On July 7, 2022, the Cyberspace Affairs Commission (“CAC”) of China issued the Measures on Security Assessment of Cross-Border Data Transfer (the “Security Assessment Measures”), which sets out the security assessment framework for cross-border data transfers. The Security Assessment Measures will become effective on September 1, 2022. In conjunction with the

2021 was a busy year for data protection law in China. On June 10, 2021, the Standing Committee of the National People’s Congress of the People’s Republic of China adopted the Data Security Law (DSL), which went into effect on September 1, 2021. On August 20, 2021, the Standing Committee of the National People’s Congress enacted the Personal Information Protection Law (PIPL), which went into effect just last month, in November 2021. The DSL applies broadly to processing of all data, not just personal information or electronic data and expands on the provisions from China’s Cybersecurity Law, which was enacted in 2016. In contrast, the PIPL applies only to the processing of personal information and has been compared to Europe’s General Data Protection Regulation (GDPR), although that comparison may obscure the contours of China’s law more than it enlightens.

Consistent with the course of Chinese administrative law, the laws’ key terms, analyses, and processes will continue to be fleshed out and perhaps materially enhanced or diminished in a series of regulations, measures, standards, and guidance documents. The latest draft measures on cross-border transfers, which are being closely watched by organizations contemplating cross border data transfers, were published at the end of October, and comments were accepted through November. We expect China to continue finalizing the laws’ terms and measures in 2022.

Continue Reading What China’s New Data Laws Could Mean for 2022

On August 20, 2021, the Standing Committee of the National People’s Congress promulgated the Personal Information Protection Law (PIPL), which will become effective on November 1, 2021. The PIPL is the first comprehensive national level personal information protection law in China, which systematically regulates the processing of personal information by entities and individuals. The PIPL, together with the Cybersecurity Law, which was promulgated in 2017, and the Data Security Law, which was promulgated earlier this year, form the three pillars of China’s comprehensive data protection legal regime.

This Alert provides a summary of the highlights of the PIPL, discusses the implications on domestic and foreign businesses operating in China, and compares the PIPL with the European Union (EU) General Data Protection Regulation (GDPR), which has greatly influenced many of the concepts included in the PIPL.
Continue Reading China Passes Personal Information Protection Law

On March 6, 2020, the China Standardization Administration and the State Administration for Market Regulation jointly released an updated version of the Personal Information Security Specification (the “Specification”) which will become effective on October 1, 2020.[1] The updated Specification updates the current Specifications[2] that have been in effect since May 1, 2018, and is the result of a revision effort by the Specification’s drafters, that included a series of interim drafts published for public comment on January 30, 2019, June 21, 2019, and most recently, on October 22, 2019, in order to address certain loopholes and practices leading to excessive collection of personal information.
Continue Reading China Updates its Personal Information Security Specification