17 November 2021

China Draft PIPL Measures Outlines Thresholds For CAC Security Assessments

Sheppard, Mullin, Richter & Hampton LLP

Contributor


The Chinese agency charged with implementing and enforcing the new Personal Information Protection Law has issued draft measures for cross-border data transfers. Comments are due by November 28. As we detailed previously, the law requires that the Cyberspace Administration of China (CAC) conduct security assessments prior to certain information transfers out of China. Those situations included transfers in which the information reached "significant" thresholds. Those thresholds have now been clarified in the draft.

In particular, the draft contemplates security assessments for transfers by entities that handle over one million individuals' personal information. Security assessments would also occur if the entity is either transferring personal information of more than 100,000 people or "sensitive" information of more than 10,000 people. In most situations security assessments would be valid for two years.

Under PIPL, entities that do not meet the thresholds for a CAC-led assessment, as well as those that do, must complete an internal self-assessment before transferring data outside of China. The draft outlines the specifics of that self-assessment. This includes looking at the risk of data leaks, the volume and scope of information to be transferred, and the like.

The draft also provides more insight into requirements around having a data transfer agreement when sharing personal information with a third party. Elements to include in the agreement are similar to GDPR, such as outlining security measures that will be used, limiting the scope of use by the data recipient, and having contractual penalties for contract violations. Also included is a requirement to indicate where, physically, data will be stored outside of China.

Putting it into practice: While the law was effective November 1, this draft is still under review. It does, however, provide guidance on what companies are expected to do under the law, including the thresholds for needing a CAC assessment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
