On April 11, 2017, the Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Draft Measures”) for public comment (official Chinese version available here).  The comment period ends on May 11, 2017.

The issuance of the long-anticipated Draft Measures is another critical step toward implementing China’s Cybersecurity Law (“the Law”), which is set to take effect on June 1, 2017 (see our alert on the Law here).  Importantly, the Draft Measures, if enacted in its current form, would mandate all “network operators” to self-assess the security of their cross-border data transfers and significantly broaden the scope of entities that potentially need to undergo security assessments for such transfers by the Chinese government.  Companies that fall into the scope of “network operators,” but may not qualify for “operators of Critical Information Infrastructure” (“CII”), could see their cross-border data transfers regulated under the Draft Measures.  

Given the potentially sweeping coverage of the Draft Measures, companies seeking to transfer Chinese citizens’ personal information and “important data” outside of China should consider taking steps to proactively self-assess their cross-border data flows and be prepared for the government’s security assessment, if the Draft Measures are enacted as they are drafted now.  Please let us know if you are interested in an unofficial translation of the Draft Measures, our analysis of them, or filing comments.