China publishes detailed draft rules on cross-border data transfers
One key element of the proposed Measures on the Security Assessment of Cross-border Transfer of Personal Information and Important Data (“Proposed Rules”), the two drafts of which are intended to implement the Cyber Security Law’s new regime on cross-border data transfers, is the requirement for security assessment of transfers of personal information and important data outside the PRC.
On 27 May 2017, the Technical Committee for Standardisation of National Information Security Standards published draft guidelines for the conduct of these security assessments (“Draft”).
The Draft’s main purpose is to set out the detailed factors which businesses need to weigh up when making transfers of personal information and important data outside the PRC. Though not mandatory, the Draft merits detailed consideration by businesses, as it is a clear indication of how the authorities view the Proposed Rules in practice. In this alert, we consider the key aspects of the Draft’s proposed methodology and its practical implications.