International companies doing business in China and Chinese companies doing business internationally have been awaiting clarification on the rules of the road governing the cross-border transfer of data out of China. On October 29, 2021, the Cyberspace Administration of China (“CAC”) released long-awaited Draft Measures on Outbound Data Transfer Security Assessments (the “Draft Measures”) for public comment. The Draft Measures, once finalized, will provide needed clarification as to which companies covered by the Personal Information Protection Law (“PIPL”) and other applicable laws will be subject to mandatory security assessments in order to transfer data overseas. The comment period of the Draft Measures will end on November 28, 2021 and final Measures are expected to be issued in the next few months.
The Draft Measures would require a government security assessment process for cross-border data transfers enshrined in recent Chinese laws, specifically the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”), and the PIPL. The last of these, the PIPL, became effective November 1, 2021.
The Draft Measures don’t answer all lingering questions following the implementation of the PIPL. Specifics related to the security assessment, such as what materials would need to be submitted to the CAC as part of the assessment, remain outstanding, as does other necessary information, such as the standard form contract for use between transferor and transferee required by the PIPL. Nor is completion of the security assessment process the end of the road for companies that meet the thresholds—separate consent must still be obtained from data subjects whose personal data will be transferred outside of China.
The Draft Measures would require that the following covered companies, referred to as “data processors”, undergo a security assessment:
- Critical Information Infrastructure Operators (“CIIO”) which transfer personal information or “important” data. CIIOs are generally entities operating in the communications, information technology, finance, transportation, and energy sectors. According to the Security Protection Regulations on Critical Information Infrastructure (effective September 1, 2021), CIIOs will be identified and notified by competent authorities.
- Any data processor that transfers “important data”. This threshold applies to any data processors (not just CIIOs) transferring “important data.” “Important data” remains undefined under current law, but would likely include at least data that impacts national security, economic security, social stability, and public health and security.
- Data processors that process over 1 million individuals’ personal information. The Draft Measures fill in an intentional gap found in the PIPL by proposing a threshold of processing of over 1 million individuals’ personal information.
- Data processors that cumulatively transfer personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals. Another gap filler for the PIPL, this provision relies on the volume of personal information actually transferred rather than the volume of data processed to trigger the security assessment requirement.
- “Other circumstances to be specified by the CAC”. This catch-all phrase, typical of PRC legislation, serves as a reminder that material changes can always occur even after the Draft Measures have been finalized.
It is unclear how much the Final Measures adopted by CAC will reflect these Draft Measures. In light of this uncertainty, we wouldn’t be surprised if many companies wait until the Final Measures are adopted before evaluating compliance with the security assessment requirements.
This isn’t the first time the CAC has issued similar proposed guidance—previous iterations published in 2017 and 2019 were never finalized. This time, the Draft Measures will likely be finalized in the coming months, given that China’s three-pillar framework for cybersecurity, data security, and data protection has crystallized.
We look forward to providing an in-depth analysis of the Measures once finalized.
Debevoise & Plimpton LLP, like other international firms in China, is not admitted to practice PRC law. Our views are based on our general experience in dealing with similar matters and consultation of published compilations of Chinese law. We would be pleased to arrange for assistance from licensed Chinese counsel should you require a formal opinion as to any of the matters set forth in this update.