Wan Li

Subscribe to Wan Li's Posts
Contact:Read more about Wan Li

Under China’s data protection regulatory framework, data processors are required to pass a security assessment conducted by the cybersecurity regulator before transferring certain categories or volumes of data out of China. This January, six months after the Cyberspace Administration of China (“CAC”) released the Measures on Security Assessment of Outbound Data Transfers (“Measures”), the Beijing counterpart of CAC reported the first two cases where the data processors passed the security assessments led by CAC, which sheds some light on the uncertainty and complexity of the security assessment.

Uncertainty of Reviewing Process and End of Grace Period

As disclosed by Beijing CAC, as of February 22, 2023, Beijing CAC has assisted more than 310 entities with their potential applications for the security assessment of outbound data transfers, and has received 48 formal applications from organizations in industries such as technology, e-commerce, healthcare, finance, automotive, and civil aviation, including multinational companies. Among many applications, CAC granted two organizations with the approval for transferring data out of China, namely the Beijing Friendship Hospital of the Capital Medical University and Air China.Continue Reading China Unveils Two Approved Outbound Data Transfer Cases

The regulatory landscape in China around data protection and flows continues to develop. Since the 2017 Cybersecurity Law, China has been refining the legal and regulatory framework for data protection—it has implemented new laws and regulations that set comprehensive rules for data processing activities across all industries in China and cover the rules regarding cross-border

On October 29, 2021, the Cyberspace Administration of China (“CAC“) published the “Draft Measures on Security Assessment of Cross-Border Data Transfer” (“Draft Measures“) for public comment, which outlines the requirements for security assessments on cross-border data transfers. The CAC had released previous draft measures specifying the “Security Assessment” requirements and procedures

On April 29, 2021, the national legislator in China released the second draft of the Personal Information Protection Law (“PIPL”) to collect public comments until May 28, 2021. The updated draft substantially follows the framework of the first draft, which marks China’s comprehensive system for the protection of personal information, sets forth general rules for the processing and transferring of personal information across China’s borders, and echoes certain mechanisms under the EU’s General Data Protection Regulation (“GDPR”), including application of extraterritorial jurisdiction, with which China would use long-arm jurisdiction to regulate the concerned entities across borders. This approach reflects China’s position that privacy law is an important component of China’s long term strategy on the international stage. In fact, the PIPL expressly contemplates China’s engagement with other jurisdictions (at both the country and regional levels) to try to create “interoperability” with these other privacy systems. Below we summarize key terms of the updated draft PIPL.
Continue Reading China Released Second Draft of Personal Information Protection Law

The U.S. Financial Crimes Enforcement Network (FinCEN) and the China Anti-Money Laundering Monitoring and Analysis Center (CAMLMAC) recently signed a Memorandum of Understanding (MOU) to create a “framework to facilitate expanded U.S.-China collaboration, communication, and cooperation” between each agency’s financial intelligence units (FIUs). News Release (December 11, 2015).

In announcing the MOU, FinCEN Director Jennifer