China Publishes New Draft Measure on Cross-Border Data Transfer

On October 29, 2021, China released the Draft Measures on Data Cross-Border Security Assessment (the “Draft Measures”) for public comments. Following its two previous versions in 2017 and 2019, this new draft is developed based on the very recent adoption of the Personal Information Protection Law (“PIPL”) and the Data Security Law, and provides the detailed requirements on the security assessment organized by the Cyberspace Administration for cross-border data transfer. Most importantly, the Draft Measures clarify the definition of “large volume” personal information under PIPL in connection with data localization and cross-border transfer, and also add new circumstances that will significantly expand the application of government security assessment.

Specifically, data processors are required to pass government security assessment for cross-border transfer of data in any of the following circumstances:

  1. Transfer of personal information (“PI”) and important data by Critical Information Infrastructure Operators. This is in line with the PIPL.
  2. Transfer of “important data”. “Important data” a concept under Data Security Law, meaning such data as classified by the government as “important data”.
  3. By a PI processor processing the PI of over 1,000,000 The PIPL provides the PI processors processing a “large volume” of PI must pass the security assessment prior to any cross-border transfer of PI, and such volume threshold is now defined in the Draft Measures as one million individuals.
  4. Transfer of PI of over 100,000 individuals accumulatively. This is a new requirement that is not provided the PIPL. The difference between this clause and the one above is unclear. It seems that item (3) above refers to a processor having more than 1 million individuals PI, regardless how much data is transferred to overseas; item (4) instead focuses on the number of PI actually transferred.
  5. Transfer of sensitive PI of over 10,000 individuals accumulatively. Again, this is a new requirement, not under the PIPL. It seems that sensitive PI is considered separately from other PI in terms of cross-border transfer. It may significantly expand the application of government security assessment, especially to employees PI transfer by large corporations.
  6. Other circumstances as required by the CAC.

The public comment period of the Draft Measures will expire on November 28, 2021.