On October 29, 2021, the Cyberspace Administration of China (CAC) released a call for public comments through the Measures on Security Assessment of Cross-border Data Transfer (draft for comments, hereinafter referred to as “the Draft Measures”).
It’s CAC’s third legislative attempt at building a more advanced cross-border data transfer mechanism in China. With the releasing and implementation of several important laws to establish a better framework in the field (Cybersecurity Law of the People's Republic of China, Data Security Law of the People's Republic of China, Personal Information Protection Law of the People's Republic of China), CAC finally issued the Draft Measures three days before the November 1, 2021, effective date of the Personal Information Protection Law (“PIPL”). The previous two attempts include the Assessment Measures for Cross-Border Transfer of Personal Information and Important Data (released for comments on October 13, 2017), and the Assessment Measures for Cross-Border Transfer of Personal Information (released for comments on June 13, 2019).
The latest Draft Measures depict security processes and approval materials, along with data scope and industry regulatory bodies for data transfer assessment outside mainland China. The main contents covered:
I. Data assessing scope:
a) Personal information and important data collected and generated by Critical Information Infrastructure Operator (CIIO)
b) Important data involved in the to-be transferred batch.
c) Data transfer applicant is a handler who deals with or possesses more than one million people’s information.
d) The applied data involves more than 100 thousand people’s information or over 10 thousand people’s sensitive information.
II. Self-evaluation for data operators required in different aspects before submitting application which should mainly cover:
a) Basic information of the data: scope, reason to transfer, method, quantity, category.
b) The necessity, legitimacy of the transfer.
c) Managing methods of data security and precaution measures against potential leakage or breach.
d) Technical skills and responsibilities of the abroad data receiver.
III. Administration and assessment authorities:
a) CAC is the direct bodies to accept applications.
b) Sector watchdogs of the applicant, relevant department of the State Council, provincial cyberspace administration and relevant professional institutions will be the reviewers.
IV. Specify critical contents that should be included in the contract signed by the data collector and the receiver.
V. The assessment result will be valid for two years in general.
China’s efforts on protecting data security have accelerated in the past two years, and cross-border data transfer seems to be one of the critical control points. Despite the first two attempts failing to be officially implemented, the Draft Measures are very likely to take decisive action.
Still, regardless of the administrative measures that’ll be implemented, China’s policies on cross-border data management would initiate impact on existing business models, system architecture, and potential scope of financial costs, efforts, and technical adjustments for both MNCs and foreign stakeholders. First, extensive capital and ongoing expenses would be spent on building up the IT environment and data management for mainland China. Secondly, we suggest MNCs and foreign stakeholders engage or build a local cybersecurity team (including security governance and security operations) to ensure proper cybersecurity protection and market compliance.
If you need more information or any help on the topic, please contact:
assistant@bestao-consulting.com