Author: Casper Sek
Original title: Data Protection in 2023: Towards a More Pragmatic Regulatory Framework and Establishment of a Data Element Market
This article was first published by China Law & Practice on February 8, 2024, at www.chinalawandpractice.com.[1]
The year 2023 marked a pivotal period of transformation within China’s digital economy and data protection sphere. The year was characterized not only by more pragmatic adjustments to the regulatory framework by China’s data regulatory authorities but also by their proactive response to the challenges posed by new technologies. 2023 was also a significant year for the construction and development of China’s data element market system.
1. Enhanced and Pragmatic Adjustments to the Regulatory Framework for Overseas Data Transfer
With the Measures on Standard Contract for Overseas Transfer of Personal Information (个人信息出境标准合同办法) coming into effect on June 1, 2023, a comprehensive overseas data transfer framework began operating fully. The framework is based on the mechanisms of government-organized security assessment, a standard contract for overseas transfer of personal information, and certification for overseas transfer of personal information.
The security assessment mechanism that started in September 2022 saw its first batch of successful cases by January 2023, with numerous multinational and domestic enterprises across various industries, including healthcare, finance, manufacturing, e-commerce and retail, gaining clearances for their application for security assessment of overseas data transfer. Regulatory bodies, led by the Cyberspace Administration of China (CAC), have accumulated experience and accelerated the assessment process, resulting in an increasing number of approved cases in the latter half of 2023.
By the end of June 2023, the Cyberspace Administration of Beijing announced the country’s first case completing the record-filing process of the standard contract. Subsequently, the cyberspace administrations of other provinces and cities handled a substantial number of personal information standard contract record filings. The standard contract mechanism became the primary legal basis for small and medium-sized companies to transfer personal information overseas. The scrutiny level of record-filing has shifted from comprehensive substantive review to a hybrid approach focusing on core elements. Consequently, it has become easier for companies to get approval for their standard contracts, and the corresponding protection impact assessment reports.
In December 2023, the Institute of Technology Research at Macau University of Science and Technology obtained the country's first “Personal Information Protection Certification” issued by the China Cybersecurity Review, Certification and Market Regulation Big Data Center. This event was seen as representing a real grounding for the certification of overseas transfer of personal information, signifying that the overseas data transfer mechanisms established by the Cybersecurity Law, Data Security Law, and Personal Information Protection Law had fully entered the implementation phase.
Simultaneously, in the face of businesses’ increasing demand for data transfer, China’s regulatory bodies explored more pragmatic regulatory adjustments to reduce compliance burdens while ensuring national security and promoting the orderly flow of data. Among the most significant adjustments was the Provisions for Regulating and Promoting the Cross-Border Flow of Data (Draft for Comments) (规范和促进数据跨境流动规定(征求意见稿)), released by the CAC on September 28, 2023. If implemented, these measures would significantly ease the obligations related to ordinary cross-border flow of data and concentrate regulatory focus on key cross-border scenarios involving important data and export of large-scale personal information, thereby balancing national security with promotion of data flow.
Then, on December 10, the CAC and the Innovation, Technology and Industry Bureau of Hong Kong jointly released the Guidelines for Implementing the Standard Contract for the Cross-Boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland and Hong Kong) (粤港澳大湾区(内地、香港)个人信息跨境流动标准合同实施指引). This document provides a more streamlined mechanism for cross-border data transfer within the region, representing an innovative approach to the regulation of overseas data transfer on a regional level.
2. Implementation and Public Consultation of Data Protection Rules and Standards in Specific Areas
Throughout 2023, a series of data protection rules and standards, including drafts for public comment, were progressively implemented or published for public consultation. These rules and standards, pertinent to specific protected subjects and sectors, were designed to complement general data protection laws, thereby forming a complete data protection framework. This includes the Regulations on the Protection of Minors on the Internet (未成年人网络保护条例) aimed at securing the personal information of minors. Additionally, national standards such as the Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (信息安全技术 个人信息处理中告知和同意的实施指南) were published to explicitly regulate the notification and consent requirements in personal information processing. In the realm of sensitive personal information protection, the National Information Security Standardization Committee released the Information Security Technology - Security Requirements for the Processing of Sensitive Personal Information (Draft for Comment) (信息安全技术 敏感个人信息处理安全要求(征求意见稿)) for public consultation. Moreover, the CAC specifically addressed societal concerns about facial recognition technology by issuing the Security Management Regulations for Facial Recognition Technology Application (Trial) (Draft for Comment) (人脸识别技术应用安全管理规定(试行)(征求意见稿)).
From an industry perspective, the field of industry and information technology saw particular activity in data governance legislation. The Data Security Management Measures in the Field of Industry and Information Technology (Trial) (《工业和信息化领域数据安全管理办法(试行)》) officially took effect on January 1, 2023. Building on this, the Ministry of Industry and Information Technology successively published the Data Security Risk Assessment Implementation Details in the Field of Industry and Information Technology (Trial) (Draft for Comment) (工业和信息化领域数据安全风险评估实施细则(试行)(征求意见稿)) and the Data Security Administrative Penalty Discretion Guidelines in the Field of Industry and Information Technology (Trial) (Draft for Comment) (工业和信息化领域数据安全行政处罚裁量指引(试行)(征求意见稿)). These documents aim to establish clear rules for data protection, safety assessments and administrative enforcement within this industry.
Meanwhile, in the financial sector, the Ministry of Finance, in collaboration with the CAC, released the Interim Measures for Data Security Management for Accounting Firms (Draft for Comment) (会计师事务所数据安全管理暂行办法(征求意见稿)) on November 16, 2023. These measures specifically target data processing activities conducted by accounting firms. Finally, the People’s Bank of China issued the Data Security Management Measures in the Business Domain of the People's Bank of China (Draft for Comment) (中国人民银行业务领域数据安全管理办法(征求意见稿)) on July 24, 2023, intending to set compliance baselines for data security in the central bank’s related business areas.
3. Broadening the Scope and Depth of Data Protection Enforcement
In February 2023, the CAC issued the Administrative Law Enforcement Procedure Regulations for Cyberspace Departments (网信部门行政执法程序规定), which came into effect on June 1 of the same year. These regulations provide detailed procedural rules for the enforcement of data protection laws by cyberspace departments, marking a significant shift towards a more regulated and institutionalized approach in data protection law enforcement. Correspondingly, throughout the remainder of 2023, China’s cyberspace administrations at different levels, and other law enforcement agencies including public security authorities, intensified their enforcement efforts in the realm of data protection.
The scope of enforcement covered a wide range of entities, including nationally operating state-owned enterprises such as CNKI, as well as grassroots government agencies. A significant number of local small and medium-sized enterprises, as well as some traditional offline service businesses, also faced penalties. These cases illustrate that the focus of data protection has extended far beyond the earlier confines of the IT, internet and telecommunications industries, now encompassing all scenarios involving data collection and processing activities. This expansion serves as a caution to traditional industry businesses that previously may not have prioritized data compliance. It signals the urgent need for these businesses to take action and address any gaps or deficiencies in their data compliance practices.
4. Construction and Development of the Data Element Market
Promoting data circulation and the development of the data element market has always been a key objective of the Chinese government in the data sector. In October 2023, the National Data Administration was officially unveiled. This agency has undertaken significant responsibilities for promoting the construction of “Digital China”, coordinating the establishment of foundational data systems and facilitating the integration, sharing, and utilization of data resources. Unlike the CAC, which primarily oversees data security, the new National Data Administration focuses more on promoting the construction of basic data-related systems, such as the mechanism to determine data ownership, setting rules for data transactions, and developing and utilizing public data. On the last day of 2023, the National Data Administration, in collaboration with other ministries, released the Data Element × Three-Year Action Plan (2024–2026) (“数据要素×”三年行动计划(2024—2026年)). This document proposes the application of data in 12 industries and fields, including industrial manufacturing, based on optimizing the data circulation environment and strengthening data security.
Another significant initiative in the construction of the data element market is the promotion of accounting rules for data assets. On August 21, 2023, the Ministry of Finance issued the Interim Regulations on Accounting Treatment Related to Enterprise Data Resources (企业数据资源相关会计处理暂行规定), which clarifies the scope, criteria, and disclosure requirements for data as an asset in financial statements, emphasizing the importance of information disclosure.
In addition to these national policies and regulations, various provinces and cities in China also formulated and issued their own local regulations and rules related to data governance in 2023. The areas covered included the opening and use of public data, rules for data transactions, and comprehensive data governance norms. These regulations provide a foundation and impetus for the construction and development of the data element market.
5. Proactively Addressing Data Security Challenges in the Emerging Field of Artificial Intelligence
2023 marked a year of rapid advancement in the application of artificial intelligence (AI) technology. In response to the compliance challenges posed by emerging technologies and business models, the Chinese regulatory authorities adopted a strategy of rapid response. The Tentative Measures for the Administration of Generative Artificial Intelligence Services (生成式人工智能服务管理暂行办法), issued jointly by the CAC and other ministries, is regarded as the world’s first governmental rule directly governing generative AI services. Implemented from August 15, 2023, it includes specific norms for the processing of training data by generative AI service providers, the requirements on the training data, and the protection of personal information involved in training data. It also covers the protection of users’ input information and usage records.
Another AI-related regulation, the Measures for Scientific Ethics Review (Trial) (科技伦理审查办法(试行)), was released by the Ministry of Science and Technology and other ministries in September 2023. According to these measures, institutions involved in the research and operation of AIGC technology are required to establish a scientific ethics review committee and fulfill related compliance obligations. The obligations particularly emphasize the review of data processing activities, the compliance of developing new data technologies, and the monitoring and emergency response to data security risks in scientific activities involving data and algorithms.
Notes
[1] This article was first published by China Law & Practice at https://www.chinalawandpractice.com/2024/02/08/data-protection-in-2023-towards-a-more-pragmatic-regulatory-framework-and-establishment-of-a-data-element-market/
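About the Author
Shi Taige (石钛戈) graduated from Beijing Normal University, the University of International Business and Economics, and the University of Wisconsin-Madison, earning a Bachelor of Laws degree and two Master of Laws degrees.
In 2022, Mr. Shi joined Jingtian & Gongcheng and, with the firm's approval, became a partner.
Mr. Shi's main practice areas include cybersecurity and data compliance, investment and M&A, private equity and venture capital, and foreign direct investment. In 2021 he was listed by the legal rating agency LEGALBAND in its ranking of China's top lawyers (cybersecurity and data compliance); in 2020 LEGALBAND named him among the top 15 Chinese lawyers in the field of cybersecurity and data protection.
Mr. Shi was among the earlier lawyers in China to provide legal services in the emerging field of cloud computing, and he has extensive experience in network and data security and compliance: he has handled a large number of difficult legal issues involving cybersecurity and privacy protection, such as the coordination of data protection across jurisdictions and regulatory compliance for IT outsourcing by financial-enterprise clients. Mr. Shi has also continuously provided legal services for the launch in China of cloud computing products of several well-known foreign-invested IT companies. On the basis of a thorough understanding of the relevant products' features, how the services are delivered, and the data collection, transmission and flow patterns involved, he has led his team in providing clients with detailed analysis and advice on issues such as the legal compliance of the products and the adequacy of their cybersecurity and data protection. Mr. Shi has also provided legal support to a number of companies engaged in internet and value-added telecommunications businesses on compliance matters including data security, personal information protection, security assessment of data transfers, cybersecurity review, graded network protection evaluation compliance, and protection of critical information infrastructure, across industries including e-commerce, supercomputing, AI medical applications, drug research and development, biotechnology, internet audiovisual broadcasting, internet advertising, internet publishing, gaming and e-sports, and luxury goods.
As project lead, Mr. Shi also provides clients in industries such as TMT, internet, biopharmaceuticals, industrial parks, pharmaceutical R&D, energy and education with full-process legal services in investment and M&A transactions, from due diligence, transaction structure design, and contract drafting and negotiation through to closing.
Mr. Shi qualified as a practising lawyer in the People's Republic of China in 2007 and was admitted to practise law in the State of New York, USA, in 2012.
Mr. Shi's working languages are Chinese and English.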