New Legal Framework for Cross-border Data Transfer in China
7 December 2021
With the coming into force of the Personal Information Protection Law on 1 November 2021, the People’s Republic of China (“China”) has established three pillars for the country’s regulatory system on data protection, namely, the Personal Information Protection Law, the Cybersecurity Law, which took effect on 1 June 2017, and the Data Security Law which took effect on 1 September 2021.
The relevant authorities are also proactively drafting regulations to ease the implementation of these three laws. For example, the Cyberspace Administration of China (“CAC”) issued a draft revision of the Measures for Cybersecurity Review for comments, despite the Measures having only been in force for a year. It is uncommon to revise a regulation so soon after it has taken effect, but the ground-breaking changes implemented to China’s data compliance regime has necessitated this revision. The CAC has also released a draft of the Measures on Security Assessments for Cross-border Data Transfer for comment that specifically focuses on security assessments, which are referred to in both the Cybersecurity Law and the Personal Information Protection Law, of the cross-border transfer of all kinds of data.
This article provides an overview of the new cross-border data transfer regime set out in these laws and recent draft regulations. These laws and regulations have attracted great concern from both local and international players.
To read this article, please click here.