On August 27, the European Union and China launched a new Cross-Border Data Flow Communication Mechanism to address problems regarding cross-border flows of non-personal data.
The resulting conversations may signal how China plans to regulate transfers of non-personal data it deems important to its national security and other strategic interests.
On August 27, the Vice-Minister of the Cyberspace Administration of China (CAC) and the Director-General of Trade at the European Commission chaired the inaugural bilateral dialogue in a new communication mechanism aiming to address practical challenges of cross-border flows of non-personal data. The mechanism is the result of high-level dialogues between European and Chinese officials, touted on December 7, 2023, at the EU-China Summit in Beijing. One topic likely on the agenda for the closed-door discussions is the current uncertainty about what constitutes “Important Data” under China’s Data Security Law, a challenge for corporations engaged in international trade that the EU press release noted “is particularly relevant for sectors such as finance and insurance, pharma, automotive, and information and communication technology (ICT).”
Relevance to U.S. Institutions of Higher Education: Clarification of “Important Data”?
Following the promulgation of the PIPL Measures on Facilitating and Regulating the Cross-Border Flow of Data Flows on March 22, 2024, understanding whether the non-personal data an organization processes is Important Data is significant because cross-border transfers of Important Data are permitted only if the organization passes a CAC Security Assessment. Important Data may not be transferred across borders under other Article 38 Safeguards from the PIPL.
Though the category of Important Data is central to China’s cybersecurity and data security laws and its possession triggers significant compliance obligations, guidance about what constitutes Important Data is developing slowly. The newly enacted Regulation for Administration of Network Data Security, which took effect on January 1, 2025, defines Important Data as “data covering specific fields, specific groups, or specific regions, or with certain level of precision and scale, where, if tampered with, destroyed, leaked, or illegally obtained or used, it may directly endanger national security, economic operations, social stability, or public health and safety.” As we explained in our XL Insights+ article on China’s Rules for Data Classification and Grading, Important Data is distinguished from “core data,” which would pose an even greater hazard, and “general data,” which would impose only a general hazard.
Though both the March 22, 2024 Measures on Facilitating and Regulating the Cross-Border Flow of Data Flows and the September 24, 2024 Regulations for Administration of Network Data Security permit an organization to proceed with data transfers on the assumption that the non-personal data they process is not Important Data unless relevant government bodies or departments have (1) notified them that their data is Important Data or (2) listed that data in a yet-to-be-published catalog of Important Data, we can anticipate that such catalogs are forthcoming. The discussions that take place between the EU and China in the new Cross-Border Data Flow Communication Mechanism might well inform the process as Chinese officials consider what data to categorize as Important Data and whether other mechanisms to permit its cross-border transfer might be approved.
For now, U.S. colleges and universities engaged in processing non-personal data in China should monitor this communication mechanism closely for signals as to how the regulations related to the data they process might continue to develop.