Blog/CRM/Navigating China's Cross-Border Data Transfer in 2024

In this article, we’ll discuss the complexities of cross-border data transfer in China, recent regulation updates, and why brands need to localize their client database and build a comprehensive Customer Relationship Management (CRM) system with Salesforce China.

Disclaimer

Please be aware that the information in this blog article does not, and is not intended to, constitute legal advice regarding any laws of the People's Republic of China (PRC).

Although well researched, all information and materials in this article only serve as a general guide to help you understand the legal outline and implications on your business while operating in and/or working with the China market.

Any suggestions made are based on ITC's experiences as a Shanghai-based digital transformation consultancy that helps clients navigate the digital landscape in China.

It should also be noted that all relevant laws and regulations will continue to evolve going forward. Thus, this article may not be fully relevant or exact in the future.

Disclaimer
Introduction
What to Know about Cross-Border Data Transfer in China
What is the New Data Transfer Mandate in China? [March 2024]
- How China Proposes to Relax Rules on Cross-Border Data Transfer
- What Does This New Update Mean for International Companies in China?
Do Businesses Still Need to Localize Database in China?
- Why Data Localization in China is a Must
- How IT Consultis (ITC) Can Help

Introduction

Distinct China digital ecosystem due to the Great Firewall and the China Personal Information Protection Law (PIPL)

Due to the Great Firewall, China has developed its own distinct digital ecosystem compared to the rest of the world. Furthermore, the country operates under its own set of regulatory frameworks, including the Personal Information Protection Law (PIPL) that strictly controls where and how data are stored and processed.

This makes data collection, utilization, and cross-border transfer quite daunting, especially for international and B2B businesses operating in China with global headquarters.

Nonetheless, to reduce unnecessary compliance burdens, the Regulations on Promoting and Regulating Cross Border Data Flows was recently passed, aiming to better streamline the data transfer process without compromising data security.

What does this mean for brands in China? Let’s break things down.

What to Know about Cross-Border Data Transfer in China

What Does Cross-Border Data Transfer Mean?

Cross-border data transfer refers to moving data from one country or jurisdiction to another through any means, whether it’s done electronically, online, or physically using storage or recordings.

In China, cross-border data transfers are mainly regulated by the Personal Information Protection Law (PIPL), which serves as the legal framework for handling personal data while ensuring consumer data privacy and cybersecurity are in place.

Key Requirements of China Cross-Border Data Transfer Regulations

In general, the China PIPL permits brands to move information (including personal and sensitive data) across the border through either of the following 3 legal pathways:

Passing the National Cyberspace Department's Security Assessment
Obtaining the Personal Information Protection Certification from a relevant institution
Signing a Standard Contract stipulating rights and obligations with the overseas recipient

Many can qualify for the 3rd option (the most feasible of all) as long as they meet the following 4 criteria:

Qualifications for China cross-border data transfer by signing standard contracts

Otherwise, brands would need to go through a lengthy, convoluted process of either the government’s security assessment or acquiring certification to be able to transfer data to their global headquarters.

Why Is This Important for International Brands in China?

As the PIPL applies to all businesses that work with data originating from China, whether you’re based inside or outside of China, compliance is a must.

Therefore, global brands need to carefully navigate cross-border data transfers from China (i.e., to their global headquarters) to ensure they meet PIPL regulations, as any breaches could lead to heavy financial penalties.

With authorities enforcing stringent measures to safeguard user data, businesses worldwide are facing rising expenses to manage risks and maintain legal compliance.

Moreover, according to Financial Times, as of January 3^rd, 2024, only 25% of applications for data exports have allegedly been approved. Thousands of requests from both local and international businesses are still pending, involving various types of data like personal credit histories and online sales records, all meant for overseas partners.

This poses a significant challenge for businesses as their expansion plans hit a data wall, while grappling with a slowing economy and heightened geopolitical tensions.

Fortunately, a new regulatory publication has emerged to alleviate the challenges in cross-border data transfer from China.

What is the New Data Transfer Mandate in China? [March 2024]

On March 22nd, 2024, the Cyberspace Administration of China (CAC) has published the Regulations on Promoting and Regulating Cross Border Data Flows, clarifying and loosening guidelines for China data transfers between Foreign Invested Enterprises (FIEs) and their overseas headquarters.

Keep in mind that as of mid-May 2024, this regulation has yet to come into effect.

How China Proposes to Relax Rules on Cross-Border Data Transfer

Cross-border data transfers now exempt from CAC Data Security Assessment, standard contract, or personal information protection certification primarily include the following:

Data (not including personal information or important data) collected and generated in activities such as international trade, cross-border transportation, academic cooperation, cross-border manufacturing, and marketing
Personal information collected and generated overseas, sent to China for processing, then provided overseas without adding domestic personal information or important data during the processing in China
Personal information needed to be transferred for a contract performance to which the individual is a party (e.g. cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa processing, examination services, etc.)
Aggregated transfer of non-sensitive personal information involving no more than 100,000 individuals since January 1st of the current year

What Does This New Update Mean for International Companies in China?

With compliance burdens reduced, the process for China cross-border data transfer can be streamlined more effectively. This is an immense relief for all businesses urgently waiting for clarification on many aspects, as they now have help in finding a clearer direction, doing their jobs, and setting up infrastructure in China.

Brands can operate under a more efficient data flow to generate insights, make faster data-driven decisions, and respond more promptly to market demands, all with reduced legal risks. International and B2B enterprises are particularly large beneficiaries as they often deal with large volumes of data and complex global operations.

This is also significant for luxury brands whose clienteles demand personalization across global markets that they often travel to. The In:China Monitor report touched on what exactly Chinese clients seek when buying luxury in foreign countries: When visiting a brand or store in Italy:

- 51% expect staff to understand the Chinese language or culture
- 44% wish to receive special experiences and services

Contact us for access to the full report on China and APAC luxury evolutions.

Chinese luxury clienteles demand personalized catering when traveling to global markets

Do Businesses Still Need to Localize Database in China?

The short answer is: Yes.

Why Data Localization in China is a Must

To ensure PIPL compliance and mitigate risks associated with data sovereignty issues, brands must store 100% of the personal data within Mainland China and set up infrastructure in China with a centralized Customer Relationship Management system. This is especially crucial for Critical Information Infrastructure Operators (CIIOs) who work with important or sensitive information.

Once the locally captured data is processed and anonymized, it is much easier to transfer it abroad to global headquarters for consolidation and further analysis.

Moreover, hosting databases in China can improve data access speed and reliability for local users. This is vital for providing a seamless user experience, especially for applications that require real-time data processing or low latency.

How IT Consultis (ITC) Can Help

At ITC, we are helping many Fortune 500 companies to localize their database in China and establish a comprehensive CRM system that centralizes various data flows using Salesforce China. This also ensures seamless integration with all relevant local business systems and with their global CRM system.

China data residency approach with Salesforce China enable brands to store and process data captured from China within the China CRM and transferring their anonymized version to the global CRM

Salesforce China allows brands to consolidate data from a wide range of touchpoints (including WeChat Official Account, WeCom clienteling, Mini Programs, offline retail, events, Public Traffic domains, etc.) to build 360-degree customer profiles and empower data-driven personalized engagement and customer experiences with greater precision.

Ultimately, this approach enables brands to effectively nurture customer relationships, drive conversions, foster loyalty, and optimize performance, all while maintaining compliance with local regulations.

For more details, read more on why exactly brands need to fortify CRM in China and key strategies to approach the initiative.

Looking to Localize Your Business and Database in China?

FAQs

Do the Consumer Data Regulations Apply to Hong Kong SAR?

What Regulator Procedure is Needed to Transfer Data Overseas?

Data may leave China through the following 3 legal pathways:

Passing the government’s Security Assessment
Obtaining the Personal Information Protection Certification from a relevant institution
Signing a Standard Contract with the overseas recipient

As of now, since the Regulations on Promoting and Regulating Cross-Border Data Flows are in effect, many data transfers are exempt from assessment or certification, including the following:

Data (with no personal or critical information) from activities like international trade, cross-border transportation, academic cooperation, manufacturing, and marketing.
Overseas-collected personal information processed in China, then provided overseas without adding domestic personal or critical data.
Personal information transferred for contract performance (e.g., cross-border shopping, delivery, visa processing), and examination services.
Aggregated non-sensitive personal info concerning less than 100,000 individuals.

What Are Other Laws in China that Concern Cross-Border Data Transfer?

Cross-border data transfers are affected by legal means of protecting personal data of Chinese users, which is mainly addressed by the aforementioned PIPL. However, cybersecurity and data processing laws, primarily Cyber Security Law (CSL) and Data Security Law (DSL), also have a key influence that brands should be aware of.

CSL is the primary regulation for cybersecurity and national security and public interest safeguarding, whereas DSL concerns data handling, usage, and movement, for the legal protection of citizens and organizations.

Can You Transfer Personal Data Out of China?

Yes, brands can transfer personal data out of China, but they need to adhere to certain procedures and requirements outlined by Chinese regulations, especially PIPL. As personal data and information is more sensitive, these processes are more convoluted and take a longer time than non-personal data.

The most optimal method is signing a standard contract with a foreign party according to standards set by the CAC. It is simpler compared to other options as no external audits are needed.

However, there are eligibility criteria for using the standard contract method, and brands must undergo a Personal Information Protection Impact Assessment (PIPIA) before transferring personal data overseas using this method.

Furthermore, as granted by the Regulations on Promoting and Regulating Cross-Border Data Flows, cross-border personal data transfers exempt from assessments and procedures include:

Data (with no personal or critical information) from activities like international trade, cross-border transportation, academic cooperation, manufacturing, and marketing.
Overseas-collected personal information processed in China, then provided overseas without adding domestic personal or critical data.
Personal information transferred for contract performance (e.g., cross-border shopping, delivery, visa processing), and examination services.
Aggregated non-sensitive personal info concerning less than 100,000 individuals.

Does the General Data Protection Regulations (GDPR) Apply for Data Transfers in China?

If the company is set up in the EU, then the GDPR regulates all personal data processing activities carried out by the company, regardless of location. The GDPR focuses on the “establishment” (where the country is set up) of the company which conducts business that involves the processing of personal information.

It should be noted that despite the similarities, China’s PIPL and the EU’s GDPR do not overlap perfectly, so being compliant with one does not guarantee compliance with the other.