The Chinese government is proposing heightened requirements on cross-border transfers of personal information from China, recently publishing draft Measures on Security Assessment of Cross-border Transfer of Personal Information (the “Draft Measures”). This comes less than a month after the Chinese government issued another draft Measures for Data Security Management which require network operators to conduct a security assessment for any transfer of important data (i.e. any data that may directly affect China’s national security, economic security, social stability, or public health and security if leaked) to overseas. The Draft Measures now focus on the cross-border transfer of personal information by network operators and are viewed as a continuous effect of the Chinese government to strengthen the data protection in China.

Again, the scope of the Draft Measures is extremely broad as it applies to all “network operators,” i.e. all network service providers as well as other entities or persons who own or manage a network. According to the Draft Measures, before transferring any personal information collected in China to recipients outside of China, network operators would need to apply for a security assessment by submitting their applications to the respective Cyberspace Administration of China (“CAC”) branch at the provincial level.

The CAC would take into account a number of key factors in conducting a security assessment: whether the proposed cross-border transfer is in compliance with the laws and regulations in China; whether the contractual terms between the network operators and the data recipients are sufficient to protect the rights of the data subjects and whether they can be effectively honored; and what records are maintained with regard to the network operators and the data recipients.

If the CAC determines that the proposed cross-border transfer would “impact China’s national security, endanger public interest or ineffectively protect personal information,” such transfer would be prohibited. Network operators may file an appeal of that determination.

Other than the security assessment, network operators would be required to retain the records of their cross-border data for at least five years for inspection purposes by the CAC. These records would need to include the date of the cross-border data transfer, details of the data recipients, and of the personal information transferred.

The Draft Measures also would require network operators to enter into legally binding contracts with data recipients to specify the purpose, type and retention period of the cross-border transfer at issue. Importantly, the contract would need to specify that the data subject is the beneficiary of the contractual terms and can seek damages from either or both the network operators and recipients if they are responsible for breaches that cause harm to his or her personal information. A copy of such contract would need to be provided to the data subject upon request.

Further, like the EU’s General Data Protection Regulation, the Draft Measures impose direct obligations upon the data recipients—including liability to the data subject as discussed above. The data recipients would be required to confirm that the execution and performance of the contract will not violate the laws of the recipient’s country, and to notify the network operators of any changes to the local laws which render the performance of the contract difficult in a timely manner.

The Draft Measures are open for comment until 13 July 2019.