The Cyberspace Administration of China (CAC) issued Draft Measures for public comment on April 11 on Security Assessment for Cross-border Transmission of Personal Information and Critical Data (the Draft Measures). The Draft Measures provide further clarification surrounding the “localization” requirement and the transmission limitation on personal information and critical data that was adopted in Article 37 of the Network Security Law. In addition, the Draft Measures propose a new mechanism to guide critical information infrastructure operators (CII operators) should they have a valid business need to transmit personal information and data outside of China.
While the definitions of “Data Transmission to Overseas” and “Critical Data” are consistent with the Network Security Act, the Draft Measures’ existing definitions do not specify whether “located out of China” applies virtually, as well as physically.
Notably, the scope of the localization requirement and transmission ban are essentially extended to all internet operators, individuals and organizations. While the Network Security Law sets restrictions on CII operators, articles 2 and 16 of the Draft Measures support subjecting all entities and individuals to the requirement that personal information and critical data gathered in China should be stored in China, as well as requiring that a security assessment is conducted before such data is transmitted out of China for business need.
It is also proposed under Article 7 of the Draft Measures that all internet operators be obliged to conduct a self-evaluation to assess the safety of its data prior to any overseas transfer, with Article 8 providing guidance on the evaluation criteria. If the criteria is not met, Article 9 requires the self-evaluation to be escalated to an assessment by a regulator.
Also notable is the circumstances identified that warrant the general prohibition of transmitting data overseas, which include: transmitting personal information and data without informed consent; transmitting data that will expose the state to political, economic, science and defense risks; and any transmission prohibited by CAC, Public Security, National Security Agencies or other agencies. In addition, Article 15 of the Draft Measures hints at the possibility for a diplomatic approach to handle data transmission through the arrangement of bilateral or regional treaties.