Multinational employers operating in China have been waiting since September 2023 for the Cyberspace Administration of China (CAC) to finalize proposed revisions to its complex and burdensome rules for cross-border data transfers.  Relief arrived on March 22, 2024, when the CAC published the “Provisions on Promoting and Regulating Cross-border Data Flows” (the “Approved Provisions”), which went into effect on the same day. The Approved Provisions adopt three key changes, first proposed in September 2023, to the CAC’s original cross-border data transfer rules, which were published in February 2023.  While these changes will substantially reduce multinational employers’ compliance burdens when transferring human resources (HR) data and business contact information (BCI) out of China, the changes do not eliminate all compliance obligations. In this ASAP, we will explain the new, burden-reducing exemptions and describe the compliance obligations that remain in effect.

Statutory and Regulatory Background

Since its November 1, 2021 effective date, China’s Personal Information Protection Law (PIPL) has established the following requirements for transfers of personal information overseas:

• Providing notice to data subjects of the overseas transfer of their personal information;
• Obtaining the express consent of the data subject to the cross-border data transfer;
• Conducting a “transfer impact assessment” (TIA) to assess the risks associated with the data transfer; and
• Executing a standard data contract issued by the CAC.

On February 22, 2023, the CAC published the “Measures for the Standard Contract for the Export of Personal Information” (“Measures”), which, among other things, included the “Personal Information Export Standard Contract” (“Standard Contract”) as well as a comprehensive and burdensome form for completing the TIA. The Measures imposed a November 30, 2023 deadline on multinational employers to execute the Standard Contract, complete the TIA, and file both with each relevant provincial office of the CAC — depending on the location of each subsidiary in China.¹

In response to concerns expressed by the European business community and others over the complexity and burden of the process, particularly for transfers of HR data and BCI, in late September 2023, the CAC proposed the “Provisions on Regulating and Promoting Cross-border Data Flows” (draft for comments) (“Proposed Provisions”).  The Proposed Provisions created several exceptions, including exceptions applicable to HR data and BCI, from the requirements to enter into the Standard Contract and to file it and the TIA with the CAC.²  As the November 30, 2023 deadline came and went, multinational employers with a presence in China — particularly B2B companies which collect only HR data and BCI — anxiously awaited the CAC’s final word on the Proposed Provisions.

The Approved Provisions’ Exceptions for Cross-Border Transfers of HR Data and BCI

In a piece of good news for multinational employers, the Approved Provisions maintained the exceptions in the Proposed Provisions, substantially easing the compliance burdens associated with the cross-border transfer of HR data and BCI.  With respect to HR Data, this means subsidiaries of multinationals in China are not required to enter into the Standard Contract, when the transfer of HR data from China is truly necessary to carry out cross-border HR management in accordance with the employer’s internal labor rules and regulations and collective contracts. 

While the Approved Provisions do not expressly exempt BCI from the requirement to execute the Standard Contract, they do exempt virtually all businesses from the requirement to enter into the Standard Contract where the business transfers, in a calendar year, the personal information of fewer than 100,000 individuals.  It is highly unlikely that overseas transfers of BCI from a China-based subsidiary would exceed this threshold.³

Perhaps of greatest importance to multinational employers, the Approved Provisions necessarily eliminate the need to file the TIA with the Chinese government.  The Approved Provisions specifically state that to the extent the Measures are inconsistent with the Approved Provisions, the Approved Provisions control.  The Approved Provisions do not require the filing of the TIA.  In addition, the Measures linked the filing of the TIA with the filing of the Standard Contract.  For multinational employers no longer required to execute and file the Standard Contract, the elimination of any requirement to file the TIA is logical.

Multinational Employers Must Still Comply with the PIPL’s Requirements before Transferring HR Data and BCI Overseas

The Approved Provisions emphasize that all provisions of the PIPL related to cross-border data transfers not subject to an exception continue to apply.  As a result, multinational employers still are required to satisfy the following compliance obligations before transferring HR data and BCI overseas:

• Provide notice to employees and business contacts that their personal information will be transferred overseas;
• Obtain their express consent to the transfer; and
• Complete the TIA. 

While the requirement to complete the TIA remains, the elimination of the requirement to file the TIA with Chinese authorities provides some leeway for multinational employers to be less rigorous when completing the TIA.  The elimination of the filing requirement also eliminates the risk that Chinese authorities would determine that a filed TIA was inadequate and then order the suspension of cross-border transfers of HR data and BCI until the multinational employer secured the Chinese government’s approval of a revised TIA.

Takeaways

While the Approved Provisions reduce the compliance burden on multinational employers that transfer HR data and BCI outside of China, multinational employers should not lose sight of the compliance obligations that remain.  Multinational employers must ensure that a workflow process exists for the distribution of notice / consent forms to workforce members and business contacts whose personal information is transferred outside of China.  This should be coupled with a process for storing the executed consent forms.  Multinational employers must still complete the TIA, a process which has the benefit of helping to reduce data protection and data security associated with the cross-border data transfers.  While the TIA no longer needs to be submitted to Chinese authorities for approval, multinational employers should be mindful that in the event of a government inquiry — for example, in response to a report of a data breach or an employee’s complaint — the TIA may need to be produced and subjected to government scrutiny.