China: PRC Regulations On Data Security: CAC Issues Administrative Measures On Security Assessment Of Cross-Border Data Transfer Of Personal Information (Draft For Comments)

On June 13, 2019, the Cyberspace Administration of China ("CAC") released a draft of the Administrative Measures on Security Assessment of Cross-border Data Transfer of Personal Information for public comment (the "Draft Measures"). The comment period ends on July 13, 2019.

Compared with the draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data released by CAC for public comment in 2017("2017 Draft"), important data issues are not addressed by this new draft, however, it covers oversea entities that collect of personal information of domestic users through internet, which shall fulfill the same responsibilities and obligations as network operators through its legal representative or entities in China. 

Same as the 2017 Draft, not only for "operators of Critical Information Infrastructure" ("CII"), but all "network operators" are required to conduct self-assess the security of their cross-border data transfer of personal information and file report with CAC's provincial branches. CAC's provincial branches will organize experts and technicians for a security assessment within 15 working days (which may be extended for complicated situations) upon verifying the completeness of the fillings. Network operators shall conduct fillings for each of the recipient for the cross-border data transfer. The fillings or recordal are generally valid for 2 years for repetitive/continuous transfer to the same recipient, unless the purpose for such data transfer, the type of the data transfer or the time of oversea retention of such data has been changed.

Other than the fillings for cross-border data transfer, network operators are also required to file annual report for cross-border data transfer of personal information and the performance of the relevant contracts with the CAC's provincial branches. The cross-border data transfer can be terminated by CAC in certain circumstances.

Lastly, for oversea entities that collect of personal information of domestic users through internet shall fulfill the same responsibilities and obligations as network operators through its legal representative or entities in China. It is unclear as to how the oversea entities that collect of personal information of domestic users through internet to conduct the security assessment fillings with CAC, especially those without legal representative or entities in China.

The Draft Measures, if enacted as proposed, may materially impact the cross-border data transfer of Chinese users' personal information. For companies seeking collecting China domestic users' personal information through internet or network operators in China shall consider taking steps to proactively self-assess their cross-border data flows and be prepared for the government's security assessment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.