The current law requires a critical information infrastructure operator to store all personal information and important data collected within China in China. No cross-border transfer is allowed unless the required security assessment is passed.
A few draft regulations propose to extend the coverage of this data localisation requirement to all data controllers. It is not clear whether the proposal will remain unchanged in the final versions.
The Draft Personal Information Protection Law provides alternative conditions for cross-border transmission of personal information other than the required security assessment, including obtaining personal information protection certification by professional agencies or signing a contract with overseas recipient of the personal information to stipulate the rights and obligations of both parties as well as supervise the recipient’s personal information protection. Therefore, requirements for cross-border transmission of personal information and important data may be further updated by the enactment of the PRC Personal Information Protection Law and relevant regulations.