Reed Smith Client Alerts

On June 13, 2019, the Cyberspace Administration of China (CAC) published for comment the draft Measures on Security Assessment of Cross-Border Transfer of Personal Information (the 2019 Draft). The 2019 Draft sets out the detailed legal obligations and compliance requirements associated with the cross-border transfer of personal information that companies doing business in multiple jurisdictions including China may face in their day-to-day activities. This article aims to provide a summary of the key changes resulting from the 2019 Draft and offers our observations.

Authors: Amy Yin

Separate treatment of personal information and important data

By contrast with the draft Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data (the 2017 Draft) published by the CAC back in 2017, the 2019 Draft specifically targets “personal information.” As regards personal information, it is worth noting that the 2019 Draft no longer specifically mentions the “data localization” requirement, instead placing more emphasis on the requirement to fulfill a security assessment before any cross-border transfer. This indicates the CAC’s intention to adopt different approaches to the data localization requirement for personal information and important data (which usually involves national security, social order and public interests), respectively.

Clarification on scope of applicability

The 2019 Draft clearly specifies that “foreign entities” will be required to fulfill the relevant obligations under the 2019 Draft through their authorized representatives or affiliates in China as long as they collect the personal information of Chinese users through the internet; by contrast, the 2017 Draft vaguely referred to “other individuals and entities” being subject to its requirements.

Key obligations of network operators under the 2019 Draft

  • Security assessment prior to transfer

Before transferring personal data abroad, network operators must apply to the provincial cybersecurity administration for a security assessment of the transfer (pre-export security assessment). The assessment must be repeated every two years or whenever there is a change in the purpose of such data export, the types of data being exported, or the period of overseas retention of such data.