China legal update: New Regulation on Cross-border Transfer of Personal Information

I. Legal News

New Regulation on Cross-border Transfer of Personal Information

Early on the morning of June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) (the “2019 Draft”) to solicit public opinions until July 13, 2019. For the first time, a draft specifically aimed to regulate the export of personal information.

The 2019 Draft makes significant adjustments by setting mandatory security assessment obligations on all network operators¹ who intend to transfer personal information² they collected in China to overseas recipients. These obligations consist of unprecedentedly strict requirements compared to the previous Measures for Security Assessment for Cross-border Transfer of Personal Information and Important Data (“2017 Draft”) released on April 11, 2017. For example:

(1) Applying for Security Assessment

Compared to the 2017 Draft, the 2019 Draft changes the principle of assessment from “self-assessment” to “applying for security assessment”, which inevitably imposes a stricter compliance obligation on network operators.

Specifically, under the 2017 Draft, network operators are not obliged to file relevant documents with the qualified Network Security Authorities for a security assessment, but only need to complete a self-assessment before sending personal information overseas. Under the 2019 Draft, it is mandatory for network operators to apply to the respective provincial-level CAC for a security assessment before transferring personal information overseas, and the intended cross-border data transfer shall be prohibited if CAC finds that it might potentially undermine national security, public interests or the safety of the personal information.

In addition, the security assessment requires network operators to submit a series of documents to the provincial-level CAC, including but not limited to the application form, the contract between the network operator and the overseas recipient, and a risk analysis report.

Moreover, network operators shall report annually to the respective provincial-level CAC on the status of their cross-border transfer of personal information, as well as on the performance of contracts between network operators and overseas recipients, before the annual deadline of December 31 of each year.

However, details of the application procedure still need to be further clarified.

(2) Specific Requirement for Assessment on different/same overseas recipient(s)

According to the 2019 Draft, if the personal information will be transferred to different recipients, the network operators shall apply for the security assessment separately and independently for each. However, in order to lighten the burden of filing, the 2019 Draft also stipulates that it is unnecessary to repeat the assessment if the personal information will be transferred to the same overseas recipient, which is undoubtedly a relief for global companies that need to transfer information to the same overseas recipient continuously or multiple times.

(3) Prohibited Export of Personal Information

Apart from the power to assess the documents filed by network operators, the 2019 Draft also grants CAC another important power: to order network operators to suspend or terminate the data export in a set of situations. Pursuant to Art. 11 of the 2019 Draft, these situations include but are not limited to “network operators or overseas recipients have suffered severe data leakage incidents or abuse of information” or “network operators are incapable of protecting personal information”.

Up to now, it is still unclear whether the 2019 Draft will be passed, but it indicates a trend: network operators’ cross-border data transfers will be closely regulated and monitored by CAC, and this change will have a very big influence on foreign investors who need to transfer such data.

For companies concerned, compliance measures should be taken as early as possible to comply with the ever-changing laws and regulations.


II. Hot topic

CSRC Confirming to Expand Opening-up in China’s Capital Market

For years, foreign investors have faced a series of restrictions on access to China’s capital market. But recently, top mainland financial regulators highlighted a capital reform plan to further open up the capital market in China.

On June 13, 2019, Yi Huiman, chairman of the China Securities Regulatory Commission (“CSRC”), declared at the 11th Lujiazui Forum in Shanghai that CSRC would gradually launch nine measures to widen foreign investors’ access to the financial industry. Under the nine measures he mentioned, a wide range of financial areas (e.g. securities business, fund management services, futures market, exchange bond market, etc.) are promised to be opened to foreign banks, funds and other institutional investors. He also mentioned that limitations on foreign ownership will be largely relaxed.

Meanwhile, according to Yi Gang, governor of the People’s Bank of China, the central bank would support a pilot programme based in Shanghai to remove the foreign ownership limits on firms providing securities and fund management services. All these efforts were part of measures to help build the city into an international financial centre.

It is said that this announcement brings exciting opportunities to market players amid the recent volatility in the global market environment, and that the proposed opening-up measures reinforce the Chinese government’s determination to further reform and open up the Chinese capital market and offer national treatment to foreign investors.


1. According to article 21 of the 2019 Draft, network operators refer to owners and administrators of the network and network service providers. However, as with “Critical Information Infrastructure”, a notion still under legislative process, no official explanation has yet been released to further clarify the scope of network operators.

2. According to article 21 of the 2019 Draft, personal information refers to the information recorded by electronic or other means that, alone or in combination with other information, can identify a natural person’s personal identity, including but not limited to the individual’s name, date of birth, ID number, personal biometric information, address and phone number.


