In Brief

On September 29, 2023, China’s primary data protection regulator, the Cyberspace Administration of China (“CAC”), proposed new rules for cross-border data transfers from China (the “Draft Rules”). If implemented as written, the Draft Rules, which are currently subject to public comment through mid-October, will significantly roll back requirements for many US and multinational organizations. There is no specific deadline for adoption, but it is expected prior to November 30, 2023, which is the deadline for organizations already exporting personal information (“PI”) out of China to file Standard Contractual Clauses (“SCCs”) and the accompanying transfer impact assessments with the CAC.

In Depth

The Draft Rules propose various exemptions to the data transfer rules stipulated under China’s trio of data protection and cybersecurity laws, the Personal Information Protection Law (“PIPL”), the Cybersecurity Law (“CSL”), and the Data Security Law (“DSL”). These laws have provisions that restrict (i) the transfer of important data and PI collected about Chinese residents (“Residents”), and (ii) the access to this data from outside of China. These laws have additional requirements described below.

Current Requirements for Cross-Border Data Transfers

Under the PIPL, organizations transferring PI of Residents to jurisdictions outside of China must apply to use one of three transfer mechanisms: (i) certification by a CAC-designated institution, which is not generally used due to lack of guidance; (ii) a security assessment administered by the CAC; or (iii) SCCs with a self-assessment filed with the relevant CAC provincial office. Collectively, the three transfer mechanisms are referred to as “Transfer Mechanisms”.

Under PIPL, certain organizations are subject to a security assessment administered by the CAC, including those:

  1. Considered critical information infrastructure operators (“CIIO”);
  2. Who transfer “important data” outside of China; important data is not defined but is generally data that, if breached, would jeopardize national security or public interest; or
  3. Who meet certain thresholds for processing or transferring personal data, including processing the PI of more than one million Residents or transferring out of China the PI of more than 100,000 Residents or the sensitive PI of more than 10,000 Residents since January 1 of the preceding calendar year.

There is also a catch-all provision under PIPL for “other circumstances where the CAC requires a security assessment.”

For all other organizations that transfer PI of Residents but do not meet one of the thresholds above, agreements incorporating the SCCs and the self-assessment must be filed, in Chinese, with the provincial CAC in lieu of a security assessment by November 30, 2023. Organizations with multiple entities in China, that operate in more than one province, or that utilize local data processors who transfer PI may be required to make separate filings for each entity, in each province, and for each processor.

Exemptions under Draft Rules

The following data transfer activities are exempted under the Draft Rules; as such, the utilization of a Transfer Mechanism and CAC approval for same is not required:

  1. Organizations that transfer PI of fewer than 10,000 Residents annually. This is a critical exemption for many US and multinational companies, including business to business (“B2B”) companies and those with manufacturing operations in China. These organizations generally do not collect significant consumer data and instead collect only employee and B2B contact data. Organizations would be exempt if the data of fewer than 10,000 Residents is transferred each year.
  2. Contractual necessity. Organizations that transfer PI as part of an international services contract may also be exempt. Such contracts may govern cross-border payments or commerce, retail, travel, and visa applications.
  3. Necessary for Human Resources Management. Transfers of employee PI may be exempt if such data is necessary to perform HR functions or to administer collective employee agreements, if such functions or agreements comply with China labor law requirements. However, it is not clear what is “necessary”; for example, would the transfer of HR data to a central processor for efficiency or cost reasons be considered necessary?
  4. Necessary to protect a Vital Interest. Data transferred to protect the health or safety of an individual in an emergency is exempt. This likely includes transfers of health data in an emergency.
  5. Data related to International Trade, Academic Cooperation, Transnational Manufacturing, and Marketing. To the extent there is no important data or PI, data in these broad categories would be exempt from Transfer Mechanism requirements.

The Draft Rules also clarified certain ambiguous requirements, including around important data. The CAC recognized that it has not defined important data and said an organization may operate as if it does not have important data until the term is explicitly defined or until the organization is notified by the CAC that it has important data.

The motivation behind the CAC’s Draft Rules is not fully clear, but China has said it wants to encourage foreign investment, particularly at a time when many multinational companies are considering leaving China due in part to regulatory challenges like these transfer restrictions. The CAC has indicated that it may not have sufficient resources to review the significant number of additional filings expected on or near the November 30 deadline.

Continuing Requirements under China Laws

The Draft Rules apply specifically to the Transfer Mechanism requirements. However, organizations must still comply with other data protection obligations under PIPL, CSL, DSL, industry-specific rules, and other China data laws, including the Anti-Espionage Law. In the Draft Rules, the CAC says it will continue to oversee and supervise data processing and transfer activities.

Organizations should prioritize the following requirements under PIPL:

  1. Document the legal basis to process data
  2. Provide Privacy Notice; PIPL has specific requirements for this Notice
  3. Conduct data mapping to document the categories of data collected in, and transferred from, China and other data processing activities
  4. Conduct a data transfer impact assessment
  5. Document the reasons the company determined that a Transfer Mechanism was not required

If you have any questions or would like to further discuss the Draft Rules or the Chinese privacy and cybersecurity laws generally, contact one of the Baker McKenzie attorneys listed below.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Jay Ruan specializes in corporate and M&A and regulatory advisory matters in China. He has acted for clients across a broad range of industries, and has extensive experience in advising clients on strategic joint ventures and business alliances, corporate-commercial and technology transactions, TMT regulatory matters as well as financial service and insurance regulatory.