October 13, 2023
On behalf of the over 270 members of the US-China Business Council (USCBC), we appreciate the opportunity to provide comments to the Cyberspace Administration of China (CAC) on the draft Provisions on Regulating and Facilitating Cross-Border Data Flow (hereinafter referred to as “the Draft”). We appreciate the CAC’s efforts to relax requirements on outbound data flows, which will contribute to improving business sentiment for multinational companies that conduct business with China. We are grateful for the CAC’s efforts to maintain transparency and its consideration of industry perspectives during this process.
USCBC and its member companies encourage the CAC to fully consider industry feedback on areas of the Draft that stand to impact US businesses operating in China. The Draft is a welcome step, but we encourage additional clarity and exemptions in order to reduce the operational burdens on companies. There remain several areas of ambiguity, which could impose barriers on companies. In particular, we would like to highlight the following key points:
1. Clarify relationships among articles
- Articles 1 to 7 provide a variety of exemptions for security assessments. It is critical to clarify how these exemptions interact with each other. For example, the volume thresholds articulated in Articles 5 and 6 should only count personal data records that are not covered by the exclusions set forth elsewhere in the Draft.
2. Treatment of sensitive personal information
- It remains unclear whether the exemptions and numeric thresholds outlined in the Draft are applicable to sensitive personal information governed by the Personal Information Protection Law (PIPL). The Draft should clarify the treatment of personal information and sensitive personal information.
3. Inconsistency with existing laws
- The Draft could conflict with existing laws, such as the PIPL, Cybersecurity Law, and Data Security Law. We recommend aligning existing laws and regulations with the Draft to reduce inconsistencies.
4. Greater clarity and examples regarding exemptions
- For exemptions outlined in the Draft, we encourage listing more examples to give companies greater clarity on which scenarios qualify as exemptions. For instance, it is unclear whether the exemption included in Article 4(1) applies to the cross-border transfer of customers’ personal information for multinational businesses in the hotel and airline industries.
5. Uncertainty for existing submissions
- The Draft should clarify how companies that already submitted outbound data security assessments to provincial or central CACs should proceed. We recommend that the Draft offer specific guidance or a mechanism for companies. If the Draft is not adopted before the existing measures on data export security assessment go into effect, companies are forced to choose between facing more compliance risk or bearing significant cost to pass the data export security assessment.
6. Lingering questions on important data
- We encourage regulators to adopt a consistent definition and classification of “important data.” Additionally, it remains unclear what the Draft means by relevant departments or regional administrations, and such notification by these authorities should be written and not verbal only. We also recommend that, if a company receives notice that its data is classified as important data, outbound data security assessments be prospective, not retroactive.
7. Ambiguity surrounding negative lists
- We encourage the issuance of a national-level Negative List. We also recommend requiring Free Trade Zones (FTZs) to adopt negative lists that are consistent with, and no more restrictive than, any national-level Negative List, as this will ease compliance burdens for businesses. Otherwise, companies that operate in multiple jurisdictions may be required to adhere to inconsistent rules. We also seek clarity on when such lists will be issued.
8. Numeric thresholds remain burdensome and unclear
- We encourage regulators to increase the numeric threshold from 10,000 to 100,000 individuals, providing more companies with exemptions from all security assessment requirements when exporting personal information. Low thresholds do not adequately ease the operational burdens on companies. We also encourage additional clarity on how thresholds will be applied to companies that have multiple subsidiaries in China.
9. Consistency with international norms
- To the degree possible, we urge regulators to strive for consistency with other international frameworks. For example, if a standard contract for cross-border transfer is required, we recommend that the CAC align its requirements with those of the European Union’s Standard Contract Clauses, where registration is not required but the contract must be presented to the regulator upon request.
Read our full submission below.