Recent developments in the Shanghai Pilot Free Trade Zone to facilitate cross-border data transfers are expected to provide greater flexibility in exporting data from China, which has been stymied by the Cyberspace Administration of China (“CAC”)’s strict cross-border data transfer regulations proposed in December 2023. In recent years, the legal framework and practical enforcement for cross-border data transfers in China have undergone significant developments, especially with respect to the CAC’s cross-border data transfer security reviews and standard contractual clauses. The lack of clarity around the CAC’s strict rules for security assessment reviews appears to have caused significant delays in the approval process for cross-border data transfers and concern among international companies who regularly transfer data outside of China. However, it appears that the Shanghai government is likely to permit international companies to transfer data offshore by leveraging its sprawling free trade zones. Shanghai, for example, has recently unveiled new measures aimed at accelerating cross-border data transfers.
On December 7, 2023, China’s State Council issued its Overall Plan for Promoting High-level Institutional Opening-up in the China (Shanghai) Pilot Free Trade Zone by Comprehensively Aligning with International High-standard Economic and Trade Rules (the “Overall Plan”), assigning Shanghai the objective of “building a national institutional-type opening-up exemplary site,” and setting the direction for the Shanghai Pilot Free Trade Zone to promote further relaxation of cross-border transfer restrictions under the new framework.
To implement the pilot programs of the “Overall Plan,” the Shanghai government issued its Implementation Plan for Shanghai to Implement Overall Plan for Promoting High-level Institutional Opening of China (Shanghai) Pilot Free Trade Zone by Comprehensively Connecting with International High-Standard Economic and Trade Rules on February 3, 2024 (the “Implementation Plan”). On February 6, 2024, the Information Office of the Municipal Government of Shanghai held a press conference to introduce the key aspects of the Implementation Plan, which proposes a series of measures to regulate and foster cross-border data transfer, e.g., developing an Important Data Catalog[1], exploring the establishment of lawful, secure and expedient cross-border data transfer mechanisms, and creating a cross-border data service center in the Free Trade Zone (including the Lingang Special Area[2]) (“Free Trade Zone”). The latter is a new government department with the authority to conduct preliminary reviews of applications for cross-border data transfers. Specifically, the Implementation Plan provides that financial institutions are permitted to transfer operational data outside of China pursuant to applicable security policies and measures.
The Implementation Plan also outlines additional measures related to promoting data sharing and the development of digital trade in the Free Trade Zone. In accordance with the principles outlined in the Implementation Plan, the Lingang Special Area will take the following measures:
Development of "General Data Lists" and "Important Data Catalogs" for Cross-Border Data Transfers
As of February 2024, the Lingang Special Area government issued its “Data Flow Operation Guidelines,” which establish a comprehensive mechanism for “conducting pre-transfer assessments and filing, performing backup and storage during transfers, and conducting random checks and verification after transfers.” Nearly 50 scenarios for convenient cross-border transfer have been contemplated.
Furthermore, the Lingang Special Area government recently released the Management Measures for the Classification and Grading of Cross-border Data transfer in the Lingang Special Area (Trial) (“Management Measures”), which categorize cross-border data into three levels: (1) “Core Data,” (2) “Important Data” and (3) “General Data.” “Core Data” is prohibited from being transferred outside of China. Transfers involving “Important Data” must go through an initial verification and application process with the Cross-border Data Service Center of the Lingang Special Area, after which the transfers must be submitted to the local Cyberspace Administration for a security assessment. “General Data” is permitted to be transferred freely if the relevant data protection management requirements are met.
The Lingang Special Area government has formed working groups comprised of industry (and potentially other types of) stakeholders to address specific data transfer scenarios within various sectors (e.g., intelligent connected vehicles, financial planning, high-end shipping, international trade, biomedicine and cultural export). The working groups are tasked with developing “General Data” lists and “Important Data” catalogs.
The establishment of a dedicated cross-border data service center is intended to streamline processes for the submission of application materials, consultation, and preliminary review of data transfers, offering a potential means for enterprises within the Lingang Special Area to expedite their cross-border transfers.
Mutual Recognition of Standard Contracts and Personal Information Protection Certification
The Lingang Special Area is also developing pilot projects for the mutual recognition of international data related rules[3], with the intention of increasing cooperation with the Digital Economy Partnership Agreement (“DEPA”) countries in the field of digital trade, actively establishing the Lingang Special Area as a model site of DEPA cooperation[4], and promoting the implementation of new rules such as “paperless trade” in the Lingang Special Area. In particular, the Lingang Special Area is exploring a pilot program to implement standard contracts for cross-border data transfers and a personal information protection certification.
Establishment of the International Data Industrial Park
The Lingang Special Area has stated that one of its objectives is to accelerate the development of key industries such as data outsourcing, international cloud services and data compliance. It has also stated that it is actively cultivating the offshore data industry, exploring new types of businesses such as offshore data processing, data analysis and data storage, and promoting the establishment of the model center of digital trading. To promote such business in China, it appears the government has recognized that it is necessary to allow for less stringent cross-border data transfer rules.
[1] The “important data catalog” is a list of data elements that are subject to heightened assessment requirements.
[2] Shanghai Pilot Free Trade Zone consists of several areas and Lingang Special Area is one such area.
[3] The specific data protection and data related rules and regulations, as well as participating countries, were yet to be announced at the time of publication.
[4] The Digital Economy Partnership Agreement (DEPA) is currently between Singapore, Chile and New Zealand. China applied for membership on Nov 1, 2021.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code