When does a business need to submit to a mandatory security assessment by the CAC?
If any of the following criteria are met, a business must submit to a mandatory security assessment by the CAC before it can transfer data out of China:
- The business is transferring ‘critical data’ (as defined below) out of China; or
- The business is: (a) a critical information infrastructure (CII) operator, or (b) processing the personal information of more than one million individuals; or
- The business has transferred out of China: (a) the personal information of more than 100,000 individuals, or (b) the sensitive personal information of more than 10,000 individuals, since 1 January of the previous year.
The CAC may also impose or identify other circumstances in which a security assessment is required.
What constitutes a ‘cross-border transfer’?
It remains to be seen how the CAC will interpret and implement the Measures. However, the following are common scenarios that will likely constitute a cross-border transfer and therefore be subject to the Measures:
- A multinational company with local operations in China has a shared working system for all of its global offices, where employees outside China have remote access to critical data or personal information collected within China.
- Employees who are based outside China have access, during their business travel in China, to critical data or personal information which is collected within China.
- A foreign entity collects the personal information of Chinese data subjects for the purpose of selling goods or providing services to them, or assessing their individual behaviour.