Data transfer from China to Europe, America and the rest of the world

Posted by Marc Füßlein, Last modified by Marc Füßlein on 24 April 2024 16:45

Especially for international companies that operate servers, websites and web applications in China and have partners or branches in China, the transfer of data from China to other countries plays an enormously important role. This is why the legal developments in 2023 caused great concern and worry, as they posed major compliance hurdles for all Chinese companies. The Chinese government quickly recognized these problems, and with the relaxations enacted in March 2024, many companies are once again excluded from the necessary certification and approval processes.

While the Cybersecurity Law laid the foundation for the other laws on cross-border data transfer in 2017, the rules were only elaborated on at the end of 2021 with the adoption of the Data Security Law and the Personal Information Protection Law. However, their entry into force initially had no direct impact on international data transfer, as the relevant processes for the Security Audit, the Standard Contract and Data Protection Certification were not fully developed and defined until the beginning of 2023.

In practice, it quickly became apparent that the obligation for all Chinese companies to go through one of these three processes had noticeable consequences. On the one hand, both the companies and the authorities incurred an enormous workload. On the other hand, contact forms and similar functions were completely removed from some websites and web applications in China. For these reasons, the Chinese government published the draft "Provisions on Regulating and Promoting Cross-Border Data Transfer" (促进和规范数据跨境流动规定) for discussion at the end of 2023 with many relaxations to the existing provisions and issued it with immediate effect in March 2024.

In order to better understand the relaxation and the resulting new regulations for the transfer of data from China to Europe, America and the rest of the world, a basic knowledge of the relevant laws since the Cybersecurity Law is helpful.

Cybersecurity Law (CSL)

The entry into force of the Cybersecurity Law initially had no serious impact on the operation of websites in China or on cross-border data transfer. However, it still forms the basic framework for handling any form of data and the laws and decrees based on it. On the one hand, the law covers general topics such as responsibility for data, the introduction of preventive measures for the security of this data and the definition of emergency plans. On the other hand, it was stipulated for the first time that the collection of personal data is only permitted with the explicit consent of the person concerned and that they must be informed about the exact use of the data - these provisions are still valid today, for example for contact forms, registrations and logins on Chinese websites. Another important aspect of the Chinese Cybersecurity Law is the categorization of certain companies as Operators of Critical Information Infrastructure, which are subject to stricter regulations.

Both the Data Security Law and the Personal Information Protection Law are based on this framework.

Data Security Law (DSL)

While the Cybersecurity Law dealt at least in part with personal data, the handling of all other data was broadly undefined. This legal gap was closed with the Data Security Law, which contains corresponding provisions and processes.

The Data Security Law first provides for the categorization of data into Core Data, Important Data and all Other Data. While core data primarily relates to national security and is therefore subject to the highest security precautions, the exact definition of important data is still an open task for the responsible authorities more than three years after the publication of the law, with the publication of corresponding lists currently expected at some point in 2024. As a result, it is currently still unclear which category personal data falls into and where exactly the boundary between important and other data lies. It can be assumed that sensitive personal data will be classified as important data and all other personal data as other data.

Even without the concrete definition of important data, this separation of data already runs through many different process definitions and decrees that have been published since then. As soon as the lists of important data are available, the current state of affairs will change again somewhat, even if no serious consequences are to be expected.

The Data Security Law also addressed the transfer of data abroad for the first time and introduced a mandatory security audit prior to the transfer of any important data, of personal data above a threshold of one million data subjects, and for the operators of critical information infrastructure.

Personal Information Protection Law (PIPL)

The Personal Information Protection Law came into force a few days after the Data Security Law and supplemented it with rules for the handling of personal data and its transfer abroad. First, the law reiterates the stipulation of the Cybersecurity Law that users need to give their explicit consent and that they need to be informed about the purpose of collecting and processing their personal data. In addition, the law distinguishes between Sensitive Personal Data and all Other Personal Data; for web applications in China, it is mostly non-sensitive personal data such as first and last name, email address and telephone number that is relevant.

A significant part of the law deals with the transfer of personal data abroad. The most important aspect here is that this transfer was initially prohibited across the board. At the same time, the law defines three different processes that a company can go through in order to transfer personal data of users, employees and other Chinese citizens abroad again. Specifically, these are the Security Audit, the Standard Contract and the Data Protection Certification. In addition, thresholds of 10,000, 100,000 and 1,000,000 data subjects were defined for the first time and assigned to the three processes with regard to sensitive and other personal data as well as the total volume of data subjects. While the exact criteria at which one of the three processes must be run through have changed since the introduction of the law, these threshold steps continue to be used by many decrees.

Understandably, the introduction of the PIPL caused great concern, especially among foreign companies that have branches in China and operate their own websites and web applications on servers directly in China. This is because the transfer of data from the servers and branches to the company headquarters is and remains an important part of the daily workflow, especially the central processing of customer inquiries, orders, user registrations, personnel data, etc. at the headquarters. However, the various processes to enable data transfer again were only described in principle by the law and not specified in detail, which is why there was initially no deadline and therefore no immediate need for action.

It was only more than a year after the Personal Information Protection Law came into force that the three processes were specified and a deadline of the end of November 2023 was set. From December 2023, the transfer of data abroad was only permitted after the company had successfully completed one of the three processes. This not only created massive bureaucratic burdens for Chinese companies and the relevant authorities, but also had a very noticeable impact on the willingness of foreign companies to expand into China or invest in China. Some foreign companies have simply switched off contact options and similar functions on their websites in China or even closed their branches in China.

For these reasons, a new draft law was published in September 2023, i.e. before the deadline, which included significant relaxations of the provisions and in many cases simply allowed data transfer abroad again. The draft was adopted on March 22, 2024, and came into force with immediate effect.

Provisions on Regulating and Promoting Cross-Border Data Transfer (CBDT Regulations)

The Provisions on Regulating and Promoting Cross-Border Data Transfer contain significant relaxations of the above provisions and thus form the latest legal state of affairs with regard to the transfer of data across China's borders.

While the Personal Information Protection Law originally prohibited the transfer of personal data abroad across the board, the new provisions contain corresponding thresholds below which the user's consent is sufficient. Small and medium-sized companies and their websites and web applications in China are thus to be relieved and excluded from the bureaucratically complex certification and approval processes.

There are now a total of three levels into which a company's international data transfer can fall.

1. Consent by the user

The fact that a user must explicitly consent to the transfer of their personal data and be informed about its use was already defined in the Cybersecurity Law and reiterated in the Personal Information Protection Law. This obligation remains in place for all companies in China and is also the lowest level that a company must fulfill for the transfer of data abroad.

From now on, the user's consent is sufficient for the transfer, provided the company only transfers non-sensitive personal data and this does not exceed a volume of 100,000 data subjects within a calendar year. Personal data of employees and data that is necessary for the conclusion or fulfillment of a contractual relationship are also generally exempt from the certification and approval processes.

2. Standard Contract or Data Protection Certification

The next level up applies to companies that transfer the personal data of between 100,000 and 1,000,000 data subjects or sensitive personal data of fewer than 10,000 people abroad in a calendar year. In this case, either a standard contract must be concluded in advance or data protection certification must be carried out.

The user must of course still be informed about the transfer of their data and explicitly consent to it.

3. Security Audit

The security audit remains the highest security level and is mandatory for companies if they transfer the personal data of more than 1,000,000 people or sensitive personal data of more than 10,000 data subjects abroad within a calendar year. Companies in this category are therefore at the same level as operators of critical information infrastructure, for whom the security audit is always mandatory before any data is transferred abroad.

In this case, the user must still be informed about the transfer of their data and explicitly consent to it.

The need for a security audit prior to the transfer of important data in accordance with the provisions of the Data Security Law is currently suspended while the authorities work on finalizing the corresponding lists for the categorization of important data.

Free-Trade Zones

For the free-trade zones in China, the new regulations also provide many opportunities to enact further relaxations for local companies. If your Chinese company is located in a free-trade zone, you should definitely find out about the limits, exemptions and other relaxations that apply there.

The free-trade zone in Tianjin, for example, has already increased the above-mentioned limits tenfold, meaning that user consent is sufficient for volumes of non-sensitive personal data of up to 1,000,000 data subjects.

Our recommendations

You should first carry out an analysis of your data flow between China and Europe, America and the rest of the world - if you have not already done so in 2023 - or alternatively take another look at the analysis that has already taken place. If your company is based in a free-trade zone, you should also find out whether there are any further relaxations for you.

You should then use this information to assess which of the three levels your company falls into. The vast majority of European and American companies will be at the lowest level, meaning that user consent is sufficient for international data transfer. So, if you have recently deactivated certain functions of your website in China, such as a contact form, you may be able to add them back into your web application with no or minimal adjustments with regard to user consent.

If you had already started a standard contract or data protection certification in 2023 and this process was either unsuccessful or is still being processed by the authorities in China, you can withdraw this application if these two processes are no longer necessary for you under the new regulations. Similarly, you can check whether you can now carry out the standard contract or the data protection certification instead of a security audit.

If one of the three certification and approval processes is still mandatory for you and you have not yet started, you should do so as soon as possible. This is because a breach of the rules for international data transfer continues to represent a high compliance risk and is associated with personal liability of senior employees.


Would you like further advice?

With several years of experience in hosting a wide variety of websites, web shops and web applications in China, including booking platforms or online expos, weber.cloud China will be happy to help you with your questions. Our experts can advise you on operating your website in China and all related topics. If you have more in-depth legal questions, we can also put you in touch with our English-speaking partner lawyers in China. Of course, we can also support you with all questions regarding hosting in China and offer you the right solution to deliver your website to China with high performance.

Sounds exciting? Simply get in touch with us.


The contents of this article have been compiled with the greatest possible care and to the best of our knowledge. However, weber.digital GmbH does not assume any liability for the topicality, correctness, completeness or quality of the information provided. Any liability for damages arising directly or indirectly from the use of our knowledgebase is excluded, unless caused by intent or gross negligence.

Our knowledgebase contains external links to other websites over whose content we have no influence. For this reason, weber.digital GmbH cannot accept any liability for these contents. The respective provider of the linked website is responsible for the content and correctness of the information provided. At the time of linking, no legal violations were recognizable. If such an infringement becomes known, the link will be removed immediately.
