News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | What you need to know about China's new draft measures on cross-border data transfers Related reading: Chinese regulator says apps are collecting excessive personal data

rss_feed

""

""

Recently, the Cyberspace Administration of China released new draft "Measures on Security Assessment on Cross-border Transfer of Personal Data" for public consultation. The June 13 release presents another approach to cross-border data transfer under the China Cyber Security Law. These CAC New Draft Measures superseded the previous efforts of CAC on cross-border data transfer, i.e., CAC’s draft "Measures on Security Assessment on Cross-border Transfer of Personal Data and Important Data" and the draft "Guidelines on Security Assessment for Cross-border Data Transfer," both of which were released for public consultation in 2017.

It's not unusual that certain ministry-level measures can be passed within a short period of time and leave a short grace period (as short as only a month) for companies to comply with. As such, it's worth considering planning certain actions to reduce unnecessary pressure to meet the compliance deadlines once the new rules are adopted

August 20, China started to implement its pilot policy on cross-border data transfer in Lin Gang Zone located in the Shanghai Pilot Free Trade Zone. The pilot policy briefly mentions the implementation of security assessments for cross-border data transfer, setting up information security maturity models and the filing of the cross-border data transfer for certain sectors such as integrated circuit, artificial intelligence and life sciences and pharmaceutical, and for multinational companies that register their headquarters in the new zone. It is not clear for now how Chinese authorities intend to implement rules for facilitating the cross-border data transfer in this particular free trade zone as a pilot program for the purpose of attracting foreign investors.   

New approach to cross-border transfer of personal data

The new CAC draft measures require all network operator’s cross-border transfer of personal data to go through a security assessment to be conducted by a provincial branch of CAC. The cross-border transfer of personal data is prohibited if the security assessment concludes that such cross-border data transfer is likely to impact national security or public interest or impact the effective protection of personal data. This is the significant change in approach because, in the 2017 CAC draft measures, CAC positioned themselves as coordinator for various sectoral regulators that were proposed to undertake the specific security assessment. Previously, the security assessment was in general proposed as self-assessment unless the involvement of sectoral regulators in such security assessment becomes necessary in certain prescribed circumstances. When cross-border transferring to different data receivers, each transfer warrants a security assessment, whereas transferring to the same data receiver in multiple batches or continuously does not require repeating the security assessment. The security assessment shall be revisited every two years or when the purposes or data categories in the cross-border data transfer or the period of data retention by the data receiver change.

Another notable change is that the CAC new draft measures do not address cross-border transfer of important data, which is separately addressed in draft "Measures on Administration of Data Security," released by CAC for public consultation May 28, 2019. In the draft data security measures, CAC proposed that the collection of important data shall be filed with the sectoral regulators (or the provincial branch of CAC in the event that there is no specific sectoral regulator) and cross-border transfer of important data is subject to the pre-approval of CAC. And yet, the key question remains: What is important data? CAC is drafting a guideline on how to identify important data, which is highly expected.  

Cross-border data transfer can be a one-off activity, such as copying personal data and/or important data in the thumb drive and courier to an overseas data receiver, or a continuing transfer, such as granting a user outside Mainland China remote access to an information system that is used and hosted in China. 

Areas of assessment

The focus of security assessment also changed in the CAC new draft measures. In them, a self-assessment of the potential risks and the security measures in relation to the cross-border transfer of personal data is required, as well as the cross-border data transfer agreement between the domestic network operator and the overseas data receiver.

CAC’s clear stance on extraterritorial application of the CSL?

CAC proposed to make its stance clear on the extra-territorial application of the CSL in the new draft measures. In them, it states foreign companies that collect personal data of data subjects in China via the internet are required to appoint representatives in China to perform the obligations and responsibility of a network operator. It is not clear yet whether such remote collection of personal data outside China needs to first meet the targeting criteria, such as Article 3(2) of the EU General Data Protection Regulation. A similar attempt was made in the 2017 draft measures and the 2017 draft guidelines, where the “domestic operation” was extended to include any remote provision of products and/or services to data subjects in China as long as such company targets the data subjects in China (the targeting criteria was proposed to include use of Chinese, use of RMB as payment, or arrangement of domestic logistic services, etc.).

Alternative proposal from industry 

Many representatives of various industries in China proposed an alternative proposal for cross-border data transfer, i.e., a filing system of cross-border data transfer coupled with random sampling and inspection from time to time. Some suggested adding a list of exemptions for cross-border data transfer, such as cross-border data transfer that is initiated by the data subject or that is for the purpose of performing the legal obligations under Chinese laws, the personal data that has been made public by the data subject voluntarily.

Plan for imminent changes

Many changes, such as change of system provider (e.g., customer relationship management, human relations system, or "know your customer" system for banks, cloud services) with backup hosted outside China need to be planned ahead, and these imminent local nuances in China must be embraced.

A cross-border data transfer agreement will be inevitable in China

The new draft measures seem to favor the approach of having a contractual arrangement to ensure the overseas data receiver must protect the personal data and facilitate the exercise of data subject rights. Some mandatory clauses have been proposed for such cross-border data transfer agreements, such as that the network operator in China shall first compensate the data subject in the event of infringement of the right to data protection by the overseas data receiver, unless the network operator can prove that it is not at fault. Companies shall avoid directly using standard contractual clauses under the GDPR without further tailoring for China.

Self-assessment can be prepared in advance either for submission as part of the security assessment or as documentation of compliance

While the rules may take time to finalize, the obligation to protect the personal data regardless of the data processing in China or outside China is provided in Article 42 of China's cybersecurity law. Given this, the network operators in China have to address the change of control and the difference in the level of protection of personal data when transferring personal data outside China.

Reconciliation with sectoral rules is important 

While the CAC proposed to take over the security assessment in its new draft measures, there are many sectoral rules that are currently in effect stipulating the pre-approval for collection, processing and cross-border transfer of certain data categories. There have been long-standing data localization requirements for personal financial information that is collected by banks in China, surveying data (i.e., ground data) and personal health data that is collected by medical institutions in China. For example, recently China also revised and passed the Regulation on Administration of Human Genetic Resources, which regulates the collection, processing and cross-border transfer of human genetic resources (including human samples and genetic data).

While it is not yet clear how the CAC will reconcile with the sectoral regulators’ security assessment or whether CAC will set up an interoperability mechanism to recognize the sectoral regulators’ security assessment, it is beneficial to check with sectoral regulators to pre-empt their questions in the process of conducting self-assessment. 

Photo by Hanson Lu on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Gil Zhang, CIPP/A, CIPP/E, CIPM, FIP IAPP Member Contributor
Headshot Kate Yin Nonmember Contributor
Tags
Asia-Pacific
Privacy Law
Privacy Operations Management
Security Operations Management
Transborder Data Flow
Comments

If you want to comment on this post, you need to login.

Related Stories
China's biggest private sector company embraces data
Ping An, China’s second-largest insurer and the country’s largest private sector company by revenue, now spans finance, health care, autos, real estate and smart cities and relies on a team of artificial intelligence experts and data scientists as much as it does insurance managers. Pin An Deputy CE...
Read More queue Save This
Related Stories
Tags
Asia-Pacific
Privacy Law
Privacy Operations Management
Security Operations Management
Transborder Data Flow
Recent Comments