CAC Circulates New Draft Rules on Cross-border Data Transfers
On 29 October 2021, the CAC circulated for public comment the Measures on Security Assessments of Cross-border Transfers of Data (Draft to Solicit Comments). The draft measures would partially flesh out the data localisation rules under the Cybersecurity Law, DSL and PIPL by establishing the thresholds and procedures for undertaking data export security assessments. The deadline for submitting comments to the CAC was 28 November 2021.
In the November edition of GC Agenda China (subscription required), Morrison & Foerster partner Paul McKenzie commented on the measures: “Among the many remaining uncertainties associated with the PIPL and the DSL, what specific restrictions and formalities will apply to exports of personal information and other data is probably causing greatest concern among international businesses. Release of these draft rules is helpful as companies try to anticipate how profoundly data export restrictions will impact their business. The rules provide valuable clues as to how the formal CAC security assessment process will work when a formal security assessment is required. But the threshold issue of when a formal security assessment will be required seems still uncertain. Doubtless many of the comments CAC received on the draft rules in the consultation process advocated for clearer (and higher) thresholds. With that process just concluded, companies may not need to wait long for the release of updated draft rules or promulgation of final rules.”