A second major problem for multi-nationals operating in China lies in the requirement in both the Cybersecurity Law and the Measures that a security assessment be conducted before personal data is transferred out of the country. This assessment can be conducted internally, unless one of a number of conditions exists, such as with data transfers that involve more than 500,000 individuals or more than one terabyte of data; that relate to critical and sensitive facilities or infrastructure; or that impact the country’s national security or public interest. Should one of these conditions apply, the security assessment would need to be carried out by an industry regulator.
The draft measures, issued for public comment until May 11, contain many ambiguous terms and are subject to revision as a result of the public consultation. Hogan Lovells has prepared a detailed analysis of the measures, available here, while an English translation released by Hunton & Williams may be found here. The high-level brevity of the measures, considering their potentially profound impact upon businesses operating in China, is striking.