Authors:
The Cybersecurity Administration of China (CAC) announced a new rule to regulate cross-border data transfer on March 22, 2024. Highlights include the following:
- Regulatory oversight will focus on outbound transfer of personal information of data subjects that reside in China and important data.
- The CAC renounced the catalogue-based approach to define “important data”. Controllers of important data will be notified by authorities on a case-by-case basis.
- Outbound transfer of bulk personal information will require a security review by the CAC (if the total quantity of data subjects exceeds one million within a 12-month period from January 1) or Personal Information Protection Law Standard Contractual Clauses (“PIPL SCCs”) (if the total quantity of data subjects is between 100,000 and one million within a 12-month period from January 1). The limit that applies to sensitive personal information for security review by the CAC is 10,000 data subjects within the same 12-month period. If the total quantity is less than 10,000 data subjects, only PIPL SCCs will be required.
- Free trade zones are authorized to define the degree of regulatory oversight with some discretion. Specifically, they can define a “Negative List” of personal information and important data that is subject to regulatory oversight. Data that is not on the Negative List is free to be transferred outbound.
Subscribe to Ropes & Gray Viewpoints by topic here.
Stay Up To Date with Ropes & Gray
Subscribe to Our Podcast
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Follow Us on Social
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
Join Our Mailing List
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.