China’s cybersecurity watchdog is seeking public comments on a draft rule outlining a legal path for cross-border transfer of personal data.

Under the draft rule released Thursday by the Cyberspace Administration of China (CAC), qualified data processing entities could legitimately transfer personal data abroad by signing standard contracts with overseas recipients. Such contracts would embed terms in line with China’s data protection law, experts said.

Companies eligible to adopt this method should not be key information infrastructure operators, should collect data involving fewer than 1 million people, should have made overseas data transfers involving fewer than 100,000 people since the beginning of the previous year, and should have sensitive data on fewer than 10,000 people, according to the draft.

Wu Shenkuo, a law professor at Beijing Normal University, said companies must meet all four criteria to qualify to adopt the standard contracts for cross-border data transfer.

Entities collecting personal data would be responsible for assessing the legality, legitimacy and the need for the data before they sign contracts for data transfers, according to the draft rule. Companies also need to register with local cybersecurity regulators after the contracts take effect.

The context: The draft rule is part of Chinese regulators’ broader drive to strengthen oversight of the collection and use of personal data amid growing concerns over data security.

The draft is a supplement to the Personal Information Protection Law, which took effect Nov. 1, 2021. The law stipulated that companies facilitate overseas data transfers through three legal paths: signing standard contracts, having security reviews by regulators or obtaining data protection certification from designated institutions.

Compared with the two other methods, use of standard contracts is a more common practice globally and is more feasible for many companies, experts said.

Source: Caixin Global