China Security Measures for Data Transfer

The need to conduct a security assessment before transferring “important data” and certain amounts of personal data has been previously mentioned in China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law. This set of draft Measures, for the first time, provides some details on the specifics of these assessments.

According to the draft Measures, any “data processor” that processes over 1 million people’s personal data, or that wishes to transfer abroad personal information of over 100,000 people, or sensitive personal information of over 10,000 people, will be subject to security review by the national cybersecurity authority before it can transfer data abroad.  Data considered “important” and collected/generated by “critical information infrastructure operators” will also be subject to assessments.

Given the vast amount of data being collected and processed by today’s businesses, industry contacts widely believe the threshold of data that triggers the security assessment to be too low. Moreover, they view the two-year validity period for each security assessment as too short. If finalized as drafted, to comply with the draft Measures, both local and foreign companies, especially multi-national companies that routinely transfer data between locations, will need to expend significant resources on compliance. 

For more information, please contact office.beijing@trade.gov.