China: Opened consultation on Administrative Measures for Personal Information Protection Compliance Audit including cross-border data transfer measures

On 3 August 2023, the Cyberspace Administration of China (CAC) opened a consultation on the draft Administrative Measures for Personal Information Protection Compliance Audit until 2 September 2023. According to the Measures, service providers processing personal information on more than 1 million people, and providers who have processed the personal information of 100,000 people or sensitive personal information of 10,000 people overseas during the previous year, must undergo security assessments by the CAC. In addition, transfers of personal data overseas to foreign judicial or law enforcement agencies require approval from Chinese authorities. Any data transfers may only occur after the processor has ensured recipients meet China's personal information protection standards, by assessing the recipient's data protection capabilities, informing them of China's requirements, and signing agreements requiring protection measures. Organisations should also regularly check that overseas recipients are processing the data according to agreements and urge them to fulfil protection obligations.