period, etc.) in a prominent place and in clear and understandable language; in particular, failure to provide such information about any third party SDK or plugin is also considered a breach of the law;
  
• Failure to provide data subjects with the required details about any separate controller (e.g. name, contact information, categories of personal data processed, processing purposes, etc.) or to obtain the separate consent of data subjects before sharing their personal data with the separate controller;
• Failure to obtain the separate consent of data subjects before processing their sensitive personal data;
  
• Failure to provide users with the App functions to delete personal data or de-register accounts, or to complete the deletion or deregistration within 15 business days; or setting unreasonable conditions for users to de-register accounts;
  
• Failure to formulate special rules for processing the personal data of minors (under the age of 14) or to obtain parental consent before processing the personal data of minors; and
  
• Failure to take appropriate encryption, de-identification and other security measures, taking into account the nature of the processing and its impact on the rights and interests of data subjects.

The above enforcement focuses are also consistent with the audit points highlighted in the newly released personal data protection audit rules (see our article here). We expect the same enforcement trend to continue into 2025. Companies that process personal data in China or in connection with business in China are advised to review their compliance status with the requirements of Chinese law and take remedial action in a timely manner.

The Measures outline the requirements and procedures for both self-initiated and regulator-requested compliance audits.

(Interestingly, they also clarify some other PIPL obligations, such as the data volume threshold for appointing a DPO as well as the necessity of separate consent for some processing activities.)

Who must conduct data protection compliance audits, and when?

The Measures require a data controller processing personal data of more than 10 million individuals to conduct a self-initiatedcompliance audit of its personal data processing activities (“Self-Initiated Audits“) at least once every two years. 

Data controllers below this volume threshold should still conduct Self-Initiated Audits on a regular basis as is already prescribed under the PIPL, as a matter of good governance.

In addition, the CAC or other data regulators may instruct any data controller to conduct an audit (“Regulator-Requested Audits“):

1. when personal data processing activities are found to involve significant risks, including serious impact on individuals’ rights and interests or a serious lack of security measures;
   
2. when processing activities may infringe upon the rights and interests of a large number of individuals; or
   
3. following a data security incident involving the leakage, tampering, loss, or damage of personal information of one million or more individuals, or sensitive personal information of 100,000 or more individuals.

The audit report for Regulator-Requested Audits must be submitted to the regulator. The regulator may request data controllers to undertake rectification steps, and a subsequent rectification report must be provided to the regulator within 15 business days of competing the rectification steps.

Data controllers may, if they wish or when requested by the regulator, engage an accredited third party to conduct the audit (but the third party and its affiliates must not conduct more than three such audits in total for the same organisation).  

DPOs of data controllers processing personal data of more than one million individuals are responsible for overseeing the audit activities.

Key elements to be audited

The Measures outline a detailed set of key elements to be audited, which offer valuable insights into the detailed compliance steps expected from controllers for compliance with PIPL obligations, and will help organisations to scope their audits. Unsurprisingly, these elements cover every facet of PIPL compliance, spanning the whole data lifecycle. They include: lawful bases, notice and consent, joint controllership, sharing or disclosing personal data, cross-border data transfers, automated decision-making, image collection/identification equipment, processing publicly available personal data, processing sensitive personal data, retention and deletion, data subject right requests, internal data governance, data incident response, privacy training, Important Platform Providers’ platform rules and CSR reports, etc.

On 3 January 2025, the Cyberspace Administration of China (“CAC“) released for public consultation the draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (“Draft Measures“). This regulation represents the final piece in the CAC’s regulatory framework for the three routes to legitimize cross-border transfers of personal data outside of China (“CBDTs“).

To recap, Chinese law requires data controllers to take one of the following three routes to legitimize CBDTs, unless they qualify for specific exemptions under the Provisions on Promoting and Regulating Cross-Border Data Flows (click here for our summary, “Provisions“) or local rules:

• CAC security assessment;
• Standard Contractual Clauses (“SCCs“) filing; or
• CAC-accredited certification.

If enacted, the Draft Measures will provide significant clarity regarding the certification route, offering data controllers both within and outside of China a viable option for compliance of CBDTs. Below is a practical guide to the key provisions of the Draft Measures, along with our recommendations for data controllers engaged in CBDTs in light of this new regulation.

Who can utilise the certification route?

Data controllers in China: In alignment with the conditions outlined in the Provisions, the Draft Measures reiterate that a data controller in China may pursue the certification route if:

• the data controller is not a critical information infrastructure operator (“CIIO“);
• no important data is transferred outside of China; and
• it has cumulatively transferred non-sensitive personal data of 100,000-1,000,000 individuals or sensitive personal data of less than 10,000 individuals outside of China since the beginning of the year.

It is worth noting that these conditions are the same as those for taking the SCCs filing route, making the certification route an effective alternative to the SCCs filing route for data controllers in China.

Overseas data controllers: The certification route is also available to data controllers outside of China that fall under the extraterritorial jurisdiction of the Personal Information Protection Law (“PIPL“), i.e. those processing personal data of residents in China to provide products or services to them or analyze or evaluate their behavior.

The Draft Measures do not specify the volume threshold or other conditions for overseas data controllers to take the certification route. It remains to be clarified whether overseas data controllers with a limited scope of CBDTs (e.g. those not reaching the volume threshold for data controllers in China as outlined above) can be exempted from obtaining certification or following the other legitimizing routes.

From which certification bodies can a data controller obtain the certification?

Certification bodies that have received approval from the State Administration for Market Regulation (“SAMR“) and have completed a filing process with the CAC are qualified to issue the CBDT certification.

What are the evaluation criteria for the certification?

The evaluation for the certification will focus on the following aspects:

• the legality, legitimacy and necessity of the purposes, scope and methods of the CBDT;
• the impact of the personal data protection laws and policies and network and data security environment of the country/region where the overseas data controller/recipient is located on the security of the transferred personal data;
• whether the overseas data controller/recipient’s level of personal data protection meets the requirements under Chinese laws, regulations and mandatory national standards;
• whether the legally binding agreement between the data controller and the overseas data recipient imposes obligations for personal data protection;
• whether the organizational structure, management system, and technical measures of the data controller and the overseas data recipient can adequately and effectively ensure data security and protect individuals’ rights and interests regarding their personal data; and
• other aspects deemed necessary by certification bodies according to relevant standards for personal information protection certification.

Are there special requirements for overseas data controllers pursuing certification?

Yes. An overseas data controller governed by the PIPL seeking certification must submit the application with the assistance of its dedicated institution or designated representative located in China (the presence of which is a requirement under the PIPL).

The Draft Measures also make it clear that overseas data controllers must, like data controllers in China, assume legal responsibilities associated with certification processes, undertake to comply with relevant Chinese data protection laws and regulations, and be subject to the supervision by Chinese regulators and certification bodies.

How are certification processes and results supervised?

The Draft Measures grant supervisory powers to both the SAMR and the CAC. They can conduct random checks on certification processes and results; and evaluate certification bodies. Certified data controllers will also be under continuous supervision by their certification bodies.

If a certified data controller is found to no longer meet the certification requirements (e.g. the actual scope of the CBDT is inconsistent with that specified in the certification), the certification will be suspended or revoked, which action will be made public. 

Are there ancillary rules and standards on the horizon?

Probably yes. The Draft Measures indicate that the CAC will collaborate with relevant regulators to formulate standards, technical regulations, and conformity assessment procedures for CBDT certification and work alongside the SAMR to develop implementation rules and unified certificates and marks for CBDT certification.

Is the certification likely to be recognised in other jurisdictions?

Probably yes. According to the Draft Measures, China will facilitate mutual recognition of personal information protection certification with other countries, regions, and international organizations.

Recommendations

As discussed, the Draft Measures make available a tangible certification route to legitimize CBDTs for data controllers both within and outside of China. Data controllers should carefully evaluate and choose between the three legitimizing routes when engaging in CBDTs, considering their respective pros and cons and suitability for the controllers’ specific patterns of CBDTs. For example, the certification route may be advantageous for complex CBDTs among multiple parties where signing of SCCs is challenging. To make well-informed decisions, data controllers engaged in CBDTs are recommended to closely monitor developments related to the Draft Measures in the months following the conclusion of the public consultation period on 3 February 2025, and remain vigilant for any release of ancillary rules and standards. This is particularly necessary because some important details about the certification route, such as the validity period of the certification and any thresholds for overseas data controllers to take the certification route, remain unclear.

Overseas data controllers processing personal data of residents in China should also be aware of the Draft Measures, as they specifically outline the certification route. This represents a further enhancement of Chinese regulations governing overseas data controllers, following clarifications regarding the procedure for reporting dedicated institutions or designated representatives of overseas data controllers under the Network Data Security Management Regulation that took effect on 1 January 2025 (click here for our summary). Given this trend, overseas data controllers processing personal data of residents in China should consider assessing whether they fall under the extraterritorial jurisdiction of Chinese data protection laws and, if so, evaluating the practical risks of non-compliance with such laws (e.g. the impact of potential service disruptions or access restrictions). If compliance with Chinese data protection laws turns out to be necessary, it is advisable to implement a comprehensive program to navigate how China’s CBDT restrictions and, more broadly, its complex data regulatory framework may apply to the overseas data controller and devise compliance strategies.

It is also important to remember that the legitimizing routes are not the sole requirement for CBDTs under Chinese law. Regardless of the chosen route, data controllers must implement other compliance measures for CBDTs, including obtaining separate consent from data subjects, conducting personal information impact assessments, and maintaining records of processing activities.

Scope

The Regulation governs “network data”, and the compliance obligations primarily apply to “network data handlers”.

• Network data: the Regulation governs electronic data processed and generated via networks (“network data“) and applies to all the processing of network data within Mainland China. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).
  
• Network data handler: a “network data handler” refers to the party that autonomously determines the purposes and means of processing network data. That is akin to a data controller when it comes to personal information. In practice, this would include communication network operators, online service providers and users.

The Regulation has extra-territorial effect. This means that, if a foreign entity processes personal information of Mainland China residents outside of Mainland China, the requirements of the Regulation and the PIPL will apply if the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour.

As has become common with China data regulations, if a foreign (non-Chinese) entity’s processing of network data outside of Mainland China may harm China’s national security, public interests, or the legitimate rights and interests of Chinese citizens or organizations, the Regulation restates Chinese authorities’ power to hold the foreign entity liable in accordance with other applicable laws. It remains unclear how these powers may be enforced in practice against non-Chinese entities without a presence in Mainland China.  

Key Compliance Obligations

The Regulation focuses on four key areas:

• personal information privacy: enhancements and clarifications to the existing China personal information protection framework as it pertains to “network data”;
  
• “large scale” personal information handlers: introduces additional reporting obligations on data controllers of large volumes of personal information;
  
• important data: imposes significant additional governance obligations to the existing “important data” compliance framework, and clarifies how organisations can assess whether or not they handle important data; and
  
• online platform operators: extends existing compliance obligations to manufacturers of smart terminal devices with pre-installed applications, and imposes additional reporting and governance obligations on “large-scale network platforms”. 

Impact on Data Privacy Compliance

Key developments as regards network data handlers processing personal information include:   

• Security defects, threats and risks: the timescale for network data handlers to report data incidents (i.e. security defects, threats or risks involving its products or services) is reduced, so that an incident must be reported within 24 hours of identification if it could harm national security or public interests. However, the Regulation does not specify what defects, threats or risks could harm national security or the public interest or provide any assessment methods.
  
• Data processing agreements (“DPAs”) and record-keeping: the obligation on network data handlers to enter into a DPA with each third party to which it transfers personal information is clarified now to include C2C (controller to controller) transfers as well as C2P (controller to processor) transfers. The DPA and relevant processing records must be kept for at least three years. This obligation is also now clarified to extend to the sharing of important data with third parties, not just personal information.
  
• Data portability: the PIPL gives data subjects the right to data portability (although it is little used in practice by data subjects in China). The Regulation now sets out the conditions that must be met to exercise such right, namely: (i) verifying the true identity of the data subject; (ii) the legal basis for processing the concerned personal information must either be consent or contract necessity; (iii) the transfer is technically feasible; and (iv) the transfer will not harm the legitimate rights and interests of others. Further, it is now clarified that, if the number of requests significantly exceeds a reasonable range, the network data handler may charge necessary costs of fulfilling the request. Please note that the right to data portability still only covers personal information. Unlike the EU Data Act, the portability of other non-personal business or operation data is not addressed under the Regulation.
  
• Foreign entities keeping and reporting institutions/representatives in China: The Regulation clarifies the procedure for complying with the PIPL requirement for foreign entities processing the personal information of Mainland China residents outside of Mainland China to establish a dedicated institution or designate a representative within Mainland China for personal information protection and to report the name and contact information of such institution/representative, where the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour. According to the Regulation, such information should be reported to the municipal-level data authority, which will then forward it to other relevant regulators at the same level. However, foreign entities still need to watch out for further clarifications regarding other aspects of this requirement such as the reporting timeframe.

Obligations re Important Data

• Defining/identifying important data: the Regulation follows the current approach whereby industry regulators have been tasked to formulate (and some have already formulated) important data catalogues, setting out what will be deemed to be “important data” in their industry sector. However, unfortunately the Regulation seems to indicate that such important data catalogues will not be an exhaustive list of important data, and instead they should be treated more as industry guidelines to help organisations classify whether data constitutes important data, and then report it to the industry regulators as required under existing reporting/monitoring rules. Therefore, unfortunately, the most critical question, i.e. what constitutes important data, is still not clearly answered. We now face the situation of, instead of waiting for important data catalogues to be published, rather unhelpfully network data handlers operating in sensitive industries may need to be prepared to identify and report its own important data based on the guidelines given by the authorities.  
  
• DPA: it is now clear that network data handlers must enter into a DPA with each third party to which it transfers important data, and that each such DPA must be kept for at least three years. This is a unique requirement for Mainland China, and means that organisations will potentially need to extend their template DPAs to cover important data as well as personal information.
  
• Network data security officer appointment: a network data handler that handles important data must appoint a “network data security officer” (who shall be a member of senior management) and establish a “network data security management department”. They shall be responsible for: formulating network data protection policies and procedures; organizing training and drills; monitoring daily data processing activities; and handling claims, investigations and other data protection related matters pertaining to important data. This is in addition to existing obligations to appoint a DPO, DSO and CSO.  
  
• Transfer assessment: an important data handler must conduct a risk assessment before transferring important data to any third party, including in the case of entrusted or joint processing (except where the transfer concerned is mandatorily required by law). The assessment should include, inter alia, the data recipient’s data protection capabilities and overall compliance status; and the effectiveness of the contract with the data recipient to comply with relevant data protection obligations. This appears to be closer to a PIIA for personal information than an EU-style DPIA or TIA, but we await a template assessment form or further guidance from the regulators on this.
  
• Reporting during M&A and corporate reorganisations, etc.: if the security of important data may be affected by an important data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and/or data authority at provincial level or above.
  
• Annual assessment report: an important data handler must carry out a risk assessment of its data processing activities once a year, and submit the assessment report to the relevant industry regulator at provincial level or above. Details of what these annual reports must include, and how to submit them, have not yet been published; and it is also unclear how these align with the proposed mandatory data compliance audits recently proposed by the China data protection authorities.

Obligations on “Large Scale” Personal Information Handlers

The Regulation requires a network data handler who processes personal information of more than 10 million data subjects to comply with the “network security officer appointment” and “reporting during M&A and corporate reorganisations etc.” obligations (discussed above) in the same way as an important data handler. However, the Regulation does not address whether the personal information of more than 10 million data subjects per se constitutes important data.

Obligations on Online Platform Operators

The Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

• platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
  
• app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

Next Steps

The Regulation adds to, rather than replaces, the existing – complex and ever-evolving – China data protection framework, and requires organisations handling China data to update their China data compliance obligations to prepare for these additional compliance obligations before the start of 2025.

Further, as indicated by the Regulation, data incident reporting, DPAs, record-keeping and compliance assessments/reporting will likely become the new compliance focus of the China data authorities in 2025.

Online platform operators’ responsibilities of monitoring in-platform data processing activities will still be an enforcement focus. Meanwhile, smart device manufacturers – who will now be regulated as online platform operators – will face a new set of complex obligations, and so are recommended to familiarize themselves with the requirements and upgrade their compliance programmes before the end of the year.

The final Guide largely aligns with the June draft, incorporating only a few changes in wording. However, it introduces several business-friendly clarifications to the list of common examples of sensitive personal information therein (“Examples List“) that help limit the scope of sensitive personal information, including:

• Location Access Methods: The issued Guide differentiates between location access methods used by mobile applications. It specifies that approximate location data derived from IP addresses is not classified as sensitive personal information, whereas precise mobile positioning data is considered sensitive.

• Whereabouts/Tracking Information: The “whereabouts/tracking information” category of sensitive personal information has been clarified to encompass only data that indicates a “continuous track” of movements over a period of time, rather than including any data pertaining to locations of a person as in the June draft. Along the same line of reasoning, flight and high-speed train travel records have been removed from examples of this category.

• Medical Device Data: According to the final Guide, not all data produced by medical devices during healthcare services will be classified as sensitive personal information; only examination and testing data during healthcare services risks falling under such classification.

Notably, the final Guide, in line with existing laws and standards, includes a new explanatory note highlighting the primacy of the “risk of harm” test over the Examples List. The note stipulates that data covered by the Examples List may not qualify as sensitive personal information if there is substantial evidence and justification showing that it fails to pass the “risk of harm” test as outlined in the Guide. This gives organisations greater scope to self-assess whether or not data qualifies as sensitive personal information based on risk of harm rather than just a prescriptive list.

The extent to which the Guide will be relied on by the regulator or courts remains to be seen. However, organizations are encouraged to refer to the Guide alongside existing laws and standards when identifying the sensitive personal information. In particular, as noted above and in our previous article, it is crucial for organizations to focus on the “risk of harm” test when identifying Mainland China sensitive personal information.

In July 2024, a draft recommended national standard Personal Information Protection Compliance Audit Requirements (“Draft Standard“) was issued for public consultation, which sets out comprehensive audit requirements and procedures. To be specific:

• The Draft Standard includes in its Schedule C a list of 37 groups of specific processing operations that must be checked in an audit, as well as the relevant PIPL requirements. The requirements cover the full life cycle of personal data processing, and concern areas such as lawful bases of processing, necessity and data minimization principles, disclosure of necessary processing details to data subjects, sharing of personal data with third parties, automated decision making, public disclosure of personal data, CCTV, sensitive personal data and minor data protection, cross-border data transfers, data subjects’ rights, internal data protection policies and procedures, technical and organizational measures, DPO, personal data protection impact assessments, data incidents, etc.

• The Draft Standard also outlines the general procedures of an audit, and sample lists the documents and materials which must be reviewed during an audit.

• In addition, the Draft Standard emphasizes the importance of internal governance. It requires a data controller to establish a compliance audit management system and formulate audit rules and procedures. The data controller’s Board of Directors, DPO and/or Legal Representative must take ultimate responsibility for the establishment of audit system and implementation of audits within the organization. The data controller must also allocate sufficient finance and suitable human resources to audit related work. Personnel being appointed to handle audits related works must have suitable knowledge and experience, and ideally hold qualification certificates.

• The Draft Standard does not prescribe when or how often a data controller must conduct an audit. In the Measures for the Management of Compliance Audits on the Protection of Personal Information (Draft for Comments) (“Draft Measures“), which was issued in September 2023 for public consultation, it is stated that a data controller which processes more than one million individuals’ personal data must conduct Self-supervision Audits at least once a year. Other data controllers must conduct Self-supervision Audits at least once every two years.

• The Draft Measures require data controllers to submit the audit reports of Regulator Requested Audits, take necessary remediation actions, and then submit the post-remediation reports.

As of the date of this article, neither the Draft Standard nor the Draft Measures have been finalized. But there are rumours indicating that both will be finalized before the end of 2024. An increasingly common understanding in the market is that personal data compliance audits will become the next regulatory focus of the data regulator.

Regardless of the status of these drafts, a data controller has an obligation under the PIPL to conduct Self-supervision Audits periodically. It is, thus, recommended to take note of the requirements under the Draft Standard, consider establishing an internal audit management framework and complete at least one Self-supervsion Audit within a reasonable time.

Under China’s data protection law, if a data controller processes any sensitive personal information, it will be subject to stricter obligations. For example, it must obtain the individuals’ separate consent. It must take enhanced technical and organizational measures. More importantly, under the new Chinese regulation governing the cross-border transfer of personal information (see our article here for details), if it transfers even one individual’s sensitive personal information outside China, it will need to file the transfer with the Chinese data regulator. Thus, the accurate identification of sensitive personal information has become increasingly important, and will become more so under proposed new data audit regulations.

The China Personal Information Protection Law (“PIPL“) defines sensitive personal information as any personal information that, once leaked or misused used, may easily lead to the infringement of an individual’s personal dignity or harm to personal or property safety.

The PIPL offers a few samples of sensitive personal information (e.g. biometrics, religious beliefs, medical health, financial accounts, whereabouts, and any personal information relating to minors under the age of fourteen). Recommended national standards such as GB/T 35273-2020 Personal Information Security Specifications (“Specifications“) and GB/T 43697-2024 Rules for Data Classification and Grading (“Rules“) also include non-exhaustive sample lists. During the past years, the identification of sensitive personal information in the market has relied heavily on such samples and lists.

In June 2024, a new Draft Guide for Sensitive Personal Information Identification (“Draft Guide“) was issued for public consultation, which proposes a different approach to identifying sensitive personal information. For example:  

• Facial recognition data: Under the Specifications and the Rules, only facial feature extraction or faceprint constitutes sensitive personal information. The Draft Guide now proposes to expand the scope to cover face images also, based on the rationale that facial feature extraction or faceprint may be generated from face images.

• Health data: Under the Specifications and the Rules, food allergy related data is specifically identified as sensitive personal information, which (unreasonably) subject many restaurants and catering companies to stricter data protection obligations. The Draft Guide now proposes to limit the scope of health data to disease, illness, disabilities and diagnosis- and treatment-related data.

• Finance data: Under the Specification and the Rules, transaction and expense records are identified as sensitive personal information, which may lead to an extreme conclusion that all the shops and malls keeping consumers’ purchase records process sensitive personal information. Under the Draft Guide, transaction and expense records would be removed from the list. Instead, sensitive personal finance information would be limited to bank, securities and fund account or card numbers and passwords, as well as token information and income details related to each specific account or card.

• Other data: The Draft Guide proposes removing communications records and web browsing records from the sensitive personal list, which is helpful especially for companies that monitor and record employees’ work-related emails and messages. The Draft Guide also clarifies that flight and high-speed train travel records fall into the scope of “whereabouts” data and thus constitutes sensitive personal information, whether in a consumer or potentially even employee-travel context.

It is uncertain when the Draft Guide will be finalized, and indeed how much it would be relied upon by the Chinese data regulator considering it would only constitute non-binding recommended guidance. Nonetheless, it is clear that identifying sensitive personal information is no longer a straightforward question, and the context under which personal information is processed will be critical to the assessment. To be fair, the focus on “risk of harm” has always been a key component of defining sensitive personal information in China. Therefore, going forward organisations looking to identify its sensitive personal information should place more focus on the consequences and potential harm to the data subjects if the data in question is breached or misused. A case by case and context-specific analysis will likely be required.

Basic rules

As a general principle, sectoral authorities shall publish categories and guidelines to set out the sector-specific data classification and grading frameworks. Data handlers’ internal data classification and grading work shall be conducted under the relevant sectoral framework.

To be specific, a data handler shall first conduct data classification by identifying the sectors in which the data is processed, and classifying data as industrial data, telecom data, financial data, energy data, traffic and transportation data, natural resources data, health data, education data, science data, etc.

The data handler shall further classify the data in each sector by considering factors such as the objects described (e.g. user data, business data, operation data and system maintenance data, etc.), the business processes concerned (e.g. R&D, manufacturing, distribution, after-sales services, etc.), and the processing purposes (e.g. interna management, supplier management, marketing, etc.). Where personal data is involved, the existing personal data classification requirements (which is summarized in Schedule B of the new standard) must be reflected.  

Under the new standard, data is graded as core data, important data and regular data. The grading should be based on the significance of the data to economic and social development, as well as its impact on national security, public interests and the legitimate rights and interests of individuals and organizations that could result from tampering, destruction, leakage, unauthorized access, or illegal use of the data.

The following factors may affect the grading: business contexts in which the data is processed; the business objects or personal data subjects that the data describes; the geographic areas the data concerns; the data accuracy; coverage scale and level of details etc. Schedules 3 and 4 of the new standard provide further guidance on how each factor shall be assessed when determining the grading.

Important data

Important data refers to data specific to certain sectors, groups, regions, or has reached a certain level of precision and scale that, once leaked, tampered with, or destroyed, may directly jeopardize national security, economic operations, social stability, public health, and safety. Data that only affect the data handler itself or individual citizens are usually not considered as important data.

The new standard also sets out the factors and standards that sectoral authorities must consider when formulating the important data catalogues. Once such catalogues are published, data handlers must follow the catalogues, identify the important data within their own organizations and prepare their own important data catalogue accordingly.

If a data handler believes that it also processes other important data after considering all the factors provided in the new standard, it can identify such data as important data voluntarily. This is so, even though the data is not included in the sectoral authorities’ important data catalogues. However, only the important data included in sectoral catalogues (rather than the voluntarily identified important data) must go through the special approval processes before it can be transferred overseas.

After finalizing the important data catalogue internally, data handlers shall record their important data catalogues to the sectoral authorities in accordance with the requirements specified in sector-specific guidance. For example, according to the Measures for the Management of Data Security in the Field of Industry and Information Technology (for Trial Implementation), data handlers in the industry and information technology sector shall record their important data catalogues with local sectoral authorities and provide information on: the source; classification; grade; scale; carrier; purpose and method of processing; scope of use; responsible party; external sharing; cross-border transfer; and security protection measures etc. of the important data. The specific data items in the important data catalogue are not required to be provided.

Practical Next Steps

Since the standard has already set out a relatively clear framework and includes reasonable details, sectoral authorities are expected to publish sector-specific guidance and catalogues soon. While following such developments closely, data handlers are recommended to conduct thorough data mapping internally and initiate preliminary data classification and grading work in parallel.

Please contact Carolyn Bigg (Carolyn.Bigg@dlapiper.com), Amanda Ge (Amanda.Ge@dlapiper.com), or Venus Cheung (Venus.Cheung@dlapiper.com) if you would like to discuss what these latest developments mean for your organisation.

New Exemptions for Certain CBDTs

As a recap, the relevant routes to legitimise CBDTs routes are: (1) CAC Security Assessment, (2) China SCCs Filing, and (3) CAC Certification (together, “Legitimising Routes”). Under the Guidelines, certain exemptions have been now introduced meaning the following CBDTs are exempted from having to follow any one of the Legitimising Routes (“Exempted Transfers”):

1. Collection outside of Mainland China: the personal data being transferred outside of Mainland China was originally collected and generated outside of Mainland China and thereafter imported back into Mainland China, and the processing of such personal data within Mainland China does not involve any personal data or important data that is collected from or generated in Mainland China;
   
2. Cross-border HR management: the transfer is necessary for implementing cross-border human resource management in accordance with legally formulated employment policies and procedures or legally executed collective contracts. This is subject to a “necessity” test (see below);
   
3. Cross-border contract: the transfer is necessary for concluding or performing a contract between the data subject and the data controller (e.g. those contracts that relate to cross-border shipping, logistics, remittance, payments, bank account opening, flight and hotel booking, visa applications, examination services etc.). This is subject to a “necessity test” (see below); 
   
4. Emergency situation: the transfer is necessary for protecting the life, health or property security of any natural person under emergency circumstances; or
   
5. Volume threshold: the transfer falls below a specified volume threshold (see below).

Do we still need to obtain separate consent and put in place other measures for CBDTs?

Yes, the exemptions only apply to the Legitimising Routes. The other requirements for CBDTs under the Mainland China data laws must still be complied with, namely:

• clearly describe the CBDT in the privacy notice, and obtain separate, explicit data subject consent to the cross-border data transfer (as well as the general consent to data processing etc.); and

• put in place appropriate contractual and other measures (e.g. due diligence, TOMs, DPIA) to protect the data to the appropriate standard when processed outside of Mainland China.

What is the “Necessity Test”?

Exempted Transfers 2 (cross-border HR management) and 3 (cross-border contracts) above rely on a “necessity” test. This means the organisation must prove that the CBDT is necessary in order for the exemption to apply. However, it remains unclear as to what would constitute a necessary basis for the cross-border transfer of personal data. For example:

• Will overseas transfers of personal data within global companies where IT services are procured at a group level be a satisfactory reason for the CAC?
  
• When it comes to the contractual necessity exemption, the Guidelines require the data subject and data controller to be direct contracting parties, but does not provide for situations where the contracting party is an organisation rather than an individual (e.g. in corporate customer situations).

What are the Volume Thresholds?

If the above Exempted Transfers are not applicable, or are only partly applicable (after deducting the number of data subjects in which any of the above Exempted Transfers would apply):

1. CAC security assessment (i.e. full CAC approval) is required where:
   
   • important data is processed – the list of important data examples will be published by the CAC in due course; 
     
   • non-sensitive personal data of 1 million data subjects or more is transferred overseas; or
     
   • sensitive personal data of 10,000 data subjects or more is transferred overseas.
     
2. China SCCs filing is required where:
   
   • non-sensitive personal data of between 100,000 and 1 million data subjects is transferred overseas; or
     
   • sensitive personal data of fewer than 10,000 data subjects is transferred overseas.
     
3. None of the three Legitimising Routes is required – i.e. it is an Exempted Transfer (see above) – where  non-sensitive personal data of fewer than 100,000 data subjects is transferred overseas.

For the purposes of calculating the above volume thresholds, the relevant date for the calculation is a period of one year from 1 January of the year when the calculation is conducted.

For the third Legitimising Route – namely the CAC certification route – there remains uncertainty around its applicability. It was previously thought to cover largely CBDTs by non-China data controllers. However, it is not now mentioned in the Guidelines, and indeed the Guidelines seem to have covered most data processing scenarios and data volumes in any case. As such, further guidance is awaited on whether the CAC Certification is now just a voluntary compliance measure (e.g. for non-China data controllers), or an alternative to the other Legitimising Routes.

What about CIIOs?

The Exempted Transfers do not apply to organisations dedicated as a Critical Information Infrastructure Operator (“CIIOs”). CIIOs must in any case undergo a CAC Security Assessment to transfer or access data outside of Mainland China – regardless of the data category, data volume or data processing activity to be undertaken.

What if the Exempted Transfers do not Apply to My Organisation?

Along with the Guidelines, the CAC has also updated its template assessment and filing documents for the CAC security assessment and SCCs filing routes. In particular, these new templates reflect very specific requirements that the CAC expect in terms of drafting and formatting applications and filings. As such, any organisations that have drafted but not yet submitted their assessment application or PIIA or SCCs filing PIIA must now use the new templates.

In addition, a central submission platform has been set up. It is anticipated that only new submissions would need to submit via the platform. Organisations that have already submitted assessments or filings may continue to contact their designated case officer.

Practical Next Steps

1. Reconsider your Legitimising Route or whether an Exempted Transfer applies, by:
   
   • Checking internally whether your organisation has been informed by any authorities that it is designated as a CIIO, or if it processes important data (per the official list to be released in due course).
     
   • Identifying any provincial (e.g. Greater Bay Area Standard Contract, or Free Trade Zone rules that may be published etc.) nuances or exceptions to the CBDT requirements that may apply to your organisation.
     
   • Identifying whether your organisation’s CBDTs qualify as an Exempted Transfer. If so, this volume of data may be carved out from the overall volume calculation.
     
   • Classify your data to map out the categories of non-sensitive personal data and sensitive personal data.
     
   • Calculating in parallel the relevant volume of non-sensitive personal data and sensitive personal data being transferred overseas, and thereafter, identify the applicable Legitimising Route.
     
2. Organisations which have yet to make any submissions to the CAC should now consider internally whether they fall within any of the Exempted Transfers and those that cannot, or can only partially rely on the Exempted Transfers should determine whether it is transferring sensitive personal data, and if so, the necessity of doing so as this would impact the route chosen for legitmising CBDTs.
   
3. For organisations whose submission (whether CAC security assessment or SCCs filings) is already with the CAC for review, it is recommended to consider getting in touch with your relevant designated case officer to understand the status of the assessment or filing and whether it may be withdrawn if the Exempted Transfers conditions are met.

Please contact Carolyn Bigg (Carolyn.Bigg@dlapiper.com), Amanda Ge (Amanda.Ge@dlapiper.com), or Venus Cheung (Venus.Cheung@dlapiper.com) if you would like to discuss what these latest developments mean for your organisation.