The Chinese agency charged with implementing and enforcing the new Personal Information Protection Law has issued draft measures for cross-border data transfers. Comments are due by November 28. As we detailed previously, the law requires that the Cyberspace Administration of China (CAC) conduct security assessments prior to certain information transfers out of China. Those situations included if the information transferred reached “significant” thresholds. Those thresholds have now been clarified in the draft.

In particular, the draft contemplates security assessments for transfers by entities that handle over one million individuals’ personal information. Security assessments would also occur if the entity is either transferring personal information of more than 100,000 people or “sensitive” information of more than 10,000 people. In most situations security assessments would be valid for two years.

Under PIPL, both entities who do not meet the thresholds for a CAC-led assessment, as well as those who do, must complete an internal self-assessment before transferring data outside of China. The draft outlines the specifics of that self-assessment. This includes looking at the risk of data leaks, the volume and scope of information to be transferred, and the like.

The draft also provides more insight into requirements around having a data transfer agreement when sharing personal information with a third party. Elements to include in the agreement are similar to GDPR, such as outlining security measures that will be used, limiting the scope of use by the data recipient, and having contractual penalties for contract violations. Also included is a requirement to indicate where, physically, data will be stored outside of China.

Putting it into practice: While the law was effective November 1, this draft is still under review. It does, however, provide guidance about expectations about what companies must do under the law, including thresholds for needing a CAC assessment.