Recent developments suggest that the Shanghai government is gearing up to simplify the international data transfer process, allowing foreign entities to transfer local data beyond China’s borders.
Although the details of Shanghai’s plan are currently high level, reports indicate that the categorisation of data transferred across borders will be segmented into three distinct risk levels: “general”, “important”, and “core”.
A pilot program is scheduled for the Lingang New Area within the Shanghai Free Trade Zone, enabling foreign businesses in this region to export “general” data without hindrance. The transfer of “core” data is strictly prohibited, while “important” data will face certain restrictions.
Two separate data catalogues for “general” data and “important” data are set to be introduced, with the initial catalogues expected to be unveiled in March 2024, according to this release from the State Council of the People’s Republic of China (the “State Council”). This initiative by the Shanghai government will operate independently of the existing cross-border data transfer regulations enforced by China’s data regulator, the Cyberspace Administration of China (the “CAC”), which will continue to be applicable to foreign enterprises in the rest of the country.
This move by Shanghai to facilitate cross-border data transfers aligns with China’s broader strategy to attract and retain foreign firms, particularly in light of a decline in foreign direct investment into China, the first of its kind since 2012, as reported by Reuters. China’s existing stringent data transfer laws mandate exhaustive legal mechanisms, such as security assessments by the CAC or the acquisition of personal information protection certification, creating challenges for data exporters.
In August 2023, the State Council issued the “Opinion on Further Optimizing the Environment for Foreign Investment” (the “Opinion”), acknowledging the significance of data transfer requirements for foreign entities. The Opinion advocates for the creation of “green channels for qualified foreign-invested enterprises” and data regulations promoting the “safe, orderly and free flow of data”. It also expresses support for pilot programs in select regions, including Shanghai, aimed at forming a “list of general data that can flow freely”. The proposed measures in Shanghai appear consistent with the objectives outlined in this Opinion.
The potential relaxation of China’s cross-border data transfer regulations and a reduction in the compliance burden signals positive news for foreign businesses. In September 2023, the CAC introduced draft Provisions on Regulating and Promoting Cross-Border Data Transfers, suggesting exemptions to the existing data transfer mechanisms. However, the timeline for implementing these provisions remain uncertain. Shanghai’s proposed measures represent a promising stride towards facilitating cross-border data transfer, and contingent on the trial’s outcomes, could serve as a model for the entire country. The introduction of catalogues and data categories is poised to bring clarity to the types of data foreign enterprises can transfer, instilling greater confidence in China’s data protection framework.