On29 October 2021, the Cyberspace Administration of China (“CAC”) releasedthe Draft Measures on Security Assessment of Cross-border DataTransfer (“Draft Measures”) for comment through 28November.
If this Draft Measures made final, all data handlers arerequired to conduct an internal self-assessment before transferring dataoutside China. Thisself-assessment shall focus on reviewing the legality, appropriateness, andnecessity of cross-border data transfer, the volume, scope, sensitivity ofdata, and the risks possibly imposed on the national security, publicinterests, and individual interests, etc. Additionally, in one of the followingcircumstances, data handlers would also be subject to a mandatory securityassessment conducted by the provincial cyberspace administration authorities orthe CAC:
- Personal informationand important data collected and generated by critical informationinfrastructure operators;
- Transfer of importantdata;
- Transfer by datahandlers who process personal information of over one million individuals;
- Accumulativelytransferring of personal information of more than 100,000 individuals orsensitive personal information of more than 10,000 individuals;
- Other circumstancesspecified by the CAC.
Upon applicationsubmitted by data handlers, the CAC would confirm whether to accept theapplication of assessment within 7 business days and would have 45 businessdays (or 60 business days for complex cases) to complete the assessment. Moreover,data handlers would have to provide the internal self-assessment report, datatransfer agreement between the data handler and overseas data recipient, andother supplementary materials. The result of the assessment would be effectivefor two years unless (1) the purpose, means, use, scope, and type of thecross-border transfer change; (2) the retention period extends; (3) applicablelaws to the data recipient changes or the data transfer agreement is amendedand (4) other circumstances that might affect the security of transferred data.
