China’s CAC publishes guidance on cross-border data transfers, including draft standard contractual clauses and regulatory guidance on certification and security assessment.
Key Points:
..Security Assessment: Effective September 1, 2022, personal information processors (PI Processors) under the Personal Information Protection Law (PIPL) must file for a Security Assessment with the Cyberspace Administration of China (CAC) if any of the following circumstances apply: (i) important data will be transferred; (ii) personal information will be transferred by a critical information infrastructure operator (CIIO) or a PI Processor who processes personal information of more than 1 million individuals; or (iii) in each case, the personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals will be cumulatively transferred since January 1 of the previous year.
..Certification: A PI Processor may obtain a personal information security certification from agencies designated by the CAC. According to the certification specification, the certification is suitable for (i) intra-group data transfers, similar to the Binding Corporate Rules under the General Data Protection Regulation (GDPR); and (ii) cross-border data transfers by foreign PI Processors subject to the PIPL’s extraterritorial reach.
..Draft China SCCs: A draft of the China standard contractual clauses (China SCCs), a template contract for cross-border data transfers (similar to the EU standard contractual clauses under the GDPR), were released for public consultation. The China SCCs are intended for adoption for cross-border transfers of personal information, except those transfers subject to the Security Assessment.
Please see full publication below for more information.