January 29, 2022

Volume XII, Number 29

Advertisement
Advertisement

January 28, 2022

Subscribe to Latest Legal News and Analysis

January 27, 2022

Subscribe to Latest Legal News and Analysis

January 26, 2022

Subscribe to Latest Legal News and Analysis

China Draft PIPL Measures Outlines Thresholds for CAC Security Assessments

The Chinese agency charged with implementing and enforcing the new Personal Information Protection Law has issued draft measures for cross-border data transfers. Comments are due by November 28. As we detailed previously, the law requires that the Cyberspace Administration of China (CAC) conduct security assessments prior to certain information transfers out of China. Those situations included if the information transferred reached “significant” thresholds. Those thresholds have now been clarified in the draft.

In particular, the draft contemplates security assessments for transfers by entities that handle over one million individuals’ personal information. Security assessments would also occur if the entity is either transferring personal information of more than 100,000 people or “sensitive” information of more than 10,000 people. In most situations security assessments would be valid for two years.

Under PIPL, both entities who do not meet the thresholds for a CAC-led assessment, as well as those who do, must complete an internal self-assessment before transferring data outside of China. The draft outlines the specifics of that self-assessment. This includes looking at the risk of data leaks, the volume and scope of information to be transferred, and the like.

The draft also provides more insight into requirements around having a data transfer agreement when sharing personal information with a third party. Elements to include in the agreement are similar to GDPR, such as outlining security measures that will be used, limiting the scope of use by the data recipient, and having contractual penalties for contract violations. Also included is a requirement to indicate where, physically, data will be stored outside of China.

Putting it into practice: While the law was effective November 1, this draft is still under review. It does, however, provide guidance about expectations about what companies must do under the law, including thresholds for needing a CAC assessment.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 315
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
 Michael P.A. Cohen Partner DC Antitrust and Competition
Partner

Michael is a partner with the Antitrust and International Competition Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Michael began his career as an Assistant Special Prosecutor, investigating and prosecuting organized crime involvement with the failure of local financial institutions in the early 1990s. After his government service, Michael joined the historic Washington, D.C. antitrust firm Howrey & Simon, where in 1996, he became one of the youngest partners in that unique firm’s history. In 2003, Michael joined Heller Ehrman as...

202-747-1958
Associate

Sam Cohen is an associate in the Entertainment, Technology, and Advertising Practice in the firm's New York office.

Areas of Practice

Sam provides strategic transactional support to clients across the entertainment, technology, and advertising industries in connection with a variety of complex commercial transactions, partnerships, and joint ventures. He advises clients on, and drafts and negotiates documentation related to the production, exploitation, and protection of music, audiovisual content,...

212.896.0663
Advertisement
Advertisement
Advertisement