Viewpoint | Understanding the basic concepts of data compliance from the "China (Tianjin) Pilot Free Trade Zone Data Exit Management List (Negative List)"
Published: 2024-06-03
On May 9, 2024, Tianjin took the lead in formulating the "Regulations on Promoting and Regulating Cross-border Flow of Data" in accordance with the spirit of the document "Regulations on Promoting and Regulating Cross-border Flow of Data" issued by the State Cyberspace Administration of China. This is China's first negative list for outbound data from a pilot free trade zone. Its content fully reflects the original intention of overall data governance: "providing convenience for enterprise data to exit in an orderly and efficient manner". The list is rich in content and helps practitioners deepen their understanding and implementation of the theory and practice of data compliance in China.
1. Background and Basis of the Negative List
According to Article 37 of the Cybersecurity Law, Article 31 of the Data Security Law, and Article 4 of the Measures for Data Exit Security Assessment, data processors that provide abroad important data collected and generated within the territory of the People's Republic of China shall pass the data exit security assessment organized by the national cybersecurity department. According to the results of public channel inquiries, by the end of 2023, only 29 enterprises had successfully passed the data outbound declaration ("approval" or "filing" by the national network information department). Compared with the more than 1,000 declarations accepted by the national network information office and provincial network information offices, the data outbound declaration pass rate was only 1%. The strict declaration process of the data exit security assessment stands in contrast with the urgent needs of the booming data economy and cross-border data circulation. On the basis of the basic legal framework of data exit security management, there is an urgent need to build more specific and supportive institutional guarantees at the implementation level through administrative norms. The first problem to be solved is to build a clear list of the scope of data, including important data, that must be included in the data exit security assessment.
In this context, on July 25, 2023, the State Council issued the Opinions on Further Optimizing the Foreign Investment Environment and Increasing the Attraction of Foreign Investment, supporting pilot exploration in Beijing, Tianjin, Shanghai, the Guangdong-Hong Kong-Macao Greater Bay Area and other places to form a list of general data that can flow freely. On March 22, 2024, the State Cyberspace Administration of China issued the Regulations on Promoting and Regulating the Cross-border Flow of Data, proposing that pilot free trade zones can, under the framework of the national data classification and grading protection system, formulate their own lists (hereinafter referred to as negative lists) of data that must be included in the management scope of data exit security assessment, personal information exit standard contracts, and personal information protection certification. The above documents provide the policy compliance basis for the "China (Tianjin) Pilot Free Trade Zone Data Outbound Management List (Negative List)" (referred to as the "Negative List"), jointly issued by the Tianjin Municipal Bureau of Commerce and the China (Tianjin) Pilot Free Trade Zone Management Committee.
2. Interpretation of the China (Tianjin) Pilot Free Trade Zone Data Exit Management List (Negative List) (2024 Edition)
1. The Significance of the Negative List
As the first specific regulation at the implementation level in the field of data exit management, the Negative List can be said to fill the institutional gap in this field. It has opened a new stage in building a system that effectively solves the problem of enterprise data exit and helps cultivate new advantages in international economic cooperation and competition. The author believes that its core significance can be summed up by the phrase in the first section of the document, "Purpose Meaning": to "facilitate the orderly and efficient exit of enterprise data in accordance with the law".
The so-called "in accordance with the law" means that the document strictly implements laws and regulations such as the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", the "Personal Information Protection Law of the People's Republic of China", the "Data Exit Security Assessment Measures", the "Personal Information Exit Standard Contract Measures", and the "Regulations on Promoting and Regulating Cross-border Data Flow", coordinates development and security, and adheres to the bottom line of national data security.
The so-called "orderly" means that the formulation of the document fully takes into account the requirements of laws, regulations and national industry authorities for data classification and grading, and the standards for the scale and type of personal information. On the one hand, important data identified by national industry authorities or local authorities is included in the scope of list management to ensure compliance with relevant national data exit management requirements. On the other hand, focusing on protecting the rights and interests of personal information, standardizing personal information processing activities, and promoting the rational use of personal information, the exit of personal information that meets the requirements of scale and type is included in the management scope of the "Negative List".
The so-called "high efficiency" means that the document fully embodies the advantages of the pilot free trade zone's first-trial policy and, based on the principle of simplicity and practicality, explores and forms an operable, implementable, easy-to-grasp facilitation management mechanism for cross-border data flow.
2. Main contents of the Negative List
The main content of the "Negative List" is actually an 11-page form, which consists of only two parts:
The first part lists thirteen data categories (strategic materials and commodities, natural resources and environment, etc.) that need to pass the data exit security assessment. Each category has 2 to 11 data subcategories (46 subcategories in total). Each subcategory describes the basic characteristics of the data in detail and gives specific examples.
The second part concisely and clearly defines the scope of the list of data for which a personal information exit standard contract must be concluded or personal information protection certification must be passed. It is limited to "data processors other than critical information infrastructure operators that have cumulatively provided overseas, since January 1 of that year, the personal information of more than 100,000 people and less than 1 million people (excluding sensitive personal information), or the sensitive personal information of less than 10,000 people (except for the circumstances stipulated in Articles 3 and 4 of the Provisions on Promoting and Standardizing Cross-border Flow of Data)".
It is true that there is still some controversy in academic and practical circles as to whether the "Negative List" can fully cover the important data types that should be assessed for data exit security. However, the author believes that no gold is entirely pure, let alone an innovative exploratory document. The "Negative List" is undoubtedly a useful exploration that helps inspire "data exit in an orderly and efficient manner in accordance with the law", and this may be the main significance of the "Negative List". For this reason, the "Negative List" clearly states that new situations and new problems that arise during its use will be negotiated and communicated by the Tianjin Cyberspace Administration, the Municipal Bureau of Commerce, the Municipal Data Bureau, and the Tianjin Pilot Free Trade Zone Management Committee in conjunction with relevant departments, which will jointly study and formulate countermeasures and make explanations. At the same time, if the relevant policies and regulations of the national industry authorities change and the contents of the Negative List are inconsistent with them, their provisions shall be followed.
3. How to understand the remarks in the Negative List
The remarks in the Negative List are supplementary explanations for their corresponding subcategories, which can be roughly divided into 3 categories:
The first is remarks that exempt data from management. For example, the remark for the marine subcategory in the natural resources and environment category is "except for data that have been publicly released by relevant departments such as natural resources"; data that has been publicly released by the competent departments of the industry is exempted from the list of data that must be declared for data exit security assessment. Most of the remarks in the Negative List belong to this category.
The second is remarks that include data in management. For example, the remark for the environmental protection subcategory in the natural resources and environment category is "data that have been individually disclosed but have not been disclosed according to regional and industry statistics are included in the list management", which specifies the special circumstances that must be included in the list of data to be declared for data exit security assessment.
The third is explanatory remarks. For example, the remark for the emergency management subcategory in the public safety category is "for 'a certain precision, a certain range, and a certain scale', the specific requirements shall be subject to the policy documents issued by relevant departments such as emergency management", which further explains the more general concepts in the subcategory description.
4. Data exits exempt from declaring a data exit security assessment, concluding a personal information exit standard contract, or passing personal information protection certification
For enterprises in the Tianjin Pilot Free Trade Zone, the following seven types of data exit activities are exempt from declaring a data exit security assessment, concluding personal information exit standard contracts, and passing personal information protection certification:
First, the data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, transnational manufacturing and marketing are provided overseas, and do not contain personal information or important data.
Second, personal information collected and generated abroad is provided to overseas after being transmitted to domestic processing, and no domestic personal information or important data is introduced in the processing process.
Third, in order to conclude and perform contracts in which an individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket hotel reservation, visa processing, examination service, etc., it is really necessary to provide personal information to overseas.
Fourth, cross-border human resources management is implemented in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract signed in accordance with the law, and it is really necessary to provide employees' personal information abroad.
Fifth, in order to protect the life, health and property safety of natural persons in an emergency, it is really necessary to provide personal information abroad.
Sixth, data processors other than key information infrastructure operators have cumulatively provided personal information (excluding sensitive personal information) of less than 100000 people abroad since January 1 of that year.
Seventh, data outside the Negative List is provided overseas. Among them, the personal information provided abroad under the third to seventh conditions does not include personal information that has been notified by relevant departments or regions, or publicly released, as important data.
3. Analysis of Basic Concepts in the Data Compliance Field in the Negative List
1. Information and data
On September 1, 2021 and November 1, 2021, the state implemented the Data Security Law and the Personal Information Protection Law almost simultaneously. Together with the Cybersecurity Law implemented on June 1, 2017, they constitute the three basic laws in the field of data compliance. The relevant provisions use both "data" and "information" as concepts. What is the relationship between the two, and can they be used interchangeably?
The author's understanding follows the definition of data, "any record of information by electronic or other means", in the national standard GB/T 43697-2024 "Data Security Technology Data Classification Rules", to be officially implemented on October 1, 2024: data is the carrier of information, while information is the connotation of data and the substantive content to be conveyed. The two interact with each other and are even the origin of each other: the cognitive processing of data can form information, and the collection and analysis of information produces new levels of data.
2. Important data
According to the "Data Exit Security Assessment Measures", important data refers to data that may endanger national security, economic operation, social stability, public health and safety once it has been tampered with, destroyed, leaked, illegally obtained, illegally used, etc.
The "Data Security Law" stipulates that the national data security work coordination mechanism coordinates relevant departments to formulate important data catalogues and strengthen the protection of important data. All regions and departments shall, in accordance with the data classification and grading protection system, determine the specific catalogues of important data in their respective regions, departments and related industries and fields, and focus on the protection of the data listed in the catalogue.
3. Personal information and sensitive personal information
According to the "Personal Information Protection Law", personal information refers to various information related to identified or identifiable natural persons recorded electronically or otherwise, excluding anonymized information. Anonymization refers to the process of handling personal information so that a specific natural person cannot be identified and the information cannot be restored. Sensitive personal information refers to personal information that, once leaked or illegally used, can easily lead to the infringement of the personal dignity of natural persons or harm to their personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and other information, as well as the personal information of minors under the age of 14. For the identification and differentiation of personal information and sensitive personal information, please refer to the national standard Information Security Technology-Personal Information Security Specification (GB/T 35273-2020).
4. Data Exit
According to the Guidelines for the Application of Data Exit Security Assessment (Second Edition) and the Guidelines for the Filing of Personal Information Exit Standard Contracts (Second Edition) issued by the State Cyberspace Administration of China on March 22, 2024, data exit behavior includes the following situations: (1) data processors transmit abroad the data collected and generated in domestic operations; (2) the data collected and generated by data processors is stored in the country, and overseas institutions, organizations or individuals may query, retrieve, download or export it; (3) other data processing activities, such as processing the personal information of domestic natural persons abroad, that fall under the second paragraph of Article 3 of the Personal Information Protection Law.
Among them, the situations in which a data exit security assessment should be declared (see the following figure for the specific process) include: (1) key information infrastructure operators provide personal information or important data abroad; (2) data processors other than key information infrastructure operators provide important data abroad, or cumulatively provide personal information of more than 1 million people (excluding sensitive personal information) or sensitive personal information of more than 10,000 people abroad since January 1 of that year. Where Articles 3, 4, 5 and 6 of the Provisions on Promoting and Regulating Cross-Border Flow of Data apply, those provisions shall be followed.
It can be clearly seen that the thirteenth category (personal information) of the "list of data that need to pass the data exit security assessment" and the "list of data that need to enter into a standard contract for personal information exit and pass the personal information protection certification" in the "Negative List" are consistent with what the "Guidelines for the Declaration of Data Exit Security Assessment (Second Edition)" say about personal information in the situations in which a data exit security assessment should be declared. The rest of the "Negative List" is an enumerative description of the term "important data" as used in the "Guidelines for the Declaration of Data Exit Security Assessment (Second Edition)" for the situations in which a data exit security assessment should be declared.
Image source: Corporate Data Compliance Officer
5. Specific Use of the Negative List
According to the scope of application stipulated in the Negative List, enterprises with data exit needs in the Tianjin Free Trade Pilot Zone shall check the data they intend to export against the Negative List to identify whether it falls within the scope of the list. For data within the scope of the list, enterprises shall, in accordance with national regulations and according to actual conditions, declare a data exit security assessment, conclude a personal information exit standard contract or pass personal information protection certification; data outside the list can flow freely across borders. For example, if a bank, as a financial enterprise, needs to transmit some data information (e.g. bank security data, account information of important enterprises and institutions, loan data, transaction data, etc.) that may threaten national security or the security of banking institutions or above 1 million to an overseas company, it shall be included in the management of the list of data that must be declared for data exit security assessment, and the information shall be declared for exit security assessment.
To declare a data exit security assessment or file a personal information exit standard contract, log in to the data exit declaration system, website: https://sjcj.cac.gov.cn. For specific methods, please refer to the "Guidelines for the Declaration of Data Exit Security Assessment (Second Edition)" and the "Guidelines for the Filing of Personal Information Exit Standard Contracts (Second Edition)" published by the National Netcom Office. If the security assessment declaration and standard contract filing materials have been submitted offline, they do not need to be resubmitted through the data exit declaration system.
To apply for personal information protection certification, you can log in to the personal information protection certification management system, website: https://data.isccc.gov.cn. Critical information infrastructure operators or others who are not suitable to declare a data exit security assessment through the data exit declaration system shall declare it offline.
Appendix: "China (Tianjin) Pilot Free Trade Zone Data Exit Management List (Negative List)(2024 Edition)"
China (Tianjin) Pilot Free Trade Zone Data Exit Administration List (Negative List) (2024 Edition)
In order to promote the orderly cross-border flow of enterprise data in the China (Tianjin) Pilot Free Trade Zone (hereinafter referred to as the "Tianjin Pilot Free Trade Zone") in accordance with the law, promote high-level opening up, and better serve the accelerated construction of a new development pattern, the "China (Tianjin) Pilot Free Trade Zone Data Outbound Management List (Negative List) (2024 Edition)" (hereinafter referred to as the "Negative List") has been formulated.
1. Purpose Meaning
Implement laws and regulations such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Data Outbound Security Assessment Measures, the Personal Information Outbound Standard Contract Measures, and the Regulations on Promoting and Regulating Cross-border Data Flow; align with international high-standard economic and trade rules; explore institutional openness in the digital field; and build a new model for cross-border data flow management, so as to facilitate the orderly and efficient exit of corporate data in accordance with the law and effectively enhance the business environment and the international competitiveness of enterprises.
2. Basic Principles
1. Adhere to overall planning. Coordinate development and security, adhere to the bottom line of national data security, promote the orderly flow and development and utilization of data resources on the basis of ensuring the security of important data and safeguarding the rights and interests of personal information, and promote the high-quality development of the digital economy and digital trade.
2. Adhere to convenient compliance. Give full play to the advantages of the Tianjin Pilot Free Trade Zone's pilot policy, study the establishment of a legal and orderly cross-border data flow management model, and explore the formation of a facilitation management mechanism for cross-border data flow.
3. Adhere to being concise and practical. In accordance with the requirements of the national data exit management system, such as data exit security assessment, personal information exit standard contracts and personal information protection certification, and in combination with the actual data exit needs of enterprises and institutions in the Tianjin Pilot Free Trade Zone, an operable and implementable "Negative List" is formulated that is easy for enterprises to master and implement.
4. Adhere to dynamic adjustment. According to the national data security situation and changes in the main body of enterprises and data exit scenarios in the Tianjin Pilot Free Trade Zone, the contents of the Negative List will be dynamically adjusted to achieve the unity of ensuring security and promoting development.
3. Scope of Application
The Negative List lists the circumstances in which enterprises in the Tianjin Pilot Free Trade Zone need to declare a data exit security assessment, conclude personal information exit standard contracts, and pass personal information protection certification when providing data abroad. Enterprises in the Tianjin Pilot Free Trade Zone that provide data outside the Negative List abroad are exempt from declaring a data exit security assessment, concluding personal information exit standard contracts, and passing personal information protection certification. Data involving state secrets, core data, and government data are not included in the "Negative List" management, and the exit of such data shall be handled in accordance with relevant laws, regulations and rules.
New situations and new problems that arise in the use of the "Negative List" shall be negotiated and communicated by the Municipal Internet Information Office, the Municipal Bureau of Commerce, the Municipal Data Bureau, and the Tianjin Pilot Free Trade Zone Management Committee with relevant departments, which shall jointly study and formulate countermeasures and make explanations. If the relevant policies and regulations of the national industry authorities change and the contents of the Negative List are inconsistent with them, their provisions shall be followed.
4. Key Considerations
1. Implement data classification and grading management requirements. Strictly following laws and regulations and the data classification and grading requirements of the national industry authorities, the important data recognized by the national industry authorities or this city shall be included in the management of this list, and the relevant national data exit management requirements shall be complied with.
2. Strengthen the protection of personal information. Focusing on protecting the rights and interests of personal information, regulating personal information processing activities, and promoting the rational use of personal information, the exit of personal information of different scales and types is included in the "Negative List" management.
3. Serve the high-quality development of enterprises. According to the data outbound needs of enterprises for international trade and foreign exchange, the categories, basic characteristics and descriptions of outbound data management are clarified, so as to reduce the compliance costs of outbound data for enterprises and institutions and enhance their competitiveness.
4. Regulate data exit behavior. Strengthen the capacity-building of data exit security risk monitoring in the Tianjin Pilot Free Trade Zone, improve the ability to supervise data exit during and after the event in terms of institutional teams and technical means, and detect and dispose of illegal data exit in a timely manner. Strengthen the publicity and interpretation of the data exit policy system and standards of the Tianjin Pilot Free Trade Zone, and enhance enterprises' compliance awareness.
This list will be revised in accordance with relevant laws and regulations and the actual needs of this city.







