On 13 June 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures for Security Assessment of Cross-Border Transfer of Personal Information (the “Draft”) for public comment.

In accordance with the Draft, if a network operator intends to transfer any personal information collected in China out of China, it shall go through security assessments conducted by the competent provincial CAC branch. If the transfer is considered to have negative influence on national security, public interest or security of personal information, the transfer shall be prohibited.

The Draft also provided that, the provincial CAC shall regularly conduct inspections regarding cross-border transfers of personal information. If any infringement of legitimate rights of personal information subjects or data leakage occurs, the competent local CAC shall require the network operator or the receiver of information via the network operator to rectify. If any significant data leakage or data abuse is incurred, or data subjects are unable to protect their legitimate rights, or a network operator or receiver cannot protect the security of personal information, the competent local CAC shall suspend or stop the cross border transfer of personal information.

It is worth noting that, the Draft refers to network operators as “network owners and administrators, and network service providers”, therefore, if this Draft is implemented, it could potentially affect all entities that operate a business through the Internet in China. We will continue to monitor the status of the Draft and update accordingly.

Please click here to read the full text of the Draft (Chinese only).