On 11 April 2017, China’s Cyberspace Administration (CAC) published the draft of a new regulation called Measures for the Security Review of Cross-Border Transfers of Individual and Important Data (chin. 个人信息和重要数据出境安全评估办法).
The draft is based on the new Cyber Security Law and China’s National Security Law, which were passed in 2016 and 2015 respectively. It forms the legal basis for a security assessment for data transfers out of China by internet operators. These include internet providers, administrators and online service providers (Art. 17).
Art. 9 of the draft states that a security review is mandatory for data transfers meeting the following conditions:
The following data must not leave China (Art. 10):
According to the current text, the operators are required to conduct their own security review at least once a year (Art. 12). The assessment report should include the following information (Art. 8):
If the assessment is mandatory (see Art. 9), the assessment has to be submitted to the relevant industry or control agencies, which have to deliver their feedback within 60 working days (Art. 10).
When: Tuesday, 18 April 2017 Time 7:30...
When: Tuesday, 20 April 2017 Time 5 pm...
When: Wednesday, 22 March 2017...
When: Monday, 17 March 2017 Time 9 am...