On 14 November 2021, the consultation for the Draft Regulations on the Administration of Network Data Security opened. The draft is intended to implement and further specify the details of (i) the Cybersecurity Law, (ii) the Data Security Law and (iii) the Personal Information Protection Law (PIPL). Under the draft, data shall be classified into the categories of (a) general data, (b) important data and (c) core data.

Chapter 5 of the draft is devoted to "data cross-border security management", which includes data transfer requirements. Art. 35 of the draft requires that one of the following four conditions is met: (1) the data export security assessment by the national cybersecurity department has been passed; (2) both the data processor and the data recipient have passed the personal information protection certification conducted by a professional organization recognized by the national cybersecurity department; (3) a contract has been entered into with the overseas data recipient in accordance with the provisions on standard contracts formulated by the national cybersecurity department, stipulating the rights and obligations of both parties; or (4) other conditions stipulated by laws are met.

Furthermore, a data processor who intends to provide personal information outside the People's Republic of China shall inform the individual of the name, contact information, processing purpose, processing method, type of personal information and the individual's exercise to the overseas data recipient. Additionally, the individual's consent shall be obtained (see Art. 36).

If a data processor falls under certain categories, it must also pass the data exit security assessment organized by the cybersecurity and informatization department (Art. 37). These categories include (i) data containing "important data"; (ii) critical information infrastructure operators and data processors that process the personal information of more than one million people; and (iii) other circumstances stipulated by the national network information department. Art. 39 sets out further obligations for data processors providing data overseas.

The consultation closes on 13 December 2021.