China Issues Draft Measures to Restrict the Overseas Transmission of Personal Data

Gail Crawford, Wei-Chun (Lex) Kuo, Xuechu (Sean) Wu, Hui Xu
Latham & Watkins LLP
Contact
LinkedIn
Facebook
X
Send
Embed

The Cyberspace Administration of China (CAC) issued Draft Measures for public comment on April 11 on Security Assessment for Cross-border Transmission of Personal Information and Critical Data (the Draft Measures). The Draft Measures provide further clarification surrounding the “localization” requirement and the transmission limitation on personal information and critical data that was adopted in Article 37 of the Network Security Law. In addition, the Draft Measures propose a new mechanism to guide critical information infrastructure operators (CII operators) should they have a valid business need to transmit personal information and data outside of China.

While the definitions of “Data Transmission to Overseas” and “Critical Data” are consistent with the Network Security Act, the Draft Measures’ existing definitions do not specify whether “located out of China” applies virtually, as well as physically.

Notably, the scope of the localization requirement and transmission ban are essentially extended to all internet operators, individuals and organizations. While the Network Security Law sets restrictions on CII operators, articles 2 and 16 of the Draft Measures support subjecting all entities and individuals to the requirement that personal information and critical data gathered in China should be stored in China, as well as requiring that a security assessment is conducted before such data is transmitted out of China for business need.

It is also proposed under Article 7 of the Draft Measures that all internet operators be obliged to conduct a self-evaluation to assess the safety of its data prior to any overseas transfer, with Article 8 providing guidance on the evaluation criteria. If the criteria is not met, Article 9 requires the self-evaluation to be escalated to an assessment by a regulator.

Also notable is the circumstances identified that warrant the general prohibition of transmitting data overseas, which include: transmitting personal information and data without informed consent; transmitting data that will expose the state to political, economic, science and defense risks; and any transmission prohibited by CAC, Public Security, National Security Agencies or other agencies. In addition, Article 15 of the Draft Measures hints at the possibility for a diplomatic approach to handle data transmission through the arrangement of bilateral or regional treaties.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising

Written by:

Latham & Watkins LLP
Latham & Watkins LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Latham & Watkins LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide