
Draft measures on Security Assessment of Cross Border Data Transfer in China

Article by Tsaaro


Introduction

On October 29, 2021, the Cyberspace Administration of China (“CAC”) released the draft Measures on Security Assessment of Cross-Border Data Transfer (“Draft Measures”) for public comment through November 28, 2021. The Draft Measures are formulated on the basis of the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”), the Personal Information Protection Law (“PIPL”) and related regulations. Before the Draft Measures were released, several draft measures and national standards had already focused on regulating cross-border data transfer. Once officially promulgated, the Draft Measures are likely to supersede those earlier draft measures and may lay the foundation for additional national standards in this area.

What is the scope and application of this draft?

When finalised, the Draft Measures would apply to cross-border transfers of personal information and “important data” collected and generated in China in certain circumstances.

Data controllers will be required to undergo a security assessment by the CAC in the following circumstances:

  • Transfer of personal information and important data collected and generated by Critical Information Infrastructure (CII) operators.
  • Transfer of important data. 
  • Transfer of personal information by data controllers who process over a million individuals’ personal information. 
  • Cumulatively transferring personal information of more than 1 lakh or “sensitive” personal information of more than 10,000 individuals. 
  • Any other requirements as specified by the CAC. 

What are the various types of Security Assessments prescribed?

  1. Self-Security Assessment

A data controller that is subject to the mandatory security assessment is required to conduct a self-security assessment covering the following:

  • The legality and necessity of the proposed cross border data transfer. 
  • The sensitivity of the data that is being transferred and whether it poses any potential threats to national security. 
  • Whether the management and technical measures will ensure the safety of the data that is transferred outside of China.
  • The risk of data leakage or corruption, and how individuals may defend their rights.
  • Whether the data transfer allocates relevant responsibilities for data protection.

  2. Mandatory Security Assessment

Data controllers would have to submit specific materials for a mandatory security assessment, including an application form, the data controller’s self-security assessment, and the relevant data transfer agreement. In reviewing a data controller’s mandatory security assessment, the CAC would focus on:

  • The legality and necessity of the proposed cross border data transfer. 
  • Whether the data transfer allocates relevant responsibilities for data protection.
  • Compliance with Chinese laws. 
  • Any other matters stated to be necessary by the CAC.

CAC-led security assessment of cross-border data transfer

  • The Draft Measures require data processors to conduct a security assessment before transferring abroad “important data” and personal information (“PI”) collected and generated in China (Article 2). The security assessment for processors of important data or PI may involve both an internal risk assessment and a government-led security assessment (Article 3), as explained below.

“Abroad” appears to refer to geography rather than nationality, so a transfer to foreign individuals or foreign-invested enterprises in China would not constitute an overseas transfer, at least absent knowledge that the transferee intended to move such data or information abroad.

  • Article 4 of the Draft Measures imposes a CAC-led security assessment requirement based on the type of data processor (a. Critical Information Infrastructure Operator (“CIIO”), b. large-scale PI processor, or c. other data processor) and the type of data (i. important data, or ii. PI meeting any of several quantitative thresholds). The Draft Measures for the first time clarify the threshold for designation as a large-scale PI processor (a PI processor that processes the PI of at least 1,000,000 people) and the threshold for PI subject to security assessment (cross-border transfer of the PI of at least 100,000 people or sensitive PI of at least 10,000 people). These thresholds are not high in a country as populous as China.
  • CIIOs and large-scale PI processors are required to apply for a CAC-led security assessment whenever they transfer important data or PI abroad (no threshold requirement). Data processors other than CIIOs and large-scale PI processors need to apply for such a security assessment only when transferring abroad important data or PI that meets a quantitative threshold, and do not need to do so when transferring abroad PI that does not meet the applicable threshold. Such other data processors do not need to apply for a security assessment when transferring abroad data that is neither important data nor PI, unless the transfer would otherwise implicate national security or the public interest.

Conclusion

The Draft Measures for the first time clarify the thresholds for the types of data processors and types of data that are subject to cross-border security assessment, and set out a timeline for the government review. While the Draft Measures provide clarification on subject matter and timelines, the bias is against overseas transfer, and the procedure and duration of the government review may prove burdensome. The draft will be open for public comment until the end of November 2021, after which it will be finalised or modified accordingly.
