Chinafy - Do you know the terms of the Cross-border data transfer?

Last updated by Luke Cook [SSW] 12 months ago.

On 7 July 2022, the Cyberspace Administration of China (the CAC) released the long-awaited final version of its Measures for Security Assessment of Cross-border Data Transfers. These Measures apply to relevant businesses that are looking to transfer data out of China. The Measures take effect on 1 September 2022. A grace period of six months applies for cross-border transfers carried out before the effective date.

When does a business need to submit to a mandatory security assessment by the CAC?

If any of the following criteria are met, a business must submit to a mandatory security assessment by the CAC before it can transfer data out of China:

  • The business is transferring important data out of China
  • The business transferring personal information out of China is:
    • A CIIO (Critical Information Infrastructure Operator)
    • A data processor that processes the personal information of 1 million individuals or more
  • The business has transferred out of China since 1 January of the previous year:
    • The personal information of more than 100,000 individuals
    • The sensitive personal information of more than 10,000 individuals

The CAC may also impose or identify other circumstances in which a security assessment is required.

What is "Important Data"?

In the Measures for Security Assessment of Cross-border Data Transfers, important data refers to data that, if altered, destroyed, leaked, illegally acquired or illegally used, etc., may harm national security, economic operations, social stability, public health or security, etc. (art. 19)

Who is classified as a Critical Information Infrastructure Operator?

In the Regulations on the Security and Protection of Critical Information Infrastructure, CIIOs are defined as companies engaged in "important industries or fields", including:

  • Public communication and information services;
  • Energy;
  • Transport;
  • Water;
  • Finance;
  • Public services;
  • E-government services;
  • National defense; and
  • Any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.

What is the meaning of personal information and sensitive personal information?

According to the PRC Personal Information Protection Law (PIPL):

Personal information

Personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously. (PIPL art. 4)

Sensitive personal information

Sensitive personal information refers to personal information that, once leaked or illegally used, can easily lead to the infringement of the personal dignity of natural persons or harm to personal or property safety, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, whereabouts, or the personal information of minors under the age of 14. (PIPL art. 28)
