Cyberspace Administration of China, Measures for Security Assessments of the Transfer of Personal Information Overseas (Draft for Comments)
国家互联网信息办公室个人信息出境安全评估办法 (征求意见稿)
June 27, 2019 | BY
Susan MokA change in the legal environment of the personal data receiving country will trigger a new security assessment
Issued: June 13, 2019
Main contents: If a network operator is to transfer overseas personal information collected in the course of its operations in the People's Republic of China (Transfer Personal Information Overseas), it shall carry out a security assessment in accordance herewith. If it is determined through a security assessment that Transferring the Personal Information Overseas could have an impact on national security or prejudice the public interest, or that the security of the personal information cannot be effectively ensured, the information may not be transferred overseas (Article 2).
The contract or other legally effective document (hereinafter collectively referred to as a “Contract”) executed by the network operator and personal information receiver shall specify:
(1) the purpose for Transferring the Personal Information Overseas, the type of information and the term of preservation;
(2) that the personal information subjects are the beneficiaries of the terms in the Contract concerning the rights and interests of personal information subjects;
(3) that in the event that the lawful rights and interests of a personal information subject are prejudiced, he/she may himself/herself lodge a claim or appoint an agent to lodge a claim against the network operator, the receiver or both of them, and the network operator or receiver shall compensate him/her unless it proves that it is not liable;
(4) that if a change in the legal environment of the country where the receiver is located occurs, making performance of the Contract impossible, the Contract shall be terminated or a new security assessment shall be carried out; and
(5) that the termination of the Contract may not exempt the responsibilities and obligations of the network operator and receiver as specified in the terms of the Contract concerning the lawful rights and interests of the personal information subjects, unless the receiver has destroyed the personal information it has received or anonymized the same (Article 13).
| issued: 2019-06-13This premium content is reserved for
China Law & Practice Subscribers.
A Premium Subscription Provides:
- A database of over 3,000 essential documents including key PRC legislation translated into English
- A choice of newsletters to alert you to changes affecting your business including sector specific updates
- Premium access to the mobile optimized site for timely analysis that guides you through China's ever-changing business environment
Already a subscriber? Log In Now