On April 11, 2017, the Cyberspace Administration of China, also known as the State Internet Information Office (国家互联网信息办公室) (the “CAC”)[1], released for public comment a draft of the Measures for Security Assessment of Transferring Personal Information and Critical Data Overseas (个人信息和重要数据出境安全评估办法) (the “Overseas Data Transfer Draft”).
The main purpose of the Overseas Data Transfer Draft is to require companies, organizations and individuals in China to apply for permission, under certain circumstances, to transmit personal information and critical data (“Digital Data”) out of the country. The draft rules would require two different types of security assessments in connection with overseas transfers of Digital Data: (i) self-assessments conducted by the companies, individuals and organizations planning to transfer the Digital Data overseas, and (ii) assessments conducted by the respective primary industry regulators charged with supervising the operation of those companies, individuals and organizations (the “Primary Regulators”).