China's Network Legal System and Data Cross-Border Flow Regulations

On June 18th, TapTechNews reported that the Information Office of the State Council held a press conference today. Relevant officials from the Cyberspace Administration of China, the Supreme People's Court and other related departments introduced the relevant situation of network legal guarantee for high-quality development.

The official said: Up to now, China has formulated and promulgated over 150 pieces of legislation in the field of network, basically forming a network legal system with the Constitution as the fundamental, relying on laws, administrative regulations, departmental rules and local regulations, local government rules, based on traditional legislation, and with network content construction and management, network security and informatization and other network-specific legislation as the mainstay, building the 'four beams and eight pillars' of China's network rule of law, providing a solid institutional guarantee for the construction of a cyber power.

Here is an example. The Cyberspace Administration of China announced the 'Regulations on Promoting and Regulating Data Cross-Border Flows' (hereinafter referred to as the 'Regulations') on March 22 this year, and it came into effect as of the date of announcement.

The 'Regulations' clarified the reporting standards for the security assessment of important data exit, and proposed that if the data processor does not need to report the security assessment of data exit if it is not informed or publicly announced as important data by relevant departments and regions.

The 'Regulations' stipulate the conditions of data exit activities that are exempt from reporting the security assessment of data exit, concluding a standard contract for personal information exit, and passing the personal information protection certification: First, the data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, transnational production and marketing is provided to overseas, and does not contain personal information or important data; Second, the personal information collected and generated overseas is transmitted to the territory for processing and then provided to overseas, and there is no introduction of domestic personal information or important data in the processing process; Third, in order to conclude and perform a contract in which an individual is a party, it is indeed necessary to provide personal information to overseas; Fourth, in order to implement cross-border human resource management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law, it is indeed necessary to provide employees' personal information to overseas; Fifth, in case of emergency to protect the life, health and property safety of natural persons, it is indeed necessary to provide personal information to overseas; Sixth, the data processor other than the key information infrastructure operator has cumulatively provided less than 100,000 personal information (excluding sensitive personal information) to overseas since January 1 of the current year.

The 'Regulations' established a negative list system in the free trade试验区. It is proposed that under the national data classification and grading protection system framework, the free trade试验区 can formulate its own negative list in the area, and after being approved by the provincial network security and informatization committee, it shall be reported to the Cyberspace Administration of China and the national data management department for record.

Data processors in the free t rade试验区 providing data outside the negative list to overseas can be exempted from reporting the security assessment of data exit, concluding a standard contract for personal information exit, and passing the personal information protection certification.

The 'Regulations' clarified the conditions of two types of data exit activities that should report the security assessment of data exit. One is that the key information infrastructure operator provides personal information or important data to overseas; the other is that the data processor other than the key information infrastructure operator provides important data to overseas, or cumulatively provides more than 1 million personal information (excluding sensitive personal information) or more than 10,000 sensitive personal information to overseas since January 1 of the current year. At the same time, the conditions of data exit activities that should conclude a standard contract for personal information exit or pass the personal information protection certification are clarified, that is, the data processor other than the key information infrastructure operator has cumulatively provided more than 100,000 and less than 1 million personal information (excluding sensitive personal information) or less than 10,000 sensitive personal information to overseas since January 1 of the current year.

The 'Regulations' also stipulated the valid period and extension application of the security assessment of data exit, the data security protection obligations and supervision and management responsibilities, and the connection and application with other regulations on data exit security management.