According to information from Netcom China, the Cyberspace Administration of China has issued a notice for public comment on the "Regulations on Regulating and Promoting Cross-Border Data Flows (Draft for Comment)".
For data exported in the course of activities such as international trade, academic cooperation, transnational manufacturing and marketing, as long as it does not contain personal information or important data, there is no need to conduct a data export security assessment, sign a personal information export standard contract or pass personal information protection certification. For data that is not recognized as important by relevant departments or regions, data processors do not need to declare a data export security assessment. When personal information collected outside the country is provided overseas, there is no need to conduct a data transfer security assessment, sign a personal information transfer standard contract, or pass personal information protection certification. If the personal information of no more than 10,000 people is provided overseas, there is no need to conduct a data export security assessment, sign a personal information export standard contract, or pass personal information protection certification. However, if personal information is provided overseas based on individual consent, the consent of the personal information subject must be obtained. If the personal information of more than 10,000 but not more than 1 million people is expected to be provided overseas within one year, it is necessary to sign a standard personal information export contract with the overseas recipient and file it with the provincial cybersecurity and informatization department, or pass personal information protection certification. In that case, there is no need to declare a data export security assessment. If the personal information of more than 1 million people is provided overseas, you must declare a data export security assessment. However, if personal information is provided overseas based on individual consent, it is still necessary to obtain the consent of the personal information subject.
Notice of the Cyberspace Administration of China on publicly soliciting opinions on the "Regulations on Regulating and Promoting Cross-Border Data Flows (Draft for Comment)"
1. Log in to the Chinese Government Legal Information Network of the Ministry of Justice of the People's Republic of China (www.moj.gov.cn, www.chinalaw.gov.cn) and enter the "Legislative Opinion Collection" column on the main menu of the homepage to submit your opinions.
2. Send comments via email to: shujuju@cac.gov.cn.
3. Send your opinions by letter to: Network Data Administration Bureau of the Cyberspace Administration of China, No. 15 Fucheng Road, Haidian District, Beijing, Postal Code: 100048, and indicate on the envelope "Regulations on Regulating and Promoting Cross-Border Data Flows: Request for Comments".
The deadline for feedback is October 15, 2023.
State Internet Information Office
September 28, 2023
Regulations on regulating and promoting cross-border data flows
In order to ensure national data security, protect personal information rights and interests, and further standardize and promote the orderly and free flow of data in accordance with the law, the following provisions are made, in accordance with relevant laws, on the implementation of data export rules such as the "Data Transfer Security Assessment Measures" and the "Personal Information Transfer Standard Contract Measures".
1. If the data generated in activities such as international trade, academic cooperation, transnational manufacturing, and marketing is exported abroad and does not contain personal information or important data, there is no need to declare a data export security assessment, conclude a personal information export standard contract, or pass personal information protection certification.
2. If the relevant departments or regions have not notified or publicly announced that certain data is important data, the data processor does not need to declare a data export security assessment for it as important data.
3. If personal information that was not collected within the country is provided overseas, there is no need to declare a data export security assessment, enter into a standard contract for personal information export, or pass personal information protection certification.
4. If one of the following circumstances is met, there is no need to declare a data export security assessment, conclude a personal information export standard contract, or pass personal information protection certification:
(1) Where personal information must be provided overseas because it is necessary to conclude and perform a contract to which the individual is a party, such as cross-border shopping, cross-border remittance, air ticket and hotel booking, visa application, etc.;
(2) Where the personal information of internal employees must be provided overseas to implement human resources management in accordance with the labor regulations and collective contracts signed in accordance with the law;
(3) Where, in an emergency, personal information must be provided overseas to protect the life, health and property safety of natural persons.
5. If the personal information expected to be provided overseas within one year does not exceed that of 10,000 people, there is no need to conduct a data export security assessment, sign a personal information export standard contract, or undergo personal information protection certification. However, if personal information is provided overseas based on individual consent, the consent of the personal information subject must be obtained.
6. Those who expect to provide the personal information of more than 10,000 people but less than 1 million people overseas within one year, and who enter into a standard contract for the export of personal information with the overseas recipient and file it with the provincial cybersecurity and informatization department, or pass the personal information protection certification, do not need to apply for a data export security assessment; if you provide personal information of more than 1 million people overseas, you must apply for a data export security assessment. However, if personal information is provided overseas based on individual consent, the consent of the personal information subject must be obtained.
7. A free trade pilot zone may formulate its own list of data that needs to be included in the management scope of data export security assessment, personal information export standard contracts, and personal information protection certification (hereinafter referred to as the negative list). After approval by the provincial network security and information technology committee, the list shall be reported to the national network information department for filing.
When data outside the negative list is exported, there is no need to conduct a data export security assessment, sign a personal information export standard contract, or pass personal information protection certification.
8. National agencies and critical information infrastructure operators that provide personal information and important data to overseas parties shall comply with relevant laws, administrative regulations, and departmental rules.
Providing sensitive information or sensitive personal information involving Party, government, military and confidential units to overseas parties shall be carried out in accordance with relevant laws, administrative regulations and departmental rules.
9. When data processors provide important data and personal information overseas, they must comply with the provisions of laws and administrative regulations, perform data security protection responsibilities, and ensure the safety of data exported abroad. If a data export security incident occurs or data export security risks are found to have increased, remedial measures should be taken and reported to the relevant network security departments in a timely manner.
10. Guidance and supervision shall be strengthened before, during and after the event. If it is discovered that there are major risks in data export activities or security incidents occur, data processors shall be required to make rectifications to eliminate hidden dangers; if they refuse to make corrections or cause serious consequences, they shall be ordered to stop data export activities in accordance with the law, to ensure data security.
11. If relevant provisions such as the "Measures for Security Assessment of Data Export" and the "Measures for Standard Contracts for the Export of Personal Information" are inconsistent with these regulations, these regulations shall prevail.