China Takes Steps Towards New Security Measures for Data Transfers

    May 08, 2017

    As reported on, in April the Cyberspace Administration of China published a draft of its proposed Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data. The document offers guidance on how “security assessments” would be carried out. Such assessments were mandated in the Cybersecurity Law of China, passed in November, which requires entities to perform them before transmitting critical data or personal information to a destination outside of China.

    The draft extends the data localization requirement from “operators of key information infrastructure” to all “network operators.” The definition of “network operator” remains consistent with the definition given under the Cybersecurity Law, which refers to an owner or an administrator of a computerized information network system, or a network service provider. In other words, all  “network operators” must store, within China, personal information and critical data they collect or generate in the course of operating their business in China and undergo a security assessment if they have a business need to transmit data outside of China.

    So far, the draft has only been published for comment and does not necessarily reflect a final regulation, but it does represent a real possibility of what the final regulation may require.

    The draft has divided the security assessment into two types, self-assessments and assessments conducted by the competent authority. The assessment would focus on (1) the necessity of the outbound transfer; (2) the quantity, scope, type, and sensitivity of the personal information and critical data to be transferred; (3) the security measures and capabilities of the data recipient, as well as the cybersecurity environment of the nation where the data recipient is resident; (4) the risk of leakage, damage, or abuse of the data after the outbound transfer; and (5) possible risks to the national security, public interests, and individual’s legal rights that are involved in the outbound data transfer and data aggregation.

    The online Global Policy Brief is intended to help you stay current on international news and events. Further information about the issue is accessed by clicking on the link provided at the end of each summary.

    Want to sign up to receive an email version of the Global Policy Brief? It's free! Just tell us a little about yourself and you'll receive a monthly dose of the latest in legislation, regulation, and more.

    © 2017, ARMA International