On October 29, 2021, the Our on-line world Administration of China (“CAC”) launched for public remark “Draft Measures on Safety Evaluation of Cross-border Knowledge Switch” (“Draft Measures”). The CAC, in its third legislative try to construct a cross-border knowledge switch mechanism in China, issued the Draft Measures three days earlier than the November 1, 2021 efficient date of the Private Data Safety Regulation (“PIPL”).
Scope and Utility
If made remaining, the Draft Measures would apply to cross-border transfers of non-public data and “necessary knowledge” collected and generated in China below sure circumstances.
Knowledge handlers could be topic to necessary safety assessments by the CAC within the following circumstances:
- switch of non-public data and necessary knowledge collected and generated by crucial data infrastructure (“CII”) operators (as outlined below China’s Cybersecurity Regulation);
- switch of necessary knowledge;
- switch of non-public data by knowledge handlers who course of over 1 million people’ private data;
- cumulatively transferring private data of greater than 100,000 people. or “delicate” private data of greater than 10,000 people; or
- different circumstances to be specified by the CAC.
The proposed thresholds for triggering such necessary safety evaluation typically are decrease than what was anticipated, and certain will influence many worldwide corporations.
A knowledge handler topic to a compulsory safety evaluation would first must conduct a self-security evaluation that addresses the next standards:
- the legality, propriety and necessity of the proposed cross-border switch/processing carried out by the info recipient outdoors of China;
- the quantity, scope, sort and sensitivity of the info to be transferred, and the potential dangers to nationwide safety, public pursuits and the professional pursuits of particular person and entities;
- whether or not related administration and technical measures applied by the info exporter and knowledge importer in reference to the switch will make sure the safety of information to be transferred outdoors of China;
- the chance of information leakage, injury, corruption, loss or misuse, and whether or not people might simply defend their rights; and
- whether or not the info switch settlement adequately allocates related duties for knowledge safety.
Obligatory Safety Evaluation
Knowledge handlers would want to submit sure supplies in reference to a compulsory safety evaluation, together with an software type, the info handler’s self-security evaluation, and the related knowledge switch settlement. In evaluating an information handler’s necessary safety evaluation, the CAC would concentrate on:
- the legality, propriety and necessity of the cross-border switch;
- the info safety legal guidelines and laws of the info recipient’s jurisdiction, the safety of the info being transferred, and whether or not the protections supplied by the info recipient fulfill Chinese language legal guidelines and laws and necessary nationwide requirements;
- the quantity, scope, sort and sensitivity of the info being transferred and the chance of leakage, injury, corruption, loss and misuse;
- whether or not the info switch settlement adequately allocates duties for knowledge safety;
- compliance with Chinese language legal guidelines, administrative laws and departmental laws; and
- different issues which can be deemed obligatory by the CAC.
Knowledge Switch Settlement
The info switch settlement between the info handler and knowledge recipient would want to incorporate the next content material:
- the aim, methodology and scope of the cross-border switch, and the strategy and goal of processing by the info recipient;
- the placement the place the info might be saved outdoors of China and the info retention interval (in addition to the measures to be taken upon expiration of the retention interval, termination of the info switch settlement, or in any other case when the aim of processing has been met);
- provisions proscribing re-transfer of the info to different people or entities;
- the safety measures to be taken within the occasion of a cloth change to the info recipient’s enterprise or related authorized necessities, or if the recipient in any other case can’t make sure the safety of the info;
- legal responsibility for violations of contractual knowledge safety duties, in addition to binding and enforceable dispute decision provisions;
- within the occasion of an information leak or different breach, provisions requiring the info recipient to reply appropriately and safeguard the rights and pursuits of people’ private data.
Process of Obligatory Safety Evaluation
Upon receipt of the info handler’s software, the CAC would verify whether or not it would settle for the appliance inside seven enterprise days. After issuing the discover of acceptance, the CAC would have 45 enterprise days to finish the evaluation. This era may very well be prolonged in advanced instances or the place the CAC requires supplementary paperwork, however typically the timeline mustn’t exceed 60 enterprise days.
The CAC’s necessary safety evaluation outcome could be efficient for 2 years. Throughout this era, the info handler would want to conduct a re-assessment in reference to any of the next circumstances:
- adjustments to the aim, means, scope and kind of the cross-border switch or processing of non-public data and/or necessary knowledge by the info recipient;
- an extension of the retention interval for the private data and/or necessary knowledge;
- adjustments to legal guidelines relevant to the info recipient, materials adjustments to the recipient’s enterprise, or amendments to the info switch settlement that may have an effect on the safety of the transferred knowledge; or
- different circumstances that may have an effect on the safety of transferred knowledge.
On condition that the PIPL is now efficient, corporations ought to put together for the finalization of those Draft Measures and guarantee they’ve plans in place to handle compliance with cross-border switch necessities.