international employment law firm alliance L&E Global
China

China Releases New Regulation on Cross-border Transfer of Data

Authors: Carol Zhu and Yinbing Chen

The Cyber Administration of China recently released the Regulation on Security Assessment for Cross-border Transfer of Data (“Regulation”), which has been formulated to further administrate cross-border data transfer activities and promote the free and secured flow of data. The Regulation has been viewed as an important supplement to PRC Data Security Law and PRC Cybersecurity Law. Specifically, the Regulation clarifies that (1) the applicable scenarios where data processors should declare security assessment for cross-border data transfer; (2) the key matters that data processors shall evaluate during their self-assessment prior to the official declaration; (3) the required materials for declaring security assessment; and (4) the incidents that will compel data processors to re-declare for security assessment. In addition, the Regulation stipulates that any violation will be penalised according to PRC Cybersecurity Law, PRC Data Security Law as well as PRC Personal Information Protection Law. The Regulation will come into effect as of 1 September 2022.

Key Action Points for Human Resources and In-house Counsel

The Cyber Administration of China recently released the Regulation on Security Assessment for Cross-border Transfer of Data (“Regulation”), which has been formulated to further administrate cross-border data transfer activities and promote the free and secured flow of data. The Regulation has been viewed as an important supplement to PRC Data Security Law and PRC Cybersecurity Law. Specifically, the Regulation clarifies that (1) the applicable scenarios where data processors should declare security assessment for cross-border data transfer; (2) the key matters that data processors shall evaluate during their self-assessment prior to the official declaration; (3) the required materials for declaring security assessment; and (4) the incidents that will compel data processors to re-declare for security assessment. In addition, the Regulation stipulates that any violation will be penalised according to PRC Cybersecurity Law, PRC Data Security Law as well as PRC Personal Information Protection Law. The Regulation will come into effect as of 1 September 2022.