International companies doing business in China and Chinese companies doing business internationally have been awaiting clarification on the rules of the road governing the cross-border transfer of data out of China.  On October 29, 2021, the Cyberspace Administration of China (“CAC”) released long-awaited Draft Measures on Outbound Data Transfer Security Assessments (the “Draft Measures”) for public comment.  The Draft Measures, once finalized, will provide needed clarification as to which companies covered by the Personal Information Protection Law (“PIPL”) and other applicable laws will be subject to mandatory security assessments in order to transfer data overseas.  The comment period of the Draft Measures will end on November 28, 2021 and final Measures are expected to be issued in the next few months.

The Draft Measures would require a government security assessment process for cross-border data transfers enshrined in recent Chinese laws, specifically the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”), and the PIPL.  The last of these, the PIPL, became effective November 1, 2021.

The Draft Measures don’t answer all lingering questions following the implementation of the PIPL.  Specifics related to the security assessment, such as what materials would need to be submitted to the CAC as part of the assessment, remain outstanding, as does other necessary information, such as the standard form contract for use between transferor and transferee required by the PIPL.  Nor is completion of the security assessment process the end of the road for companies that meet the thresholds—separate consent must still be obtained from data subjects whose personal data will be transferred outside of China.

The Draft Measures would require that the following covered companies, referred to as “data processors”, undergo a security assessment:

  • Critical Information Infrastructure Operators (“CIIO”) which transfer personal information or “important” data. CIIOs are generally entities operating in the communications, information technology, finance, transportation, and energy sectors.  According to the Security Protection Regulations on Critical Information Infrastructure (effective September 1, 2021), CIIOs will be identified and notified by competent authorities.
  • Any data processor that transfers “important data”. This threshold applies to any data processors (not just CIIOs) transferring “important data.” “Important data” remains undefined under current law, but would likely include at least data that impacts national security, economic security, social stability, and public health and security.
  • Data processors that process over 1 million individuals’ personal information. The Draft Measures fill in an intentional gap found in the PIPL by proposing a threshold of processing of over 1 million individuals’ personal information.
  • Data processors that cumulatively transfer personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals. Another gap filler for the PIPL, this provision relies on the volume of personal information actually transferred rather than the volume of data processed to trigger the security assessment requirement.
  • “Other circumstances to be specified by the CAC”. A typical catch-all phrase in PRC legislation serves as a reminder that material changes can always occur even after the Draft Measures have been finalized.

It is unclear how much the Final Measures adopted by CAC will reflect these Draft Measures.  In light of this uncertainty, we wouldn’t be surprised if many companies wait until the Final Measures are adopted before evaluating compliance with the security assessment requirements.

This isn’t the first time the CAC has issued similar proposed guidance—previous iterations published in 2017 and 2019 were never finalized.  This time, the Draft Measures will likely be finalized in the coming months, given that China’s three-pillar framework of cybersecurity, data security, and data protection has crystallized.

We look forward to providing an in-depth analysis of the Measures once finalized.

***

Debevoise & Plimpton LLP, like other international firms in China, is not admitted to practice PRC law. Our views are based on our general experience in dealing with similar matters and consultation of published compilations of Chinese law. We would be pleased to arrange for assistance from licensed Chinese counsel should you require a formal opinion as to any of the matters set forth in this update.


Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at agesser@debevoise.com.

Author

Mark Johnson is a partner in the firm’s Hong Kong office and a member of the International Dispute Resolution Group. His practice focuses on commercial litigation, international arbitration and white collar/regulatory defense matters, particularly in the financial services sector. He can be reached at mdjohnson@debevoise.com.

Author

Philip Rohlik is a member of Debevoise’s Litigation Group whose practice focuses on international investigations, securities law and dispute resolution. Mr. Rohlik’s varied practice has included representation of U.S. and multinational companies in complex litigation and investigations, as well as in cybersecurity and data privacy issues, with a particular focus on Asia. He is recommended by The Legal 500 Asia Pacific (2021), with the guide describing him as “very thorough and hands on.” Based in Asia since 2011, Mr. Rohlik leads Debevoise's dispute resolution team in Shanghai. He can be reached at prohlik@debevoise.com.

Author

Ralph Sellar is an international counsel and English and Hong Kong qualified member of the firm’s International Dispute Resolution Group based in the Hong Kong office. Mr. Sellar is a commercial litigator with extensive experience in a range of banking litigation, including disputes relating to investment and wholesale banking, listed securities, OTC derivatives and structured products. He can be reached at rsellar@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising on AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Eva is a PRC legal consultant resident in Debevoise's Shanghai office. She is a member of the Shanghai office disputes team focusing on compliance and litigation matters. She can be reached at eniu@debevoise.com.