Enterprise Resource Planning Blog Posts by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Getting to know about the Cross-Border Data Transfer (CBDT) Requirements in China

TeresaTD
Product and Topic Expert
Product and Topic Expert
‎2024 Oct 18 4:26 PM
2,109

In Brief

Cross-Border Data Transfer (CBDT) requirements in China can be complex and challenging to navigate. This blog aims to provide businesses with a starter-kit to understand the legal framework and implications of CBDT in China with following structure:

  1. Introduction and Background of CBDT
  2. Understanding CBDT in China
  3. Navigate the Complexities of CBDT
  4. SAP's Support and Recommendations

 

1. Introduction and Background of CBDT

Legislation trend and framework of relevant Laws

The Chinese government accords high priority to data security and the protection of personal information, having established a comprehensive suite of laws and regulations to govern cross-border data transfer.

The Cybersecurity Law of the People's Republic of China (CCSL), enacted in 2017, was the first in defining the protocols for cross-border data transfer, stipulating that operators of critical information infrastructure operators (CIIO)must store within the country's borders the personal information and important data collected and generated domestically. For instances requiring data provision overseas, a stringent security assessment is mandated.

In 2021, China introduced the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) of the People's Republic of China, further refining the legal framework for data protection. On September 1, 2022, the Measures for the Security Assessment of Data Export issued by the Cyberspace Administration of China (CAC) were officially implemented, providing specific procedures for the security assessment of data export.

On March 22, 2024, the Cyberspace Administration of China further issued the Provisions on Promoting and Regulating Cross-border Data Flow (“Provisions”), along with the second version of the Guideline on the Application for Security Assessment for Cross-border Data Transfer and the second version of the Guideline on the Registration of Standard Contracts for Cross-border Transfer of Personal Information, further clarifying the implementation details of the security assessments, standard contracts, and personal information protection certifications.

In the context of CBDT, the introduction of these laws and regulations aims to balance data flow and security, protect the rights and interests of personal information, and promote the orderly and free flow of data in accordance with the law. For enterprises, these regulations mean that when carrying out cross-border data transfer, they need to pay more attention to data security and compliance, conduct necessary security assessments, and take corresponding technical and management measures to ensure the security of data transmission.

Moreover, data localization has emerged as a critical consideration for enterprises. Data localization entails confining data storage and processing activities within mainland China to comply with local data protection regulatory requirements.

In summary, the legislative and regulatory trends regarding cross-border data transfers in China are becoming increasingly mature and explicit, necessitating that enterprises closely monitor changes in relevant laws and regulations and adopt corresponding compliance measures.

 

2. Understanding CBDT in China

2.1 What is CBDT?

What is China cross-border data transfer (CBDT)?

  • A data transfer occurs when personal information moves from an entity based in mainland China to another entity outside of mainland China. Mainland China excludes Hong Kong SAR, Taiwan and Macau SAR.

Examples:

  • A product or service is used in mainland China and personal information is transferred to a data center in the US due to modules deployed abroad.
  • A product or service is used in mainland China and a support team from Bangalore / India accesses personal information due to a support case.

2.2 What are the CBDT implications?

The regulations governing CBDT have been developed and expanded over the past few years through a series of legislative measures and regulatory frameworks. Among these regulations, the Personal Information Protection Law (PIPL) is a key component, imposing compliance requirements on companies that need to export a specific volume of data.

According to PIPL Art. 38, companies are required to undergo one of the following measures to legitimize their cross-border data transfer depending on the purpose, the volume and type of the data being exported, and certain thresholds met:

  1. CAC Security Assessment: (Sep 2022) Measures of CBDT Security Assessment.
  2. China SCC: (June 2023) Provisions on Standard Contractual Clauses for CBDT of Personal Information.
  3. CBDT Certification: (March 2023) Certification requirements for CBDT of Personal Information 2.0
  4. Meet other conditions set by the CAC or relevant laws and regulations. 

Under the recent published “Provisions”, certain exemptions have been now introduced meaning qualified CBDTs are exempted from having to undergo any one of the legitimizing measures:

Exemption: (March 2024): Exempt scenarios where applicable according to Facilitation Guidance.

If Personal Information and Important Data are entirely localized within China, and there is no Cross-Border Data Transfer (remote access, then data localization is effectively implemented. Consequently, there would be no action in the context of CBDT.

 

3. Navigate the Complexities of CBDT

There are different scenarios of CBDT to be reviewed case by case, depends on the circumstances like the purpose, data type, data volume, or method of data transfer abroad, or changes in data security protection policies and regulations in the country or region of the overseas recipient, etc.

What we ended up below is the CBDT mechanisms adoption tree that might help for self-assessment. In this adoption tree:

  • The measures are reflected as ending points in the rounded rectangle below.
  • And depending on data controller’s identity and the nature and volume of the transferred data, the data controllers should be able to navigate through step 1 to step 4 in order to identify the applicable the ending point.

In addition, if data localization is fully implemented without CBDT activities, customer doesn’t need to enter any of these pathways to the ending points.

CBDT adoption tree.png

Terminology:

  • CIIO - Critical Information Infrastructure Operator
  • FTZ - Free Trade Zone
  • PI Handler - Personal Information Handler(equal to data controller under GDPR)
  • China SCC – China Standard Contractual Clauses

 

4. SAP's Support and Recommendations

We understand the updated CBDT regulations may bring along adjustments to SAP and customers’ compliance obligations concerning cross-border data transfer activities relating to personal information and important data. SAP’s regulatory compliance team is currently evaluating the impact of the updated CBDT regulations and is actively considering ways that can better assist customers to achieve their business and compliance objectives.

SAP as a technology provider has developed a variety of technical features and product functionalities to support customers’ compliance obligations. SAP is also constantly monitoring the development of the Laws and considering other possible measures that may be able to support customers’ compliance obligations. Customers are encouraged to review SAP’s offerings, and work with us to explore ways in using our products and solutions in a manner that can better align with their business and compliance needs.

We recommend that customers review the updated compliance requirements brought on by the updated CBDT regulations and consider how they may impact their use of SAP’s solutions and products. Customer may wish to take into account factors such as types and volume of data processed, choice of data centers, business operation structures, technical requirements and the preferred deployment models, etc., and evaluate their CBDT compliance obligations pursuant to the Laws (particularly the updated CBDT regulations) based on their usages. Moreover, customers in specific industries may also have additional or distinct CBDT and/or data localization obligations that apply to their industry.

Regretfully, SAP is not a law firm and is not able to provide any legal advice. SAP recommends customers obtain independent legal advice or seek guidance from the relevant Chinese regulator(s) to understand their compliance obligations that are applicable to their use of SAP’s solutions and products. If customers have any compliance support requests after understanding their legal obligations applicable to their use of SAP’s products and solutions, customers can reach out to SAP Account team.

 

Relevant SAP Resources:

SAP Blog: Offshore vs. Onshore Instance: China Subsidiary-based Rollout for SAP S/4HANA Cloud Public Edition

Wechat Blog: SAP North Star Service Package for Instance Strategy

SAP Trust Center: https://www.sap.cn/about/trust-center/data-privacy.html

Reference:

[1] China issues regulations on cross-border data flows (Updated: March 23, 2024 07:08 Xinhua):

https://english.www.gov.cn/news/202403/23/content_WS65fe0f84c6d0868f4e8e5612.html

[2] Please refer to the official site of CAC for Provisions on the Regulation and Facilitation of Cross-border Data Flows:

促进和规范数据跨境流动规定

https://www.gov.cn/gongbao/2024/issue_11366/202405/content_6954192.html

[3] Please refer to the official site of CAC for Guideline on the Application for Security Assessment for Cross-border Data Transfer and the second version of the Guideline on the Registration of Standard Contracts for Cross-border Transfer of Personal Information:

国家互联网信息办公室发布《数据出境安全评估申报指南(第二版)》和《个人信息出境标准合同备案指南(第二版)》

https://www.cac.gov.cn/2024-03/22/c_1712783131692707.htm

[4] Please refer to below national standards for definitions of different sets of data:

Personal Information and Sensitive Information: 《GB/T 35273—2020 Information security technology – Personal information security specification 信息安全技术 个人信息安全规范》

Important Data: 《GB/T 43697—2024 Data security technology – Rules for data classification and grading 数据安全技术 数据分类分解规则》附录G

Disclaimer:

SAP is not a law firm and is not able to provide any legal advice.

This blog, or any related comment, SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed at any time for any reason without notice. This blog is not a commitment, promise or legal obligation to deliver any material, code or functionality. This blog is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

 

Popular Blog Posts