Introduction

The Cyberspace Administration of China (“CAC”) on October 29, 2021, distributed the draft Measures on Security Assessment of Cross-Border Data Transfer (“Draft Measures”) for input through November 28, 2021. The Draft Measures are defined dependent on the Cybersecurity Law(“CSL”), Data Security Law (“DSL”), Personal Information Protection Law (“PIPL”) and related guidelines. Before the Draft Measures were distributed, a few draft measures and public norms had effectively centred around controlling cross-border information transfer. The Draft Measures, once officially declared, are probably going to supplant these recently distributed draft gauges and may set the establishment for extra public principles in such a manner.

What is the scope and application of this draft?

When finalised, the Draft Measures would apply to cross border movement of individual data and “significant information” gathered and produced in China in specific situations.

Data Controllers will be mandatorily required to take security assessments by the CAC under the following circumstances:

• Transfer of personal information and important data collected and generated by Critical Information Infrastructure (CII) operators.
• Transfer of important data. 
• Transfer of personal information by data controllers who process over a million individuals’ personal information. 
• Cumulatively transferring personal information of more than 1 lakh or “sensitive” personal information of more than 10,000 individuals. 
• Any other requirements as specified by the CAC. 

What are the various types of Security Assessments prescribed?

1. Self-Security Assessment

A data controller on whom the mandatory security assessment will be applicable is required to conduct a self-security assessment and check the following requirements:

• The legality and necessity of the proposed cross border data transfer. 
• The sensitivity of the data that is being transferred and whether it poses any potential threats to national security. 
• Whether the management and the technical measures will ensure the safety of the  data that is transferred outside of China. 
• The risk assessment of data leakage, corruption and how individuals may defend their rights. 
• Weather data transfer allocated relevant responsibilities for data protection. 

2. Mandatory Security Assessment

Information controllers would have to present specific materials regarding a compulsory security appraisal, including an application structure, the information overseer’s self-security evaluation, and the pertinent information move to understand. In assessing an information overseer’s obligatory security appraisal, the CAC would zero in on:

• The legality and necessity of the proposed cross border data transfer. 
• Weather data transfer allocated relevant responsibilities for data protection. 
• Compliance with Chinese laws. 
• Any other matters stated to be necessary by the CAC.

CAC led security assessment of cross-border data transfer

• The Draft Measures require information processors to direct a security appraisal prior to moving abroad “significant data” and individual data (“PI”) gathered and delivered in China (Article 2). The security appraisal for processors of significant information or PI might involve both an inside hazard evaluation and an administration-driven security appraisal (Article 3), as clarified underneath. 

“Abroad” seems to allude to topography rather than ethnicity, so moving to unfamiliar people or unfamiliar put ventures in China would not establish an abroad exchange, essentially without information that the transferee planned to move such information or data abroad.

• Article 4 of the Draft Measures forces a CAC-drove security evaluation necessity dependent on the sort of information processor (a. Basic Information Infrastructure Operator (“CIIO”), b. gigantic PI processor, or c. different information processor) and the kind of information (I. significant information, or ii. PI meeting any of a few quantitative edges). The Draft Measures interestingly explain the limit for assignment as a gigantic PI processor (PI processor which processes PI of at least 1,000,000 people) and the edge for PI subject to security evaluation (cross-line move of PI of at least 100,000 people or delicate PI of at least 10,000 people). These limits are not high in a nation as crowded as China.
• CIIOs and enormous PI processors are needed to apply for a CAC-drove security appraisal at whatever point they move abroad significant information or PI (no limit necessity). Information processors other than CIIOs and enormous PI processors need to apply for such security appraisal just while moving abroad significant information or PI meeting a quantitative limit, and don’t have to do as such while moving abroad PI that doesn’t meet the applicable edge. Such different information processors don’t have to apply for a security evaluation while moving abroad information that isn’t significant information or PI, except if such exchange would somehow embroil public safety or the public interest.

Conclusion

The Draft Measures interestingly explain the limits for the sorts of information processors and kinds of information that are liable to cross-line security evaluation and set up a course of events for the public authority audit. While the Draft Measures give explanations about topics and timetables, the inclination is against abroad exchange and the technique and length of government survey might end up being troublesome. The draft will be available to the public for comment until the end of November 2021 and after that, it will be finalised or modified accordingly.