China: Consultationed closed on CAC draft Measures for Security Assessment of Data Exports

On 28 November 2021, the public consultation on the draft Measures for Security Assessment of Data Exports closes. The draft Measures aim to enact provisions of the "Network Security Law", "Data Security Law", and "Personal Information Protection Law" to protect personal information, safeguard national security, and promote the free flow of cross-border data. Specifically, the draft Measures require a data transfer security assessment to be submitted to the Cyberspace Administration of China (CAC) by processors which transfer certain amounts or types of data abroad. Furthermore, the draft Measures stipulate the conditions and process for the security assessment, starting with a self-assessment. The actual security assessment, the process of which is also determined by the draft Measures, by the responsible department focuses on potential risks to national security, public interest, and individual rights as a result of the data export activities in question. The draft Measures also lay out the minimum conditions to be contained in the export agreement with the overseas recipient, including purpose, scope, location, and duration of data storage, as well as cybersecurity and remedial provisions. A positive assessment is valid for two years or until there are changes in the data processing and use practices of the processor or the level of data protection in the target jurisdiction.