Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 25
Asia-Pacific Data Privacy and Cybersecurity Guide 2025
payment, cross-border account opening, and
examination services.
Exemption for emergency:
Where it is really necessary to provide personal
data abroad in an emergency to protect the life,
health and property safety of a natural person.
Exemptions for employment relationship:
Where it is really necessary to provide
employees’ personal data abroad for the
purpose of conducting cross-border human
resources management in accordance with the
employment rules and regulations formulated
in accordance with the law and collective
contracts concluded in accordance with the law.
Exemptions for limited transfer:
Personal data handler other than CIIO who
have cumulatively provided personal data
(excluding sensitive personal data) of less
than 100,000 people to foreign countries since
January 1 of the current year.
Pursuant to CBDT Provisions, Free Trade Zones
(FTZs) are enabled to formulate their own
“negative data lists” stipulating the types of data
which are subject to Data Transfer Review. As of
March 2025, some FTZs such as Beijing, Tianjin,
Shanghai, Fujian, and Hainan have issued their
negative and positive data lists. In practice,
we’ve also seen some multinational companies
benefit from FTZ rules in the context of
cross-border data transfer.
The CBDT Provisions formalise some
long-anticipated exemptions to Data Transfer
Review that will no doubt be welcomed by
organisations in a position to benefit. However,
it is important to understand that even where
exemptions to Data Transfer Review apply,
personal data handlers are still required to
comply with their obligations under the PIPL.
For example, an organisation exempt from
the requirement to file their SCCs, a privacy
assessment report is still required to complete.
More broadly, the CBDT Provisions do not
create general exemptions to PIPL
25
