China Center Paper Details Cross-Border Data Regime in Cybersecurity Law

In late May, China’s government issued an important document associated with the new Cybersecurity Law that went into effect on June 1. The Measures on the Security Assessment of Cross-Border Transfer of Personal Information and Important Data (revised draft) will not go fully into effect until December 31, 2017, and they remain a work in progress. Nonetheless, they have already generated considerable concern and confusion among data-centric foreign and domestic businesses operating in China.

This Working Paper provides rare well-positioned insights into the way China’s regulators understand and plan to operationalize the sometimes murky language of the Cybersecurity Law and the Measures. It was translated from the Chinese by Tsai Center Senior Fellow Graham Webster and Paul Triolo of the Eurasia Group, and it is accompanied by a foreword by the translators and Dr. Rogier Creemers of the University of Leiden. The author, Dr. Yanqing Hong, is the research director at the Internet Development Research Institute at Peking University and an expert in legal issues related to data protection, cross-border data flows, and cybersecurity. He also leads the personal data protection project for the National Information Security Standardization Technical Committee of China (TC260) and is deputy head of the task force for the Guidelines for Data Cross-Border Transfer Security Assessment.

This publication is also an outcome of a new trilateral U.S.–China–EU project co-founded by Hong, Creemers, and Webster to chart the direction of each jurisdiction’s digital policies from the perspective of both differing and common interests, and it follows on the successful Conference on Cyberspace and U.S.–China Relations hosted by the Tsai Center in April 2017.

Read the full paper as a PDF.