Cross-border transfers of personal data under the Chinese law after the amendment of March 2024. A comparison to the GDPR

The entry into force of China's Personal Data Protection Law on 1 November, 2021 created a statutory comprehensive data protection system from the existing patchwork of regulations, including cross-border personal data transfers. China's PIPL has been considered as one of the most stringent data privacy laws in the world. Indeed, despite its apparent inspiration from the European GDPR, it contains solutions for cross-border data transfers that are unknown to it and much more demanding. However, the latest Regulation of the Cyberspace Administration of China (CAC) on Promoting and Regulating Cross-border Data Flows which were announced and entered into force on 22 March 2024, liberalize the rules for transfers of personal data outside China. It introduces exceptions to cross-border data transfer mechanisms similar to derogations under the GDPR. They also reduce the volume of personal data which, when exceeded, requires the use of certain transfer mechanisms. The amendment simplifies the rules for transferring data outside China by foreign companies operating also in China and by Chinese exporters. Its purpose is, among others, facilitating cross-border e-commerce, cross-border payments, and transferring employee personal data abroad within corporate groups. The topic of the article is Chinese data transfer regulations and their comparison to GDPR from a normative perspective.

Bibliografia/References

 

Aw, Ch. i in. (2023, czerwiec). A practical comparison of the EU, China and ASEAN standard contractual clauses. IAPP. https://iapp.org/resources/article/a-practical-comparison-of-the-eu-china-and-asean-standard-contractual-clauses/

Cao, E., Wang, E., & Goh, B. (2024, March 22). China relaxes security review rules for some data exports. Reuters. ttps://www.reuters.com/technology/cybersecurity/chinas-cyberspace-regulator-issues-rules-facilitate-cross-border-data-flow-2024-03-22/?mkt_tok=MTM4LUVaTS0wNDIAAAGSFdhBgPIqRfBJBA5qHYbdEGl98TA9BxOhALZPiYlpZaQ5skX8pTYvzFUn7b0fhEWpRb4Gofgm553lmNscic3-Pzd0Tn8pLhRaMTXQpglEqx7-

Chen, C., & Roos, M. (2023, August 15). Adequacy: Chinese Law firm Issues FAQ on Standard Contracts for Data Transfers. China Lawyer. https://www.rplawyers.com/qa-on-export-of-personal-information-under-the-standard-contract/

Creemers, R., Triolo, P., Sachs, S., Lu, X., & Webster, G. (2018, March 26). China’s cyberspace authorities set to gain clout in reorganization. New America. https://www.newamerica.org/cybersecurity-initiative/digichina/blog/chinas-cyberspace-authorities-set-gain-clout-reorganization/

Decyzja wykonawcza Komisji (UE) 2021/914 z dnia 4.06.2021 r. w sprawie standardowych klauzul umownych dotyczących przekazywania danych osobowych do państw trzecich na podstawie rozporządzenia Parlamentu Europejskiego i Rady (UE) 2016/679, C/2021/3972, Dz. Urz. L 199, 7.06.2021, s. 31–61.

Decyzja wykonawcza Komisji (UE) 2021/914 z dnia 4.06.2021 r. w sprawie standardowych klauzul umownych dotyczących przekazywania danych osobowych do państw trzecich na podstawie rozporządzenia Parlamentu Europejskiego i Rady (UE) 2016/679, C/2021/3972, Dz. Urz. L 199, 7.06.2021.

Draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information, 国家互联网信息办公室关于《个人信息出境个人信息保护认证办法（征求意见稿）》公开征求意见的通知_中央网络安全和信息化委员会办公室.

EDPB. (2018, 25 maja). Wytyczne 2/2018 w sprawie wyjątków określonych w art. 49 rozporządzenia 2016/679. https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_pl.pdf

European Commission. (1997, June 26). Data Protection Working Party. First orientations on Transfers of Personal Data to Third Countries – Possible Ways Forward in Assessing Adequacy. WP 4, XV D/5020/97-EN. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/1997/wp4_en.pdf

Gamvros, A., & Kwok, R. (2023, October 20). China proposes to ease cross border data transfer restrictions. Data Protection Report. https://www.dataprotectionreport.com/2023/10/china-proposes-to-ease-cross-border-data-transfer-restrictions/

Grose, A., & Li, R. (2025, January 24). China releases final regulation on network data security management. XL Insights+. https://www.xllawconsulting.com/post/china-releases-final-regulation-on-network-data-security-management?form=MG0AV3&form=MG0AV3

Guidance on Network Security Standardised Practice – Technical Specification for Certification of Personal Information Cross-Border Processing Activities V2.0 (TC260-PG-20222A) (PI Certification Specification V2.0), 网络安全标准实践指南—个人信息跨境处理活动安全认证规范V2.0. https://www.tc260.org.cn/upload/2022-12-16/1671179931039025340.pdf; https://www.tc260.org.cn/front/postDetail.html?id=20221216161852

https://www.redipd.org/sites/default/files/2023-02/anexo-modelos-clausulas-contractuales-en.pdf

Krzysztofek, M. (2024, kwiecień–czerwiec). Transfer danych osobowych z Turcji. ABI Expert.

Livingston, S., & Nunlist, T. (2024, July 11). Navigating China's new guidelines for exporting 'important data'. IAPP, https://iapp.org/news/a/navigating-china-s-new-guidelines-for-exporting-important-data-

Lu, Y., Wang, Z., & Zhang, M. X. Y. (2025). Draft Measures for Personal Information Protection Certification for Cross-Border Data Transfers Released for Public Comment. National Law Review, XV(59). https://natlawreview.com/article/draft-measures-personal-information-protection-certification-cross-border-data

Luo (Duoqun), D. (2023, January). International: Comparing China's Standard Contract to the EU's SCCs. DataGuidance. https://www.dataguidance.com/opinion/international-comparing-chinas-standard-contract-eus?mkt_tok=MTEzLVpZRC0zODkAAAGMfWajH0VECiF7VC01rXp9L3rojdm61g4QXXYSrw7KsSdvQpXZ9hh0zjuuOrnFkEHiVdc3uolhUy6g9X8BhIw4zW6Qil8e0Y_fV_TfCBzdrA

Oświadczenie prasowe CAC z 22.03.2024 r., 促进和规范数据跨境流动规定》答记者问. http://politics.people.com.cn/n1/2024/0322/c1001-40201502.html

Personal Information Protection Law (PIPL). 中华人民共和国个人信息保护法. https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm

Przepisy dotyczące promowania i regulowania transgranicznego przepływu danych przyjęte przez CAC, 中华人民共和国国家互联网信息办公室) 28.11.2023 r., ogłoszone i weszły w życie 22.03.2024 r. (促进和规范数据跨境流动规定》已经2023年11月28日国家互联网信息办公室2023年第26次室务会议审议通过，现予公布，自公布之日起施行2024年3月22日) (Regulation on Promoting and Regulating Cross-border Data Flows). https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm

Q&A Measures for the security assessment of transfers of data abroad. http://www.cac.gov.cn/2022-08/31/c_1663568169996202.htm

Smith, G. J. H. (2007). Internet law and regulation. Sweet & Maxwell.

The Guidelines for Application for Security Assessment of Cross-border Data Transfer (2. Edition), 数据出境安全评估申报指南（第二版. https://www.cac.gov.cn/2024-03/22/c_1712783131692707.htm, https://www.cac.gov.cn/cms/pub/interact/downloadfile.jsp?filepath=ekdHFflbXTKqZLE43DV~bbqEydxfUD7/3PLj0VDpAPf56IEYOPwPnP8nt7HBsXliNy0WFZDYOy78MIC8huRxBp3MoQYVYfXaOeBYjB154YQ=&fText=%E6%95%B0%E6%8D%AE%E5%87%BA%E5%A2%83%E5%AE%89%E5%85%A8%E8%AF%84%E4%BC%B0%E7%94%B3%E6%8A%A5%E6%8C%87%E5%8D%97%EF%BC%88%E7%AC%AC%E4%BA%8C%E7%89%88%EF%BC%89 (dostęp: 9.04.2024).

The Guidelines for Filing of Standard Contract for Cross-border Transfer of Personal Information (2. Edition), 个人信息出境标准合同备案指南（第二版. https://www.cac.gov.cn/2024-03/22/c_1712783131692707.htm, https://www.cac.gov.cn/cms/pub/interact/downloadfile.jsp?filepath=ekdHFflbXTKqZLE43DV~bbqEydxfUD7/3PLj0VDpAPf56IEYOPwPnP8nt7HBsXliZ7r2c5/C4/74B6uhMvfMRJ3MoQYVYfXaOeBYjB154YQ=&fText=%E4%B8%AA%E4%BA%BA%E4%BF%A1%E6%81%AF%E5%87%BA%E5%A2%83%E6%A0%87%E5%87%86%E5%90%88%E5%90%8C%E5%A4%87%E6%A1%88%E6%8C%87%E5%8D%97%EF%BC%88%E7%AC%AC%E4%BA%8C%E7%89%88%EF%BC%89

The Ibero-American Data Protection Network. https://www.redipd.org/sites/default/files/2023-02/anexo-modelos-clausulas-contractuales-en.pdf

The Network Data Security Management Regulations. https://english.www.gov.cn/policies/latestreleases/202409/30/content_WS66fab6c8c6d0868f4e8eb720.htm

Wyrok TSUE z 6.11.2003 r. w sprawie Bodil Lindqvist v. Aklagarkammaren i Jönköping (C-101/01),   ECLI:EU:C:2003:596.

Wyrok TSUE z 12.01.2023 r. w sprawie C 154/21, RW przeciwko Österreichische Post AG, ECLI:EU:C:2023:3.

Xiao, E. (2021, August 20). China passes one of the world’s strictest data-privacy laws. The Wall Street Journal. https://www.wsj.com/articles/china-passes-one-of-the-worlds-strictest-data-privacy-laws-11629429138?reflink=desktopwebshare_permalink

Yu, X., & Tham, E. (2024, February 7). Exclusive: Shanghai to allow faster data transfer from China for foreign firms-sources. Reuters. https://www.reuters.com/world/china/shanghai-allow-faster-data-transfer-china-foreign-firms-sources-2024-02-07/

数据出境安全评估办法, Measures for the Security Assessment of Transfers of Data Abroad, 7.07.2022. http://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm