欧盟企业在中国建议书（2024-2025）网络安全子工作组（英文）

2024/2025

EuropeanBusinessinChinaPositionPaper欧盟企业在中国建议书

CybersecuritySub-workingGroup

RecentDevelopments

China’scybersecuritylandscapeisgovernedbytheCybersecurityLaw(CSL),1&2theDataSecurityLaw(DSL),3thePersonalInformationProtectionLaw,4theCryptographyLaw5andnumerousimplementingregulations,whichhaveresultedinrapidlyevolvingregulatoryrequirementsforcybersecurity.

AccordingtotheStateCouncil’s2024LegislativeWorkPlan,theCSLisunderrevision,6withafocusonincreasingadministrativepenaltiesaccordingtoareviseddraftpublishedin2022.7Atthesametime,the

RegulationsonNetworkDataSecurityManagementarecurrentlybeingdrafted.TheRegulationswillofferanofficialdefinitionfortheoften-citedterm‘importantdata’.

TheNationalTechnicalCommittee260onCybersecurityofStandardizationAdministrationofChina(TC260)hasreleasedandisworkingonanumberofrecommendednationalstandardsasimportantreferencesforrollingoutcyberanddatasecurityrequirements.TheseincludebutarenotlimitedtoGB/T43697-2024DataSecurityTechnology—RulesforDataClassificationandGrading,8whichwasappendedwiththeGuidelinesfortheIdentificationofImportantData;InformationSecurityTechnology—SecurityRequirements

1TheCybersecurityLaw,CyberspaceAdministrationofChina,7thNovember2016,viewed29thMay2024,<

/2016-11/07/c_1119867116.htm

>

2On14thSeptember2022,theCACreleasedtheDecisiononAmendingtheCybersecurityLawofthePeople’sRepublicofChina(DraftforComments),whichproposestheimpositionofmorestringentlegalliabilitiesforcertainviolationsoftheCSL.

3TheDataSecurityLaw,NationalPeople’sCongress,10thJune2021,viewed29thMay2024,<

/npc/c2/c30834/202106/t20210610_311888.

html

>

4ThePersonalInformationProtectionLaw,StateCouncil,20thAugust2021,viewed29thMay2024,<

/xinwen/2021-08/20/content_5632486.htm

>

5TheCryptographyLaw,StateCryptographyAssociation,4thJune2023,viewed29thMay2024,<

/sca/xxgk/2023-06/04/content_1057225.

shtml

>

6LegislativeWorkPlanoftheStandingCommitteeoftheNationalPeople'sCongressfortheYear2024,NationalPeople'sCongress,8thMay2024,viewed20thMay2024,<

/c2/c30834/202405/t20240508_436982.html

>

7DecisiononAmendingtheCybersecurityLawofthePeople’sRepublicofChina(DraftforComments),CyberspaceAdministrationofChina,14thSeptember2022,viewed8thMay2024,<

/2022-09/14/c_1664781649609823.

htm

>

8DataSecurityTechnology-RulesforDataClassificationandGrading,TheNationalTechnicalCommittee260onCybersecurityofStandardisationAdministrationofChina,15thMarch2024,viewed20thMay2024,<

/gb/search/

gbDetailed?id=14156507D2210337E06397BE0A0AE656

>

forProcessingofImportantData(DraftforPublicComments);9andInformationSecurityTechnology—SecurityRequirementsforProcessingofSensitivePersonalInformation(DraftforPublicComments).10Thesub-workinggroupalsolooksforwardtothestandardondataanonymisation,assuggestedinTC260’s2024workplan.11

AnotherregulatorydevelopmentwasthereleaseofthedraftMeasuresontheAdministrationofCybersecurityIncidentNotificationbytheCyberspaceAdministrationofChina(CAC)forpubliccommentson8thDecember2023.12Thedraftmeasuressetoutspecificnotificationtimelinesandotherrequirementswithrespectto

SectionFour:Services

cybersecurityincidents.Notably,cybersecurityincidentsaredividedinto‘extremelysignificant’,‘significant’,‘relativelysignificant’and‘general’,withthefirstthreetypesneedingtobereportedtotheregulatorswithinonehouroftheiroccurrence.On15thDecember2023,theMinistryofIndustryandInformationTechnology(MIIT)releasedtheEmergencyResponsePlanforDataSecurityIncidentsintheFieldsofIndustryandInformationTechnology(Trial)(Draftforcomments).13ItispresentlyunclearhowtheMIIT’sdraftplanandtheCAC’sdraftmeasureswillinteractwitheachother,especiallyinareastheyoverlap,suchasregulatoryreporting,incidentclassificationcriteriaandpenaltiesfornon-compliance.Tosomeextent,MIIT’sdraftplanandCAC’sdraftmeasuresunavoidablyoverlapregardingthegoverningofincidentreporting,especiallyintherealmsofpurpose,legislativebasisandscope.Someof

9InformationSecurityTechnology-SecurityRequirementsforProcessingofImportantData(Draftforpubliccomments),TheNationalTechnicalCommittee

260onCybersecurityofStandardizationAdministrationofChina,25thAugust2023,viewed7thMay2024,<

/front/postDetail.

html?id=20230830131050

>

10InformationSecurityTechnology—SecurityRequirementsforProcessingofSensitivePersonalInformation(DraftforPublicComments）,TheNationalTechnicalCommittee260onCybersecurityofStandardisationAdministrationofChina,9thAugust2023,viewed3rdJuly2024,<

/front/

postDetail.html?id=20230809175241

>

11NoticeontheIssuanceofthe2024WorkPointsoftheNationalCybersecurityStandardisationTechnicalCommittee,NationalInformationSecurityStandardisationTechnicalCommittee,8thApril2024,viewed20thMay2024,<

.

cn/front/postDetail.html?id=20240408133953

>

12MeasuresontheAdministrationofCybersecurityIncidentReporting(DraftforComments),CyberspaceAdministrationofChina,8thDecember2023,viewed7thMay2024,<

/2023-12/08/c_1703609634347501.htm

>

13PubliclySolicitingOpinionsontheEmergencyResponsePlanforDataSecurityIncidentsintheFieldsofIndustryandInformationTechnology(Trial)(Draftforcomments),MIIT,15thDecember2023,viewed3rdJuly2024,<

.

cn/gzcy/yjzj/art/2023/art_7c903aac87514e26b2dbbc42f5e60347.html

>

CybersecuritySub-workingGroup341

SectionFour:Services

Europeanchamber中国欧盟商会

thearticlesalsopresentinconsistencies,suchasrolesandresponsibilities.

Inaddition,on3rdAugust2023,theCACissuedthe

AdministrativeMeasuresforComplianceAuditofPersonalInformationProtection(DraftforComment),whichspecifiedthatpersonalinformationhandlersthathandlethepersonalinformationofmorethanonemillionpeoplemustconductapersonalinformationprotectioncomplianceauditatleastonceayear.Otherpersonalinformationprocessorsmustconductapersonalinformationprotectioncomplianceauditatleastonceeverytwoyears.14

Cross-borderDataTransfer(CBDT)

China’sCBDTmechanismiscomprisedofthreedifferenttransferchannels,includingtheCAC-ledsecurityassessment,thestandardcontractfilingandthepersonalinformationprotectioncertification.On22ndMarch2024,theCACreleasedthemuch-awaited

ProvisionsonPromotingandRegulatingCross-borderDataFlows(CBDTProvisions),15withimmediateeffect.TheCBDTProvisionsalleviatedthecomplianceburdenassociatedwithCBDTs,albeitstillleavingafewambiguitiesandchallengestoclarifyandaddress,andwillprevailoverexistingCBDTrulesorguidelinesgoverningthesecurityassessment,standardcontractandcertification,incaseofanydiscrepancies.

Atthesametime,theVersion2.0GuidelinesforSecurityAssessmentandtheVersion2.0ofGuidelinesforstandardcontractfilingwerereleased,whichfurtherstreamlinedrequirementsforthesecurityassessmentandthestandardcontractfiling.16

Sectoralandlocalcyberanddatasecurityrules

Overthepastyear,draftandfinalisedsectoralcyberanddatasecurityruleshavebeenreleasedforindustryandinformationtechnology(IT),financialservices,transportation,andmailinganddelivery,tonameafew.Thesub-workinggroupnotesbothtightened,oratleastmorecomprehensive,regulatory

14NoticeoftheCAConthePublicConsultationontheAdministrativeMeasuresforComplianceAuditofPersonalInformationProtection(DraftforComments),

CyberspaceAdministrationofChina,3rdAugust2023,viewed3rdJuly2024,<

/2023-08/03/c_1692628348448092.htm

>

15ProvisionsonPromotingandRegulatingCross-borderDataFlows,CyberspaceAdministrationofChina,22ndMarch2024,viewed8thMay2024,<

https://www.cac.

/2024-03/22/c_1712776611775634.htm

>

16Version2.0ofGuidelinesforSecurityAssessmentandVersion2.0ofGuidelinesforStandardContractFiling,CyberspaceAdministrationofChina,22ndMarch2024,viewed8thMay2024,<

/2024-03/22/c_1712783131692707.

htm

>

342CybersecuritySub-workingGroup

requirements,andsomepositivedevelopmentsthataddtoregulatorycertainty.

Forexample,theMIIT’sdraftAdministrativePenaltyGuidelinesforDataSecurityintheIndustrialandInformationTechnologyFields(TrialImplementation)17putsforwardclearersubstantiverequirementsforcompliance,andstatesthatunintentionalviolationswillnotbepunished,andthatonlyaone-timepunishmentshouldbeimposedforthesameoffence.Atthesametime,certainsectoralimportantdataidentificationguidelinesremainquiteambiguousandrestrictive,asdescribedinKeyRecommendation2ofthispaper.

LocalitieshavebeenempoweredtodeveloptheirownrulesondataclassificationandgradingpertheDSL,andpilotfreetradezoneshavebeenpermittedbytheCBDTProvisionsandtheStateCounciltoformulatepositiveandnegativelistsforCBDTs.Thishasresultedinamultitudeoflocalregulatorydevelopmentstakingplaceatthetimeofwriting,suchasinBeijing,Tianjin,Shanghai,HainanandtheGreaterBayArea.

Conformityassessment

Article23oftheCSLdefined“criticalnetworkequipment”and“specialisedcybersecurityproducts”,withproductsfallingunderthesetwocategoriesthataresubsequentlylistedinadedicatedcataloguebeingsubjecttomandatorycertification.ThecataloguewasinitiallyreleasedbytheCACandseveralothergovernmentagenciesin2017,andupdatedinJuly2023.Comparedwiththepreviousversion,thelatestcataloguesignificantlyexpandedthescopeofspecialisedcybersecurityproductsfrom11to34,coveringsecurestorage,securitymanagement,trafficcontrol,loadbalanceandloganalysis,amongmanyothers.18Whilethepreviouscataloguedefinedtheaffectedproductcategoriesbyperformance,theupdatedcataloguecontainsnoreferencestotechnicalparameters,sothatbothhigh-endandlow-endproductsarecovered.

On26thDecember2023,theMinistryofFinance(MOF)andtheMIITjointlyreleasedstandardsdefiningalonglistofgovernmentprocurement

17AdministrativePenaltyGuidelinesforDataSecurityintheIndustrialandInformationTechnologyFields(TrialImplementation),MinistryofIndustryandInformationTechnology,23rdNovember2023,viewed18thMay2024,<

/

jgsj/waj/wjfb/art/2023/art_e14338d7b2684c79bec7931b75336520.html

>

18CatalogueofCriticalNetworkEquipmentandSpecialisedCybersecurityProducts,CyberspaceAdministrationofChina,3rdJuly2023,viewed8thMay2024,<

http://

/2023-07/03/c_1690034742530280.htm

>

requirementsforseventypesofbasichardwareandsoftwareproducts,includingoperatingsystems,databases,generalservers,workstations,all-in-onePCs,portablecomputers,anddesktopcomputers.19CriticalcomponentssuchasCentralProcessingUnits(CPUs)andoperationsystemsneedtopassanewlyestablishedsecurityandreliabilityevaluationperformedbytheChinaInformationTechnologySecurityEvaluationCentre,largelybuiltuponactivitiesrelatingtoInformationTechnologyApplicationInnovation(alsoknownas‘Xinchuang’).Atthetimeofwriting,twobatchesofproductshavepassedtheevaluation,withanumberofdomesticCPUs,operatingsystemsandcentraliseddatabaseslisted.20Additionally,on20thMarch2024,theChinaNationalInformationTechnologyStandardizationTechnicalCommittee(TC28)releasedabatchofstandardsforpublicreviewonproductsthatneedtobesecureandreliable.21

Emergingtechnologies

Therehavebeenanumberofrecentregulatorydevelopmentsaimedatkeepingpacewiththerapidevolutionofemergingtechnologies.On10thJuly2023,intheabsenceofanoverarchingAILaw,ChinareleasedthefinalversionoftheTrialMeasuresfortheAdministrationofGenerativeArtificialIntelligence(AI)Services,effectiveasof15thAugust2023.22Thesemeasuresimposeanumberofcomplianceobligationsongenerativeserviceproviders,includingtheneedtosubmitsecurityassessments,completealgorithmfilingsandensurethetrainingdata’sveracity,accuracy,objectivityanddiversity.On7thSeptember2023,the

TrialMeasuresfortheEthicalReviewofScienceandTechnologyActivitieswerereleasedbyChina’sMinistryofScienceandTechnology(MOST)andothergovernmentdepartments,23requiringentitiesengagedinAIamongotherscienceandtechnologyactivitieswhoseresearchinvolvesethicallysensitiveareastosetupascientificandtechnologicalethicsreviewcommittee.

19RulesandRegulations,MOF&MIIT,26thDecember2023,viewed8thMay2024,<

/guizhangzhidu/

>

20ChinaInformationTechnologySecurityEvaluationCentre,viewed8thMay2024,<

/aqkkcp/cpgg/

>

21NoticeonSolicitingOpinionson9IndustryStandards,ChinaNationalInformationTechnologyStandardizationNetwork,20thMarch2024,viewed3rdJuly2024,<

/s/fY8sL2C8-l2rK9RzzQhc6A

>

22TrialMeasuresfortheAdministrationofGenerativeArtificialIntelligenceServices,CyberspaceAdministrationofChina,10thJuly2023,viewed8thMay2024,<

https://

/2023-07/13/c_1690898327029107.htm

>

23CircularontheIssuanceoftheTrialMeasuresforEthicalReviewofScienceandTechnologyActivities,MinistryofScienceandTechnology,7thSeptember2023,viewed8thMay2024,<

/xxgk/xinxifenlei/fdzdgknr/fgzc/

gfxwj/gfxwj2023/202310/t20231008_188309.html

>

2024/2025

EuropeanBusinessinChinaPositionPaper欧盟企业在中国建议书

KeyRecommendations

1.EnsurethatChineseCybersecurity

LegislationDoesNotCreateDiscriminatoryMarketAccessBarriers

Concern

Notwithstandingsomerecentpositivedevelopmentstoeaseregulatoryrequirements,certaincybersecurityschemesmayleadtothecreationofabusinessenvironmentthatisdiscriminatorytowardsinternationalbusinesses,inwhichtheyarerestrictedorevenprohibitedfromprovidingproductsandservicestosegmentsoftheChinesemarket.

Assessment

CertainrequirementsunderChinesesecuritylegislationmaypresentdefactomarketaccessbarriersforinternationalbusinesses.

a)ForeigninvestmentsecurityreviewsinITandinternetservices

Theforeigninvestmentsecurityreviewhasbeeninforcesince18thJanuary2021,followingthereleaseoftheForeignInvestmentSecurityReviewMeasuresbytheNationalDevelopmentandReformCommissionandtheMinistryofCommerce.24Thesecurityreviewrequiresforeigninvestorstopassrelevantreviewswheninvestingin“importantITandinternetproductsandservices,keytechnologiesandotherimportantfieldsdeemedasbeingrelatedtonationalsecurity”.However,thescoperemainsunclear,possiblyleadingtodiscretionaryenforcementofregulations.Thisuncertaintyincreasestheburdenonforeigninvestors,astheymustconductanassessmentandconsultwithregulatoryauthoritiesinadvancetoidentifyiftheywillbeliableforasecurityreview.Theconsultationprocessmayinvolvethedisclosureoftransactionsandotherdocuments,whichcouldpotentiallyexposeforeigninvestorstotheriskofconfidentialdatabeingrevealed.

b)ClassifiedCybersecurityProtectionSystem(CCPS)

TheCCPSclassifiesnetworksintofiveascendingprotectionlevelsbasedontheirsensitivitytoindividuals’rightsandinterests,aswellasgeneralpublicandnationalsecurity,andspecifiesthecorrespondingsecuritysafeguardsforeachlevel.Thesystemisbased

24ForeignInvestmentSecurityReviewMeasures,MinistryofCommerce,19thDecember2020,viewed7thMay2024,<

/zfxxgk/article/

xxyxgz/202112/20211203230801.shtml

>

CybersecuritySub-workingGroup343

SectionFour:Services

SectionFour:Services

Europeanchamber中国欧盟商会

onadraftCCPSRegulationreleasedbytheMinistryofPublicSecurity(MPS)inJune2018,25aswellasseveralalreadyeffectivestandards.

Inadditiontobeingburdensome,theCCPSisincreasinglybeingleveragedtoadvancerestrictionsoninformationandcommunicationstechnology(ICT)productsandservices,byexpandingthescopeofapplicationofsecurityrequirementsthatfavourspecifictechnologyroadmaps.Forexample,itrequiresnetworksleveltwoandabovetousecryptographytechnology,productsandservicesaccreditedbytheStateCryptographyAdministration,andthatnetworksabovelevelthreeundergosecurityassessmentforcommercialcryptographyapplications.Suchaccreditationandassessmentprocessesfavourdomestictechnology,andhavelongremainedanobstacleformanymultinationalcorporations(MNCs)inChina.AstheserequirementsgobeyondtheCryptographyLaw,itisofparamountimportancethattheyarenotreintroducedintootherstateandlocalprovisions.

c)CyberSecurityReviewMeasures(CSRM)

TheCSRMmandatethatCriticalInformationInfrastructure(CII)operatorsmustproactivelyapplyforanon-transparentcybersecurityreviewwhentheirpurchasesofnetworkproductsandservicesaffectormayaffectnationalsecurity.TheCSRMincludesbroadlydefinedtriggers,includingsupplychain,political,diplomaticandtradefactors.26Thesenon-technicalfactors,aswellasthereview’slengthyprocessesandlackoftransparency,posemarketaccessrestrictionsforMNCswhosupplytoCIIoperators.Furthermore,suppliersmaybeputatriskofdataexposurethroughtheneedtodiscloseconfidentialinformationandtradesecrets,sincedisclosureoftransactionsandotherdocumentsmayberequired.

d)CryptographyLaw

AmbiguitiesinboththeCryptographyLawanditsimplementingregulationshavegivenrisetorequirementsthatareincompatiblewithwell-establishedinternationalprinciples,whichcallforgovernmentstoavoidrestrictiveorburdensomelicensing,certificationandotherobligationsthatlimitordelaytheimport,trade

25RegulationonClassifiedCybersecurityProtection(DraftforComments),MinistryofPublicSecurity,27thJune2018,viewed7thMay2024,<

/

n2254536/n4904355/c6159136/content.html

>

26CybersecurityReviewMeasures,CyberspaceAdministrationofChina,28thDecember2021,viewed7thMay2024,<

/2022-01/04/

c_1642894602182845.htm

>

344CybersecuritySub-workingGroup

andexportofmass-marketedICTproductstowhichcommercialcryptographyisubiquitous.27&28

Toavoidunnecessarymarketaccessbarriers,itisimportantthatthevariousregulatorymechanismsthelawseekstoestablishremaintransparentandnarrowinscope.Thisincludesensuringthatcommercialproductswithcryptographyasasecondaryfeaturearenotsubjecttocertificationandimportandexportrestrictions;thattermssuchas‘nationalsecurity’,‘nationaleconomyandpeople’slivelihood’,and‘publicinterests’arenotinterpretedextensively;thatthecategoryofmassconsumerproductsexemptedfromimportandexportrestrictionsisbroadlydefined;thatvoluntarycertificationisnotenforcedasadefactomandataryrequirement;thatrequirementsapplicableonlytoCIIandpartyandgovernmentorgansarenotexpandedtonetworksabovelevelthree;andthattheadoptionofinternationalstandards,protectionofsensitiveintellectualproperty(IP)andmutualrecognitionforcertificationandattestationarealltakenintoconsideration.

e)DatalocalisationandCBDT

Whilethesub-workinggroupcommendstherelaxationintheCBDTProvisions,inthenearterm,someforeigncompaniesinstrategicanddata-drivensectorsmaystillfinditdifficulttomoveforwardwithdecisionstobringinnovativeproductsandservicestotheChinamarketasaresultofcertainremainingrestrictionsoruncertaintiesassociatedwithboththesecurityassessmentandthedefinitionof‘importantdata’,thelatteroftenhavingaclosebusinesscorrelation.Thesub-workinggroupthereforerecommendsthatthesectoralregulatorsclearlyandnarrowlydefinethescopeofimportantdataassoonaspossible,especiallybynotcapturingtheproduction,R&DandsupplychaindataofMNCsingeneral,whileallowingCBDTswithsufficientbusinessnecessitytobeapprovedprovidedthatrelevantsecuritysafeguardsareinplace.Inlightoftheoveralltrendofpromotingcross-borderdataflows,thesub-workinggroupwouldalsoliketounderlinetheimportanceofensuringequaltreatmentinbiddingprocesses,insteadofconsideringMNCstobeinherentlylesssecure,

27JointStatementofthe17thMeetingoftheWorldSemiconductorCouncil,WorldSemiconductorCouncil,23rdMay2013,viewed7thMay2024,<

http://www.

/wp-content/uploads/2016/07/May_2013_WSC_-_

GAMS_version_Joint_Statement_of_the_17th_Meeting_of_the_WSC_Final_23_

M-1.pdf

>

28Formoredetailsoncryptography-relatedmarketaccessissues,pleaserefertoKeyRecommendation3oftheInformationandCommunicationTechnologyWorkingGroupPositionPaper2024/2025.

becausetheyhavetotransferdataacrossborders.

f)ConformityAssessment

Withregardtothecriticalnetworkequipmentandspecialisedcybersecurityproductstestingandcertificationprogramme,theoverlyextensivemandataryproductcertificationrequirementsresultingfromtheexpandedscopeof‘specialisedcybersecurityproducts’—asoutlinedintheRecentDevelopmentssection—couldcreatesignificantandunnecessaryeconomicburdensfortheindustry,delayproductdeliveryandcreateunduemarketaccessbarriers.Itisthusimportantfortheregulatorstoavoidunnecessarymandatoryproductcertification,andtofullyalignwiththeindustryinadoptingnewproductcategoriessubjecttosuchcertification,ensuringthateverynewadditionisfullycommunicatedandpublicallyreviewedbeforetheeventualrelease.

Atthesametime,thesub-workinggroupismonitoringprogressandimpactsrelatingtothesecurityandreliabilityevaluationandtheinformationtechnologyapplicationinnovation,especiallyasthelatterisreportedlybeingexpandedtobroaderindustries.

Recommendations

•Define‘nationalsecurity’asnarrowlyaspossibleand

differentiateitfrom‘commercialsecurity’inaclearmanner.

•NarrowthescopeofindustriessubjecttoforeigninvestmentsecurityreviewandscenariossubjecttotheCSRM.

•RefrainfromimposingunduerestrictionsontheuseofICTproductsandservicesinlevelthreenetworksundertheCCPS.

•Limittheapplicabilityandinfluenceofnon-bindingcybersecurityregimes,insuchamannerthattheydonotgobeyondbindinglegislation.

•Minimisethescopeofmandataryproductcertificationonlytowhatisabsolutelynecessary,toreducemarketaccessbarriers.

•Promotemutualrecognition,adoptionandrelianceuponapplicableinternationalstandardsandglobalindustrybestpractices.

•EnsurethatMNCs’intellectualpropertyandtradesecretsareprotected.

2024/2025

EuropeanBusinessinChinaPositionPaper欧盟企业在中国建议书

2.ContinuetoOptimiseChina’sCyberand

DataSecurityPoliciestoEnsuretheyFacilitateIndustry,ForeignInvestmentandGlobalExchanges

Concern

Continuedoptimisationofcyberanddatasecurityschemesisneededtohelpfurtherminimiseuncertaintyandoperationalchallengesforinternationalcompanies.

Assessment

Dataregulations

Atthebeginningof2024,theChineseGovernmentmadehigh-levelpledgestosupportdataflowsbetweenforeign-investedenterprisesandtheirheadquartersinordertobetterattractforeigninvestment.29Thesub-workinggroupispleasedtonotethatthesubsequentreleaseoftheCBDTProvisionsbytheCAC,30incorporatedorpartiallyincorporatedmanyindustrycommentssubmittedbytheEuropeanChamber.Asaresult,anumberofcompanieshavebeen‘downgraded’tostandardcontractorexemptfromtheCBDTchannelsaltogether;andthosestillneedingtoapplyforsecurityassessmentgenerallyenjoyasmootherprocess.

NotablepositivechangesintheCBDTProvisionsincludebutarenotlimitedto:theexemptionofcertainfrequent,low-volumeandnecessaryCBDTtransfers;loweredvolumetriggersfortheCBDTsecurityassessment,standardcontractandpersonalinformationprotectioncertification;greaterflexibilityfordatahandlerstoassessthenecessityoftheirtransfersthemselves;streamlineddocumentationrequirementsandapplicationprocesses;andtheclarificationthatthesecurityassessmentofimportantdataisonlywarrantedwhenthedatahavebeencategorisedorpubliclyannouncedbytherelevantauthoritiesorregionsasimportantdata.

Atthesametime,thesub-workinggroupnotesanumberofremainingissuesincluding:31

29ActionPlanonSteadilyPromotingHigh-levelOpeningupandMakingGreaterEffortstoAttractandUtiliseForeignInvestment,StateCouncil,19thMarch2024,viewed4thMay2024,<

/zhengce/content/202403/

content_6940154.htm

>

30ProvisionsonPromotingandRegulatingCross-borderDataFlows,CyberspaceAdministrationofChina,22ndMarch2024,viewed4thMay2024,<

https://www.cac.

/2024-03/22/c_1712776611775634.htm

>

31Zhuo,X,andMa,J,LiuLiehong:Chinatocontinueiteratingcross-borderdatatransferregulations,andestablishingcooperationmechanismswithmajoreconomicandtradepartners,DigitalProductivity,25thMarch2024,viewed4thMay2024,<https://m.21

/article/20240325/herald/b719db4610f7ad370ec04fbf2

e5ce002.html

>

CybersecuritySub-workingGroup345

SectionFour:Services

SectionFour:Services

Europeanchamber中国欧盟商会

•Anyoutboundtransferofsensitivepersonalinformationofpersonalinformationsubjectsrequirestandardcontractfilingorasecurityassessment,regardlessofthevolumeconcerned,aslongasthetransferscenarioisnotexempted.Consideringthebroadscopeof‘sensitivepersonalinformation’,the

likelihoodoftriggeringstandardcontractfiling,orevenasecurityassessment,remainshighincertaininstances.

•Non-restrictiveinterpretationoftheexemptions,especiallythatof“cross-borderhumanresourcesmanagementinaccordancewithlawfulemp