
Overall Relaxation, Selective Control: A Guide to Navigating Cross-Border Data Transfer Regulation (Chinese-English Edition)

Authors: Hu Jing et al., Grandall Law Firm. Published: 2024-03-25

01

Background

On March 22, 2024, the Cyberspace Administration of China (hereinafter the “CAC”) issued, in quick succession, the Provisions on Promoting and Regulating Cross-Border Data Flows (hereinafter the “Provisions”), the Guidelines for the Application for Security Assessment of Outbound Data Transfer (Second Edition) and the Guidelines for Filing the Standard Contract for the Outbound Transfer of Personal Information (Second Edition), all of which took effect on the same day. The introduction of the Provisions shows that China's regulation of cross-border data transfer (hereinafter “CBDT”) is moving toward “overall relaxation, selective control”: the general requirements are eased while key categories of data remain tightly controlled. Enterprises should therefore review their CBDT activities in a targeted and systematic manner.


02

Summary of Exemption Scenarios

Under the Personal Information Protection Law of the PRC, the Measures for the Security Assessment of Outbound Data Transfer, the Measures for the Standard Contract for the Outbound Transfer of Personal Information and other relevant laws and regulations, providing data abroad may trigger one of three approval or filing requirements: (a) applying for a security assessment of the outbound data transfer (hereinafter the “Assessment”); (b) concluding a standard contract for the outbound transfer of personal information (hereinafter the “SCC”); or (c) obtaining personal information protection certification (hereinafter the “Certification”) (collectively, the “CBDT Obligations”).

Under the Provisions, the outbound provision of the specified data in the following scenarios is not subject to the CBDT Obligations:

Scenario A: Data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, transnational production and manufacturing, and marketing is provided abroad, and the data contains no personal information or important data (Article 3).

Scenario B: Personal information that was collected and generated outside the PRC is transferred into the PRC for processing and then provided abroad, and no personal information or important data originating within the PRC is introduced during that processing (Article 4).

Scenario C: Personal information must be provided abroad in order to conclude or perform a contract to which the individual is a party, such as cross-border shopping, cross-border mailing and delivery, cross-border remittance, cross-border payment, cross-border account opening, flight and hotel booking, visa processing and examination services (Article 5).

Scenario D: Employees' personal information must be provided abroad to carry out cross-border human resources management under labor rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law (Article 5).

Scenario E: Personal information must be provided abroad in an emergency in order to protect the life, health or property of a natural person (Article 5).


03

Summary of Personal Information Thresholds (excluding rules on important data and critical information infrastructure operators)


04

Other Key Points

(1) Critical Information Infrastructure Operators (hereinafter “CIIOs”)

The Provisions require a CIIO that provides personal information or important data abroad to apply for the Assessment regardless of the volume involved. At the same time, Article 7, paragraph 2 provides that “where the circumstances in Articles 3, 4, 5 or 6 of these Provisions apply (that is, the exemption scenarios in Part 02 above and the Negative Lists discussed below), those provisions shall prevail.” That paragraph does not expressly carve out the provision of personal information abroad by a CIIO. Accordingly, even a CIIO providing personal information abroad may not need to apply for the Assessment where an exemption scenario or a Negative List applies, although whether this reading holds remains to be clarified in subsequent practice.

(2) Pilot Free Trade Zones (hereinafter “FTZs”) and the Negative Lists

The Provisions allow an FTZ, within the framework of the national data classification and grading protection system, to formulate its own list of the data within the zone that must go through the Assessment, the SCC or the Certification (the so-called “Negative List”); data outside that list may be provided abroad from within the zone without triggering the CBDT Obligations. Enterprises should therefore monitor the formal release of these Negative Lists and make business decisions based on their actual CBDT needs so as to take full advantage of the favorable policies in the FTZs.

(3) Important Data

Under Article 7 of the Provisions, a data processor that provides any important data abroad must apply for the Assessment to the national cyberspace administration through the provincial-level cyberspace administration of the place where it is located. Article 2 further states that “where data has not been notified to the data processor, or publicly released, as important data by the relevant department or region, the data processor is not required to apply for the Assessment on the basis that the data is important data.” Enterprises can therefore determine whether their cross-border transfers involve important data by closely monitoring the notifications and public releases of important data by the relevant departments and regions.

(4) Validity Period of a Passed Assessment

Article 9 of the Provisions extends the validity period of an Assessment result from two years under the Measures for the Security Assessment of Outbound Data Transfer to three years from the date the result is issued, and introduces an extension mechanism: where the validity period is about to expire, the data processor needs to continue the outbound data activity, and no circumstance requiring re-application for the Assessment has arisen, the data processor may, within 60 working days before expiry, apply to the national cyberspace administration through the provincial-level cyberspace administration of the place where it is located for an extension of the validity period. If the national cyberspace administration approves the application, the validity period is extended by three years.

Provided none of the following circumstances listed in Article 14 of the Measures for the Security Assessment of Outbound Data Transfer, each of which requires re-application for the Assessment, has arisen, an enterprise may apply under the Provisions for a three-year extension: “(1) the purpose, method, scope or type of data provided abroad, or the purpose or method of processing by the overseas recipient, changes in a way that affects the security of the outbound data, or the overseas retention period of personal information or important data is extended; (2) the data security protection policies, laws or regulations or the cybersecurity environment of the country or region where the overseas recipient is located change, another force majeure event occurs, the actual control of the data processor or the overseas recipient changes, or the legal documents between the data processor and the overseas recipient are amended, in a way that affects the security of the outbound data; (3) any other circumstance affecting the security of the outbound data arises.”

(5) Other Obligations of Data Processors

The Provisions also expressly require data processors to: (1) inform personal information subjects of the cross-border transfer, obtain the individual's separate consent and carry out a personal information protection impact assessment, as required by law (Article 10); (2) fulfill their data security protection obligations by adopting technical and other necessary measures to safeguard the security of the outbound data (Article 11); and (3) where a data security incident occurs or may occur, take remedial measures and report promptly to the cyberspace administration at or above the provincial level and to other relevant competent authorities (Article 11).


05

Summary Chart



About the Authors

Hu Jing

Partner, Grandall Law Firm (Beijing)

Practice areas: data compliance, export control and economic sanctions, corporate governance

Email: hujing@grandall.com.cn

Chen Jingxuan

Paralegal, Grandall Law Firm (Beijing)

Practice areas: data compliance, corporate governance, investment and M&A

Email: chenjingxuan@grandall.com.cn

Zhang Yukun

Trainee lawyer, Grandall Law Firm (Beijing)

Practice areas: data compliance, corporate governance, investment and M&A

Email: zhangyukun@grandall.com.cn


[Special statement: The views expressed in this article are solely those of the authors, are provided for reference and discussion only, and do not constitute any form of legal opinion or advice from the firm or its lawyers.]