China’s New Draft Measures for Data Cross-border Transfer

On October 29, 2021, the Cyberspace Administration of China (“CAC”) published the Security Assessment Measures of Data Cross-border Transfer (Draft for Comments) (the “New Draft Measures”) for public comments.

The New Draft Measures intends to set up clear implementation rules for the general principles of data cross-border transfer set forth in the Cyber Security Law, the Data Security Law and the Personal Information Protection Law. Although the current draft may be subject to further revisions before finalization, the following potential impacts of the New Draft Measures are worthy of attention:

  1. Possibility to trigger assessment by the PRC government may impact the daily operations of many multinational companies.

Article 4 of the New Draft Measures specifies five scenarios under which data cross-border transfer will trigger safety assessment by the central CAC or the relevant provincial branch of CAC (as applicable):

(1) Cross-border transfer of personal information (“PI”) or important data collected or generated by the operators of critical information infrastructures;

(2) Cross-border transfer of data containing important data;

(3) Cross-border transfer of PI by a processor who has processed PI of one million or above;

(4) Cumulative cross-border transfer of PI of 100,000 or above or sensitive PI of 10,000 or above;

(5) Other scenarios as specified by CAC.

Among the abovementioned five triggers, for many multinational companies in the PRC, the third and the fourth ones are most relevant to their daily operations, where these multinationals might need to transfer PI of its users, customers, suppliers and employees to their overseas headquarters or global data processing centers.  For compliance purpose, these multinationals might need to start to closely audit and monitor existing, ongoing and future transfer and storage of PI from the PRC, and assess and prepare for possible application of safety assessment by the PRC authorities.

Please note that the current formulation of the triggers under Article 4 still need further clarification.  For example, (i) the definition of “important data” needs to be further specified; (ii)…