Media Statements

The Office of the Privacy Commissioner for Personal Data (PCPD) notes that the Security Assessment Measures on Cross-border Transfers of Data (the Measures) promulgated by the Cyberspace Administration of China (CAC) come into operation today (1 September 2022). 

The PCPD reminds local enterprises, such as banks, insurance companies and securities companies, which conduct businesses on the Mainland that if the conditions prescribed in the Measures are met, they may need to report their security assessments on cross-border transfers of data to the CAC in accordance with the relevant regulations. 

The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “Where cross-border data transfers carried out before the effective date of the Measures do not conform with the provisions of the Measures, the relevant enterprises or organisations must take steps to rectify the situation within 6 months since the Measures take effect, namely, before 28 February 2023. Given that the CAC may take some time to process the reports, it is advisable that early steps be taken by data transferors to understand the provisions of the Measures and assess the impacts of the Measures on cross-border data transfers. They should also take timely follow-up actions and seek professional advice if necessary, so as to comply with the relevant requirements of the Measures.”

According to the Measures, data processors (including enterprises or organisations) which effect cross-border transfers of data shall, in any of the following situations, carry out their own security assessments and report such security assessments to the CAC through local cyberspace administration authorities at the provincial level:

• where the data processor transfers important data across the border;
• where the data processor which transfers personal information across the border is an operator of Critical Information Infrastructure;
• where the data processor which transfers personal information across the border processes personal information of over 1 million persons;
• where the data processor which transfers personal information across the border has cumulatively made outbound transfers of personal information of over 100,000 persons, or sensitive personal information of over 10,000 persons since 1 January of the preceding year; and
• in other situations as prescribed by the CAC where a report on security assessment is required.

The term “important data” in this context refers to any data which, if tampered, damaged, leaked, or illegally acquired or used, may endanger national security, the operation of the economy, social stability, public health and security, etc.

The self-assessment shall address, among others, the following key factors:

• the legality, propriety and necessity of (a) the cross-border transfer and (b) the purpose, scope and manner of processing of the data by the recipient outside the jurisdiction;
• the quantity, scope, category and sensitivity of the outbound data, and the risks that cross-border transfer of data might pose to national security, public interests, and the lawful rights and interests of individuals or organisations;
• whether the responsibilities and obligations undertaken by the recipient outside the jurisdiction and the management and technical measures and capabilities of such recipient to perform the aforesaid responsibilities and obligations can ensure the security of the outbound data;
• the risks of the outbound data suffering from alteration, destruction, leakage, loss, transfer, illegal acquisition or illegal use, etc., during and after the cross-border transfer, and whether or not channels are available to uphold personal information rights and interests, etc.;
• whether data security protection responsibilities and obligations are sufficiently stipulated in the contract, or other documents with legal effect, intended to be concluded with the recipient outside the jurisdiction regarding the cross-border data transfer; and
• other matters that may affect the security of the cross-border data transfer.

To help relevant enterprises or organisations understand the latest developments of the legal requirements on the Mainland with regard to cross-border transfers of personal information, the PCPD will organise a webinar on the subject. It has also updated its thematic webpage on the Personal Information Protection Law of the Mainland. The webpage includes a brief on the Measures (updates in English would be available soon):
https://www.pcpd.org.hk/english/data_privacy_law/mainland_law/mainland_law.html

Please click here for the full text of the Measures (Chinese only). The CAC has also uploaded its responses to media enquiries on the Measures, please click here (Chinese only).

Background Information

The Personal Information Protection Law of the Mainland provides that processors of personal information which need to transfer personal information across the border shall carry out their own personal information protection impact assessments, obtain separate consent from the individuals concerned, and meet the specified requirements, one of which is passing the security assessments made by the state cyberspace authorities. The Measures set out the more specific and stringent requirements regarding how to carry out the security assessments (including the matters to consider, the procedure and timeframe, etc.)

The Measures were drafted with reference to relevant laws including the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law of the Mainland, for the purposes of regulating cross-border data transfers, protecting the rights and interests regarding personal information, upholding national security and society’s public interest, and facilitating the safe and free flow of data across the border.

 
－End－