By: Samuel Yang (Anjie Broad/China Law Vision)
On 28th September 2023, the Cyberspace Administration of China (CAC) released the Draft Regulations titled “Regulations for Standardizing and Promoting Cross-Border Data Flows (Draft for Comments)” for public feedback. These draft regulations signal a potential shift from some of the CAC’s prior stipulations regarding cross-border data transfers.
Context: Framework within the PIPL In 2021, the Personal Information Protection Law (PIPL) was enacted, incorporating Article 38. According to this article, companies looking to export personal information to recipients outside of China must adhere to specific legal mechanisms, termed “Legal Mechanisms”:
- Completion of a security assessment organized by the CAC (“Security Assessment”).
- Execution of the Standard Contract issued by the CAC with the overseas recipient (“Standard Contract”).
- Pursuing personal information protection certification from a professional institute recognized by the CAC (“Certification”).
- Fulfillment of any other prerequisites stipulated by laws, administrative regulations, or the national cyberspace authority…