The Cyberspace Administration of China has issued draft guidance on applying for and conducting security assessments for cross-border data transfers for public comment.
On October 29, 2021, the Cyberspace Administration of China ("CAC") issued draft Measures for the Assessment of Security of the Cross-Border Transfer of Data (the "Measures"). China's triumvirate of cybersecurity and privacy laws—the Cybersecurity Law, Data Security Law, and Personal Information Protection Law—requires a government security assessment before certain data can leave China.
The Measures provide that a data handler (similar to a GDPR "data controller") must apply for government security assessment:
- If the data transferred contains personal information or important data collected or generated by operators of critical information infrastructure or is otherwise deemed to be important data—generally defined as data related to national security, economic development, or public interest;
- If the data handler processes the personal information of more than 1,000,000 data subjects regardless of the number of data subjects whose personal information will be transferred;
- If the personal information of more than 100,000 data subjects, or the sensitive personal information of more than 10,000 data subjects will be transferred; and
- In other situations determined by the CAC.
The numerical thresholds are intended to implement the Personal Information Protection Law and may change before the Measures are finalized depending on comments received.
To determine if a government security assessment is necessary, data handlers must first conduct a self-assessment that will cover similar items to those in a data protection impact assessment under the GDPR. If required, the data handler must then apply to the CAC and submit the specified paperwork, including the self-assessment report. Upon acceptance, CAC must conduct the security assessment in collaboration with other specialized government departments within 45 days or up to a maximum of 60 days for complex cases. The result will be provided to the data handler in writing.
In anticipation of these Measures being adopted, companies must be mindful of the type of data they are exporting, how much data they are exporting, and whether they have any special obligations under the various Chinese cybersecurity and privacy laws.
The Measures are open for public comment until November 21, 2021.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.