DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · PROVISIONS ON PROMOTING AND REGULATING CROSS-BORDER DATA FLOWS

Provisions on Promoting and Regulating Cross-border Data Flows.

促进和规范数据跨境流动规定

Promulgated by: Cyberspace Administration of China (CAC).
Document No.: Decree No. 16 of the Cyberspace Administration of China.
Adopted at the 26th executive meeting in 2023 of the CAC on November 28, 2023.
Promulgated and effective March 22, 2024.
Zhuang Rongwen, Minister of CAC.


Article 1. In order to protect data security, protect personal information rights and interests, and promote the orderly and free flow of data in accordance with the law, these Provisions are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other relevant laws and regulations for the implementation of systems for provision of data abroad, such as security assessment for data to be provided abroad, the standard contract for provision of personal information abroad and personal information protection authentication.

Article 2. Data handlers shall identify and declare important data in accordance with relevant provisions. If the data have not been informed or publicly announced as important data by relevant departments or regions, data handlers are not required to declare security assessment for cross-border provision of the data as important data.

Article 3. To provide the data collected and generated in such activities as international trade, cross-border transport, academic cooperation, transnational manufacturing and marketing, which do not contain personal information or important data, to overseas parties, it is exempted from declaring security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing authentication for protection of personal information.

Article 4. Where a data handler provides personal information collected and generated abroad to overseas parties after being provided to China for processing, and no domestic personal information or important data is introduced in the process of processing, the data handler is exempted from declaring security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing authentication for protection of personal information.

Article 5. A data handler providing personal information abroad may be exempted from declaring security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing authentication for protection of personal information if it satisfies any of the following conditions:

1. Where it is really necessary to provide personal information abroad for the purpose of concluding or performing a contract to which an individual concerned is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa handling and examination services;
2. Where it is really necessary to provide employees’ personal information abroad for the purpose of conducting cross-border human resources management in accordance with the employment rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law;
3. Where it is really necessary to provide personal information abroad in an emergency to protect the life, health and property safety of a natural person; or
4. Where a data handler other than a critical information infrastructure operator provides abroad the personal information (excluding sensitive personal information) of not more than 100,000 persons accumulatively as of January 1 of the current year.

For the purpose of the preceding paragraph, “personal information provided abroad” does not include important data.

Article 6. Under the framework of the national system for classified and hierarchical protection of data, pilot free trade zones may, at their own discretion, formulate lists of data that need to be included in the scope of administration of security assessment for providing data abroad, the standard contract for providing personal information abroad and authentication for personal information protection (hereinafter referred to as the “negative list” in short), which shall be filed with the national cyberspace administration and the national data administration for the record upon approval by the cyberspace administration at the provincial level. Any data handler in a pilot free trade zone providing overseas parties with any data not included in the negative list may be exempted from declaring a security assessment for providing data abroad, concluding a standard contract for providing personal information abroad or passing authentication for personal information protection.

Article 7. To provide data abroad, any data handler shall declare security assessment for providing data abroad to the national cyberspace administration through the cyberspace administration authority at the provincial level at its locality if it satisfies either of the following conditions:

1. Where a critical information infrastructure operator provides personal information or important data abroad; or
2. Where any data handler other than a critical information infrastructure operator provides important data abroad or, as of January 1 of the current year, provides personal information (excluding sensitive personal information) of not less than 1 million people or sensitive personal information of not less than 10,000 people in aggregate to overseas parties.

Where the circumstance falls under the provisions of Article 3, 4, 5 or 6 hereof, such provisions shall apply.

Article 8. Where any data handler other than a critical information infrastructure operator provides abroad the personal information (excluding sensitive personal information) of not less than 100,000 but not more than 1 million persons, or the sensitive personal information of not more than 10,000 persons, accumulatively as of January 1 of the current year, it shall conclude a standard contract with overseas recipients for provision of personal information abroad or go through the authentication on protection of personal information in accordance with the law. Where the circumstance falls under the provisions of Article 3, 4, 5 or 6 hereof, such provisions shall apply.

Article 9. The result of security assessment for providing data abroad remains valid for three years, commencing from the date of issuance of the assessment result. Where it is necessary to continue providing the data abroad and there is no circumstance requiring re-declaration for security assessment for the data abroad upon expiry of the period of validity, the data handler may, within 60 workdays before the expiry of the period of validity, apply to the national cyberspace administration through the local cyberspace administration at the provincial level for extending the period of validity of the assessment result. Upon approval by the national cyberspace administration, the period of validity of the assessment result may be extended by three years.

Article 10. To provide personal information abroad, a data handler shall, in accordance with laws and administrative regulations, perform obligations such as notification, obtaining individual consent and conducting assessment of impact of personal information protection.

Article 11. Any data handler providing data abroad shall abide by the provisions of laws and regulations, perform data security protection obligations, and take technical and other necessary measures to ensure the security of data to be provided abroad. If a data security incident occurs or may occur, the data handler shall take remedial measures, and report to the cyberspace administration at the provincial level or above and other competent authorities in a timely manner.

Article 12. Local cyberspace administrations shall strengthen guidance and supervision over the cross-border provision of data by data handlers, improve the security assessment system for data to be provided abroad, and optimize the assessment process; they shall also strengthen the whole-chain and full-range regulation before the event, during the event and after the event, and require the data handler to make rectifications and eliminate hidden dangers if it is found that there are relatively high risks in the data to be provided abroad or that a data security incident has occurred; and the data handler shall be investigated for legal liability according to the law if it refuses to make rectifications or the accident has caused serious consequences.

Article 13. In case of any discrepancy between these Provisions and the relevant provisions such as the Security Assessment Measures for Data Provision Abroad (Decree No. 11 of the Cyberspace Administration of China) promulgated on July 7, 2022 and the Measures on Standard Contracts for Cross-border Provision of Personal Information (Decree No. 13 of the Cyberspace Administration of China) promulgated on February 22, 2023, these Provisions shall prevail.

Article 14. These Provisions shall come into force as of the date of promulgation.

§ COMMENTARY

Briefs on this law.

4 briefs reference this law.

  • § 01 · CROSS-BORDER

    Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense

    When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.

    cross-border · data-sovereignty · mlat
  • § 02 · CROSS-BORDER

    Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet

    Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.

    cross-border · trusted-data-space · confidential-computing
  • § 03 · IMPORTANT-DATA

    How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan

    Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.

    important-data · data-classification · cross-border
  • § 04 · CROSS-BORDER

    FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data

    Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.

    cross-border · important-data · ftz-negative-list