CAC issues two draft measures on data transfer


To support the implementation of the China Cybersecurity Law, the Cyberspace Administration of China (CAC) published the draft Measures for the Administration of Data Security (Draft data security measures) on 28 May 2019, and the draft Measures for Security Assessment on the Export of Personal Information (Draft Security Assessment Measures) on 13 June 2019.

With these two drafts, the CAC seems to be proposing separate requirements for transfers of important data and for transfers of personal information. Network operators will need to follow a different set of security assessment procedures when transferring these different types of information out of China.

Transferring important data overseas. “Important data” can be broadly defined as data that if leaked, may directly impact national security, economic security, social stability or public health and safety. Under the Draft Data Security Measures, network operators intending to transfer important data overseas must conduct a security assessment and obtain approval from the competent industry regulator or the provincial counterpart of the CAC.

Transferring personal information overseas. “Personal information” can be broadly defined as information that by itself or in combination with other information can be used to identify a person or their birthdate, identification number, physical data, address, phone number, etc.

Under the Draft Security Assessment Measures, network operators intending to transfer personal information overseas must: (1) enter into a contract or other form of legally binding document with the foreign recipient of the personal information to be transferred out of China; (2) conduct a self-assessment of the security risks associated with the intended transfer and the security safeguards and measures adopted to address those risks; (3) prepare a security assessment report.

The contract with the foreign recipient must include:

  • the purpose for transferring the personal information, the information type and the information retention period;
  • the rights and interests of the data subjects;
  • the remedies available to data subjects for the infringement of their rights and interests;
  • the contract termination or the trigger of a new security assessment upon any change in the foreign data recipient’s ability to perform the contract;
  • the stipulation that the responsibilities and obligations of the network operator and the foreign data recipient survive the termination of the contract.

After conducting the self-assessment and preparing the security assessment report, the network operator may submit the security assessment report and other supporting documents to the CAC for its security assessment review of the proposed transfer of personal information. Unlike the CAC’s previous draft measures, the Draft Security Assessment Measures require “all transfers” of personal information from network operators in China to foreign data recipients to undergo the security self-assessment and CAC security assessment review.

This two-step security assessment process also applies to information collected in China by overseas institutions.

Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Danian Zhang (Shanghai) at [email protected]