Transfer data outside of China: New security review regulation companies should know

Share on facebook
Share on twitter
Share on linkedin
Share on reddit
Share on email

The Cyberspace Administration of China (CAC) released the draft Security Review Measures for Cross-Border Data Transfer (the Draft Security Review Measures) for public comments on 29 October 2021 – shortly before the effective date of the Personal Information Protection Law (PIPL), 1 November 2021.

The three pillars of China’s cyber security and data legislation – the Cyber Security Law (CSL, effective on 1 June 2017), the Data Security Law (DSL, effective on 1 September 2021), and the PIPL – all impose some restrictions on cross-border transfers of data and require governmental security reviews as a condition for transferring data overseas in certain situations.

The Draft Security Review Measures provide some clarity on the questions we discuss in this article.

Who needs to do a security review?

Operators of critical information infrastructures (CIIs); Any entity transferring “important data” outside China; Any personal information handler who processes personal information of 1 million individuals or more; Any entity that has, in aggregate, provided personal information of more

Read the article