Thinking Forward: Complying with Heightened Regulatory Requirements on Overseas Data Transfer

Summary

---

|

• The Draft Measures aim to standardize the overseas transfer of data from mainland China for the purpose of safeguarding personal information, national security, and public interest.
• It provides a criterion for data processors who are required to apply for assessment with CAC and the procedure for such assessment.
• Companies should actively seek counseling and create internal policies when dealing with heightened regulatory requirements on overseas data transfer.

On October 29, 2021, the Cyberspace Administration of China (the CAC) issued the Measures for the Security Assessment of Overseas Transfer of Data (Draft for Comments) (the Draft Measures) (数据出境安全评估办法（征求意见稿）), after two official drafts had been issued in 2017 and 2019 and after the promulgation of the Data Security Law (DSL) (数据安全法) and the Personal Information Protection Law (PIPL) (个人信息保护法) in 2021. The public has until November 28, 2021 to comment on the Draft Measures.

The Draft Measures incorporate the spirit of data security protection under the current regime established by the three pillars: (1) the Cybersecurity Law (网络安全法); (2) the PIPL; and (3) the DSL. In the Draft Measures, the CAC provides for scenarios, process and procedures for assessing overseas data transfer as a prerequisite prior to the transfer. It is noteworthy that the Draft Measures did not specifically touch upon contentious issues such as cross-border data transfer in relation to foreign legal proceedings and investigations as raised in Article 36 of the DSL, and we expect that detailed regulations on this issue will come into place soon.