Five Keywords for Cross-border Data ...

Relevant laws and regulations have repeatedly emphasized "security" as the premise of free cross-border data transmission, which reflects that our country attaches great importance to safe data transmission. These laws and regulations also specify the supervision measures of cross-border data transmission. Enterprises, especially multinational enterprises must bear data security and compliance in mind.

“Important data” means any data that, if it is tampered with, destroyed, divulged, illegally obtained, or illegally used, among others, may endanger national security, economic operation, social stability, public health and security, among others. As to how to identify and judge whether an enterprise has "important data", an enterprise shall defer to lawyers and other professionals’ analysis based on the enterprise's industrial and business characteristics.

Currently, China's legislations in the area of data security tend to tighten the regulation on cross-border transmission of important data. Companies that illegally transmit important data to overseas parties will face heavier penalties than before. For example, according to the Data Security Law, if Critical Information Infrastructure Operators (“CIIOs”) fail to comply with the relevant provisions regarding cross-border transmission of important data, in the worst situation, such CIIOs may face a fine of up to RMB 10 million, and the people who are directly liable for such violation may face a fine of up to RMB 1 million. Before the promulgation of the Data Security Law, the cap of fines against enterprise and individual is RMB 500,000 and RMB 100,000, respectively.

China implements an export control over data. The latest Export Control Law has included "technical material and other data related to the items" into the scope of export control. The Data Security Law echoes the Export Control Law by restressing China's data export control system. It demonstrates China's determination to tighten the supervision over special or important data in certain key or advanced areas, and confirms the application of export control to data activities.

As to which specific controlled items are subject to export control, enterprises may refer to the List of Technologies Prohibited or Restricted from Export and the Announcement of Ministry of Commerce and Ministry of Science and Technology [2020] No. 38 — Announcement on Adjustment and Promulgation of the "List of Technologies Prohibited or Restricted from Export" promulgated and implemented on 28 August 2020.

Prior to the promulgation of Data Security Law, only outbound data transmission in the securities and finance sector and international criminal assistance should be approved by the competent authorities. Now the Data Security Law extends that requirement to the judicial and administrative sectors. In terms of requests of providing data from foreign judicial or law enforcement agencies, before conducting cross-border data transmission, provider must obtain the approval of competent authorities, otherwise any domestic organizations and individuals are not allowed to provide relevant data.

According to the Data Security Law, Measures for Cybersecurity Review and Measures for the Security Assessment of Outbound Data Transmission, data processing activities that affect or may affect national security are subject to national security review. 

As the national security review system for data, data security review system echoes the relevant requirements under the PRC National Security Law and is an important method to effectively prevent and resolve national security risks.

China's legislation for data security is being improved day by day, and new regulations are formulated and published at a fast pace and in large numbers. We suggest that enterprises shall keep a close eye on the new regulations to regulate its data processing practices, including outbound data transmission.