On 14 November 2021, the Draft Regulations on the Administration of Network Data Security have been introduced. The draft in question is intended to implement and further specify the details of the (i) Cybersecurity Law, (ii) Data Security Law and the (iii) Personal Information Protection Law (PIPL). As the draft provides, data shall be classified and thus fall under the categories of (a) general data, (b) important data and (c) core data. Chapter 5 of the draft is devoted to the "data cross-border security management", which includes data transfer requirements. Art. 35 of the draft requires that one of the four conditions for cross-border data transfers is met. Furthermore, a data processor, who intends to provide personal information outside the People's Republic of China, shall inform the individual of the name, contact information, processing purpose, processing method, type of personal information and the individual's exercise to the overseas data recipient. Additionally, the individual's consent shall be obtained (see Art. 36). Additionally, in case a data processor falls under certain categories, it shall pass the data exit security assessment organized by the cybersecurity and informatization department (Art. 37). These mentioned categories include (i) data containing "important data"; (ii) critical information infrastructure operators and data processors that process the personal information of more than one million people; and (iii) in other circumstances stipulated by the national network information department. Art. 39 consists of further obligations for data processors providing data overseas.
Original source