Separate treatment of personal information and important data
By contrast with the draft Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data (the 2017 Draft) published by the CAC back in 2017, the 2019 Draft specifically targets “personal information.” As regards personal information, it is worth noting that the 2019 Draft no longer specifically mentions the “data localization” requirement, instead placing more emphasis on the requirement to fulfill a security assessment before any cross-border transfer. This indicates the CAC’s intention to adopt different approaches to the data localization requirement for personal information and important data (which usually involves national security, social order and public interests), respectively.
Clarification on scope of applicability
The 2019 Draft clearly specifies that “foreign entities” will be required to fulfill the relevant obligations under the 2019 Draft through their authorized representatives or affiliates in China as long as they collect the personal information of Chinese users through the internet; by contrast, the 2017 Draft vaguely referred to “other individuals and entities” being subject to its requirements.
Key obligations of network operators under the 2019 Draft
- Security assessment prior to transfer
Before transferring personal data abroad, network operators must apply to the provincial cybersecurity administration for a security assessment of the transfer (pre-export security assessment). The assessment must be repeated every two years or whenever there is a change in the purpose of the data export, the types of data being exported, or the period of overseas retention of the data.