Cybersecurity: New Draft on Security Assessment of Cross-Border Data Transfer

I. Legal News:

The Cyberspace Administration of China (“CAC”) recently issued Measures on Security Assessment of Cross-Border Data Transfer (Draft for Comments), which is seeking public comments till November 28, 2021 (the “Draft”).

According to the Draft, not all cross-border data transfers in China are requested to make an application at CAC for a mandatory security assessment, only under the following five circumstances shall the data processor file an application at CAC:

Upon application for security assessment at CAC, the result of security assessment shall be notified to the data processor in writing, and the result shall be valid for two years. A new application shall be submitted again 60 working days prior to the expiry of the valid term.

Any violation of this Measures shall be subject to the sanctions regulated in the Cyber Security law, Data Security Law and Personal Information Protection Law².

(http://www.cac.gov.cn/2021-10/29/c_1637102874600858.htm)

Recently, draft amendment to the Anti-Monopoly Law was issued for soliciting public comments till November 11, 2021 (the “Draft”).

Hereunder are two takeaways of the Draft:

(1) Vertical agreements for resale price

According to PRC Anti-Monopoly Law, the following vertical agreements are prohibited:

① Agreement restricting the minimum price for resale to a third part

② Agreement fixing the price for resale to a third party

Currently, the Draft newly adds that:

For the above two vertical agreements for resale price, they will not be prohibited if the business operators can prove that they do not have the effect of excluding/limiting competition³.

(2) Control on digital platforms

Digital platform industry grows fast in China and many corresponding monopolistic misconducts occurred these years⁴. To ensure the healthy development of the platform operators, the Draft clarifies that “platform operators shall not eliminate or restrict competition by abusing data, algorithm, technology, capital advantages or platform rules”.

(http://www.npc.gov.cn/flcaw/userIndex.html?lid=ff8081817ca258e9017ca5fa67290806)

As always, Asiallians remains at your service and our teams are currently mobilized in all our offices in Mainland China, Hong Kong and Taipei.

1. The definition of important data is not fixed yet. According to the article 3.2 of the Draft Guidelines for the Identification of Important Data (Draft for Comments): “Important Data” is “Data that exists electronically, and once tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security and public interests.”

2. Article 66 of Cyber Security Law: a fine up to RMB 500,000 for the enterprise; suspending relevant business operations; revoking the business license, responsible personnel to be fined up to RMB 100,000, etc.
Article 46 of Data Security Law: a fine up to RMB 10 million for the enterprise; suspending relevant business operations; revoking the business license; responsible personnel to be fined up to RMB 1 million, etc.
Article 66 of Personal Information Protection Law: a fine up to RMB 50 million or 5% of its annual turnover of the previous year for the enterprise; suspending relevant business operations; revoking the business license, responsible personnel to be fined up to RMB 1 million, and such persons may also be prohibited from serving as directors, supervisors, senior managers, and persons in charge of personal information protection of relevant enterprises for a certain period of time, etc.

3. However, there is no further details released yet to know how to prove that there is no effect of excluding/limiting competition. Asiallians will monitor further explanations/legislations to be released.

4. Many internet companies like Alibaba, Tencent, Meituan and Jingdong have been filed for alleged monopolistic misconducts.