Cyberspace Administration of China, Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas (Draft for Comments)

(2) details of the personal information, including the quantity, scope, type and degree of sensitivity of the personal information as well as whether the subject of the personal information consents to the transfer of his/her personal information overseas;

(3) details of the important data, including the quantity, scope, type and degree of sensitivity of the important data;

(4) the security protection measures, capabilities and level of the recipient of the data, as well as the cybersecurity environment of the country or region where the recipient is located;

(5) the risk of the data being leaked, damaged, altered or abused once it is transferred overseas and further transferred;

(6) the risk potentially posed to national security, the public interest or individuals' lawful interests once the data is transferred overseas and the data transferred overseas are aggregated; and

(7) other important matters that need to be assessed (Article 8).

If any of the circumstances set forth below applies to a transfer of data overseas, the network operator shall request that the competent industry authority or regulator arrange for the conduct of a security assessment:

(1) contain or cumulatively contain the personal information of at least 500,000 persons;

(2) the quantity of data exceeds 1,000GB;

(3) contain data on sectors such as nuclear facilities, chemical biology, national defense industry, population health, or data on large project activities, the marine environment or sensitive geological information;

(4) contain cybersecurity information, such as system vulnerabilities in, or security prevention of, critical information infrastructure;

(5) provision to foreign parties of personal information and important data by an operator of critical information infrastructure; or

(6) other data that could affect national security or the public interest and the competent industry authority or regulator deems the conduct of an assessment necessary.

Where the competent industry department or regulator is not clear, the assessment shall be arranged by the Cyberspace Administration of China (Article 9).

issued:2017-04-11

Issued: April 11 2017

Main contents: If personal information is to be transferred overseas, the objective, scope and content of the data to be transferred overseas, the recipient thereof and the country or region of the recipient shall be stated to the subject of the personal information and the consent of such subject shall be secured. If the personal information of a minor is to be transferred overseas, the consent of his/her guardian must be secured (Article 4).

In a security assessment of the transfer of data overseas, emphasis shall be placed on assessing the following:

(1) the necessity of the transfer of the data overseas;

(2) details of the personal information, including the quantity, scope, type and degree of sensitivity of the personal information as well as whether the subject of the personal information consents to the transfer of his/her personal information overseas;

(3) details of the important data, including the quantity, scope, type and degree of sensitivity of the important data;

(4) the security protection measures, capabilities and level of the recipient of the data, as well as the cybersecurity environment of the country or region where the recipient is located;

(5) the risk of the data being leaked, damaged, altered or abused once it is transferred overseas and further transferred;

(6) the risk potentially posed to national security, the public interest or individuals' lawful interests once the data is transferred overseas and the data transferred overseas are aggregated; and

(7) other important matters that need to be assessed (Article 8).

If any of the circumstances set forth below applies to a transfer of data overseas, the network operator shall request that the competent industry authority or regulator arrange for the conduct of a security assessment:

(1) contain or cumulatively contain the personal information of at least 500,000 persons;

(2) the quantity of data exceeds 1,000GB;

(3) contain data on sectors such as nuclear facilities, chemical biology, national defense industry, population health, or data on large project activities, the marine environment or sensitive geological information;

(4) contain cybersecurity information, such as system vulnerabilities in, or security prevention of, critical information infrastructure;

(5) provision to foreign parties of personal information and important data by an operator of critical information infrastructure; or

(6) other data that could affect national security or the public interest and the competent industry authority or regulator deems the conduct of an assessment necessary.

Where the competent industry department or regulator is not clear, the assessment shall be arranged by the Cyberspace Administration of China (Article 9).

issued:2017-04-11