The Office of the Privacy Commissioner for Personal Data (PCPD) notes that the Security Assessment Measures on Cross-border Transfers of Data (the Measures) promulgated by the Cyberspace Administration of China (CAC) come into operation today (1 September 2022).
The PCPD reminds local enterprises, such as banks, insurance companies and securities companies, which conduct businesses on the Mainland that if the conditions prescribed in the Measures are met, they may need to report their security assessments on cross-border transfers of data to the CAC in accordance with the relevant regulations.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “Where cross-border data transfers carried out before the effective date of the Measures do not conform with the provisions of the Measures, the relevant enterprises or organisations must take steps to rectify the situation within 6 months since the Measures take effect, namely, before 28 February 2023. Given that the CAC may take some time to process the reports, it is advisable that early steps be taken by data transferors to understand the provisions of the Measures and assess the impacts of the Measures on cross-border data transfers. They should also take timely follow-up actions and seek professional advice if necessary, so as to comply with the relevant requirements of the Measures.”
According to the Measures, data processors (including enterprises or organisations) which effect cross-border transfers of data shall, in any of the following situations, carry out their own security assessments and report such security assessments to the CAC through local cyberspace administration authorities at the provincial level:
- where the data processor transfers important data across the border;
- where the data processor which transfers personal information across the border is an operator of Critical Information Infrastructure;
- where the data processor which transfers personal information across the border processes personal information of over 1 million persons;
- where the data processor which transfers personal information across the border has cumulatively made outbound transfers of personal information of over 100,000 persons, or sensitive personal information of over 10,000 persons since 1 January of the preceding year; and
- in other situations as prescribed by the CAC where a report on security assessment is required.