China streamlines cross-border data transfer: what does this mean for Australia?

Corrs Chambers Westgarth

Changes to this data exchange will benefit many industries, including banking, insurance, logistics and education.

China, one of Australia's largest trading partners, has relaxed its cross-border data transfer rules. The changes will facilitate data exchange between mainland China and Australia and benefit many industries including banking, insurance, logistics and education.

Australian companies operating in mainland China need to navigate the stringent cross-border data transfer requirements under mainland China's Personal Information Protection Law (PIPL), particularly those with a sizable Chinese customer base relying on regular data exchange with Australian headquarters. Chinese companies with Australian affiliates, partners and customers face similar hurdles, often diverting resources to comply with data transfer rules and sometimes postponing Australian business plans as a result.

Acknowledging the importance of cross-border data flow in today's global digital economy, the Cyberspace Administration of China (CAC) has recently enacted the Provisions on Promoting and Regulating Cross-border Data Flow (Provisions), which became effective on March 22, 2024. The Provisions relax and clarify data export conditions, allowing Australian and mainland Chinese companies to move personal information between Australia and mainland China with increased confidence.1

Key changes

The key regulatory changes affecting data transfers from mainland China to Australia are as follows:

  1. Entities exporting personal information of fewer than 100,000 individuals per year from mainland China are now exempted from the data export requirements under the PIPL (this exemption previously only applied to transfers of the personal information of fewer than 10,000 individuals per year).

  2. Entities exporting personal information of 100,000 individuals or more per year, or sensitive personal information of fewer than 10,000 individuals per year, have two data export options available. While the Provisions have not introduced new options, the higher threshold noted above means fewer entities need to comply with these requirements.

    • Option 1 (Standard Contract): Entities may use the standard contract made available by the CAC for data transfers and register the executed contract with the CAC. The Provisions have established a centralised online portal to facilitate and streamline these registrations.

    • Option 2 (Protection Certificate): Entities may seek a personal information protection certificate from institutions authorised by the CAC.

  3. Entities exporting personal information of one million individuals or more per year, or sensitive personal information of 10,000 individuals or more per year, or any 'important data', are required to undergo a security assessment arranged by the CAC, which seeks to evaluate the risks to national security, public interest and interests of individuals and organisations arising from the data transfer.

    'Important data' is "data that may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked, or illegally obtained or used". There was previously some uncertainty around the precise scope of this term in practice. The Provisions have clarified that data will only be important data if it is classified as such in subsequent regulations made by relevant authorities.

  4. The Provisions exempt entities from using the CAC standard contract, obtaining a protection certificate or undergoing a security assessment for certain transfers of personal information overseas, including transfers of:

    • personal information of fewer than 100,000 individuals per year;

    • personal information originally collected outside mainland China;

    • personal information which is necessary for the conclusion or performance of a contract with the subject of the personal information; or

    • personal information which is necessary for cross-border human resource management.

Key next steps

Given mainland China's data privacy regime and the proposed changes to Australia's privacy laws, entities transferring personal information between Australia and mainland China should consider the following:

  • Reassessing corporate structures, data practices, business plans and partner/supplier choices in light of the updated regulations.
  • Developing cross-border data transfer strategies based on new exemption thresholds, considering the type of data and number of individuals to whom it relates, and noting exemptions may not apply to entities operating critical network facilities and information systems in key industries and sectors.
  • Understanding regulatory procedures and expectations, which may vary across provinces in mainland China, and being aware of ambiguities around exemptions (e.g. what constitutes 'necessary' personal information transfer for cross-border human resource management). There may also be different requirements in China's free trade zones and select cities in the Guangdong-Hong Kong-Macao Greater Bay Area.
  • Mainland Chinese authorities' standards, guidance and recommendations, including those made under the Provisions or related to the 'Important Data' regime.
  • Conducting a cost / benefit analysis to evaluate data storage and transfer options that balance risks and opportunities.

Footnote

1 Personal information is defined under the PIPL as 'any type of information that identifies or can identify natural persons recorded electronically or by other means, but does not include anonymised information', which broadly aligns with the definition under Australia's Privacy Act 1988 (Cth).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
