On September 28, 2023, Cyberspace Administration of China ("CAC") publicly announced a request for comments on the Provisions on Regulating and Facilitating Cross-border Flow of Data (Exposure Draft) (the "Exposure Draft"). The deadline for feedback on the Exposure Draft is October 15, 2023.

Since 2022, CAC has issued documents such as the Security Assessment Measures for Data Provision Abroad and the Measures for Standard Contracts for Personal Information Outbound, which set out specific regulations on outbound requirements involving information collected within China. According to these documents, processors of data and personal information that meet different conditions should choose one of the following methods before the data crosses the border:

1. apply a data outbound security assessment;
2. signing a standard contract for the exit of personal information;
3. pass the personal information protection certification;

However, these documents have encountered a number of problems in practice. This exposure draft is considered by the law to supplement and refine these provisions, targeting the following types of detailed provisions:

Category 1: the first type of data that does not need to be declared for data exit security assessment, the conclusion of a standard contract for the exit of personal information, and the certification of personal information protection:

• data generated in international trade, academic cooperation, multinational manufacturing and marketing activities out of China that do not contain personal information or important data;
• personal information not collected and generated within China is provided outside of China.
• personal information must be provided outside of China for the purpose of entering into or fulfilling a contract to which the individual is a party, such as cross-border shopping, cross-border remittance, air ticket and hotel booking, visa application, etc;
• where personal information of internal employees must be provided outside of China for the implementation of human resource management in accordance with labor rules and regulations formulated in accordance with the law and collective contracts signed in accordance with the law;
• in case of emergency, personal information must be provided outside of China to protect the life, health and property safety of natural persons.

Category 2: If it has not been notified or publicly released as important data by the relevant departments or regions in China, the data processor is not required to declare the data as important data for outbound security assessment;

Category 3: Where personal information is provided outside of China based on the consent of the individual, the consent of the subject of the personal information shall be obtained. There are three different scenarios depending on the amount of personal information collected:

• If it is expected that less than 10,000 individuals' personal information will be provided outside of China within one year, there is no need to declare a data exit security assessment, enter into a standard contract for the exit of personal information, or pass a certification for the protection of personal information.
• If it is expected to provide more than 10,000 people and less than 1 million people with personal information outside China within one year, and if it enters into a standard contract on personal information exportation with the overseas receiver and files it with the provincial net information department or passes the certification of personal information protection, it may not declare the data exportation security assessment;
• If more than 1 million people's personal information is provided overseas, the data exit safety assessment shall be declared.

It is important to note that this provision has modified the amount of personal information specified in Article 4 of the Security Assessment Measures for Data Provision Abroad, but it does not exempt the obligation of personal information protection impact assessment.

The Chinese government has developed this Exposure Draft in order to facilitate the cross-border and flow of data. Of course, it does not solve all the practical problems encountered by enterprises in data export. For foreign enterprises that collect data, especially personal information, in China, a complete internal data inventory and assessment is still advised, and the companies could then choose a data export path that suits their situation.