The Cyberspace Administration of China (CAC) published new draft guidelines for the cross-border transfer of data for public comment. The draft guidelines impose a comprehensive security review obligation on companies that: (1) process personal data of over a million data subjects; (2) process personal data collected or generated by the operators of “critical information infrastructure”; (3) transfer important data; or (4) transfer personal data of more than 100,000 data subjects, or sensitive personal data of more than 10,000 data subjects.
As part of the security review, companies are required to examine, among other things, the necessity and legality of the data transfer, the scope, type and sensitivity of the transferred data, and the potential risk for data leakage, damage, corruption, loss or misuse of data.
The draft guidelines further require companies to enter into a data transfer agreement with the data recipient. The agreement should address, inter alia, the purpose, method and scope of the cross-border transfer, the location in which the data will be retained and the retention period, restrictions on further transfer of the data, and the security measures that the data recipient should implement.
The draft guidelines are intended to complete the provisions of China’s Personal Information Protection Law, which became effective November 1st.