CAC Releases Cross-Border Data Transfer Security Assessment Measures

On April 11, the Cyberspace Administration of China (CAC) released the Draft Security Assessment Measures for Cross-Border Transfer of Personal Information and Important Data (referred to as Draft Measures hereafter) for public comments with a deadline of May 11, 2017. The Draft Data Transfer Measures were written in accordance with the National Security Law (article 25) and Cybersecurity Law (CSL), and aim to protect personal information and important data collected and generated by network operators during their operations within China. This will have a far-reaching impact to businesses across all sectors with cross-border data transfer needs in the globalized digital network. 
 
The Draft Measures mandate that all personal information and important data collected and generated by network operators in China should be stored in China and security assessments should be conducted if cross-border transfer is needed. This clearly expands the scope of data localization and the cross-border data assessment stipulated in CSL Article 37, which requires only critical information infrastructure operators to perform data localization and cross-border data transfer assessments.
 
In addition, the Draft Measures also require other individuals and organizations collecting and generating personal information and important data to perform such security assessments on cross-border data transfers.
The cross-border data transfer is viewed as a transfer of data to organizations or individuals outside of China, a physical boundary without differentiating the identity of the recipient, which could impact internal transfer of employee data within MNCs. The definition of "personal information" is identical to the CSL definition and for the first time, the definition of "important data" was put forward as data closely associated with national security, economic development and social public interests. Standards and guides are being developed to guide all parties to identify "important data".
 
The Draft Data Transfer Measures require network operators to perform in-house security assessments for outbound general data, and to report to industry regulators for a security assessment of the following data: 

  1. The outbound data or a batch of outgoing data containing personal information of more than 500,000 people
  2. The size of the outbound data exceeds 1000GB;
  3. Outbound data includes data involving nuclear facilities, chemical biology, defense and military industry and population health, data on large engineering projects, marine environment and sensitive geographical information, etc.;
  4. The outbound data contains cybersecurity information such as vulnerabilities and security protection of critical information infrastructure;
  5. When operators of critical information infrastructure transfer personal information and important data cross-border;
  6. Other data possibly affecting national security and social public interests, in which the sector-specific administrative department or regulator deems an assessment necessary.