New regulations re: cross-border personal data transfer (Beijing Free Trade Zone)
Hoi Tak Leung
Digital economy, technology and law in Asia | Counsel @ Ashurst, Asia lead @ Ashurst Advance | LegalTech | NewLaw |
Introduction
The Beijing Free Trade Zone (FTZ) has recently introduced new regulations to manage and facilitate cross-border data transfers:
These were issued by the Beijing Municipal Internet Information Office, Beijing Municipal Commerce Bureau, and Beijing Municipal Government Services and Data Administration Bureau on August 30, 2024. These measures aim to streamline data transfer processes while ensuring data security and compliance.
(Note: the Beijing FTZ was one of three pilot FTZs established by the State Council in August 2020, with one of its key aims being to encourage technology. With an area of 119.68 sq km, it has three sub-zones: the Sci-Tech Innovation Area (31.85 sq km), the International Business Services Area (48.34 sq km, including the 5.466 sq km Beijing Tianzhu Comprehensive Bonded Zone), and the High-End Industries Area (39.49 sq km).)
Key Components of the Regulations
Data Export Management List (Negative List)
The Negative List identifies specific industries and scenarios where cross-border data transfers are subject to stricter regulations. The list includes five key industries: automotive, pharmaceutical, retail, civil aviation, and artificial intelligence (AI). It outlines 23 business scenarios and 198 data elements that are critical for these industries.
Administrative Measures
The Administrative Measures provide detailed rules for the identification and management of important data. They reference 13 categories and 41 subcategories of data, specifying compliance requirements for various industries. The measures also outline the procedures for data handlers to follow when exporting data, including the need for security assessments, standard contract filings, and certifications of personal information protection.
Important Data Categories
Data classified as "important" under these regulations includes:
- Personal information of more than 10 million individuals (excluding sensitive personal information)
- Sensitive personal information of more than one million individuals
- Certain sensitive personal information of more than 100,000 individuals (e.g., personal bank accounts, personal insurance accounts, personal diagnostic and treatment data)
- Personal information held by operators recognized as critical information infrastructure (CII)
- High-value sensitive data related to industry competitiveness and production safety
- Data related to the supply chain involving national security
- Parameters of automatic control systems and related data
Industry-Specific Regulations
Retail and Modern Services
For the retail industry, the Negative List relaxes thresholds for membership management scenarios. For example, a security assessment is required for the cross-border transfer of more than five million individual customers' membership personal information or more than one million individual customers' membership sensitive personal information.
Automotive Industry
In the automotive industry, important data includes geographic information, vehicle flow data, and key telematics data. The thresholds for security assessments and other compliance measures remain unchanged.
Pharmaceutical Industry
The pharmaceutical industry benefits from relaxed thresholds for data transfers. For instance, a security assessment is required for the cross-border transfer of personal data of more than 50,000 individuals in clinical trials and pharmaceutical development scenarios. The Negative List also exempts certain data transfer activities from the need for a transfer mechanism, provided they fall outside the scope of the Negative List.
Civil Aviation Industry
Important data in the civil aviation industry includes flight data recorder data, voice recorder data, and aircraft health condition monitoring data. The thresholds for security assessments and other compliance measures have been relaxed for customer service scenarios.
Artificial Intelligence (AI)
In the AI industry, important data includes high-value sensitive data related to industry competitiveness and content that may endanger national security. The Negative List specifies thresholds for the cross-border transfer of sensitive personal information, such as voice, image, and text data.
Procedures for Cross-Border Data Transfer
Data handlers must submit specified documentation through the Facilitated Service Platform of Beijing Municipal Data Cross-border Transfer to the competent department of the Pilot Free Trade Zone. The department will review the application and publish the conclusion within five business days. If the data export activities fall outside the Negative List, the data handler may proceed freely. If they fall within the Negative List, the data handler must conduct a security assessment, file the standard contract, or certify the protection of personal information.
Conclusion
Following similar FTZ regulations in Shanghai and Tianjin, these new regulations in the Beijing FTZ represent a significant advancement in the management of cross-border data transfers. By identifying specific industries and scenarios, and relaxing certain thresholds, these measures aim to balance the need for data security with the facilitation of international data flows.
Link to regulations - https://mp.weixin.qq.com/s/1IP-_obEqzCj51PqVJnwoQ