[Source] http://www.cac.gov.cn/2019-06/13/c_1124613618.htm 【Period for Submitting Comments】Through July 13, 2019 [The original Chinese makes clear that Hong Kong, Macao, and Taiwan are considered 'abroad' or 'outside the country' for purposes of classifying data transfers.]
Article 1: These Regulations are drafted in accordance with the "Cybersecurity Law of the People's Republic of China" and other relevant laws and regulations, so as to ensure the data security of personal information in cross-border data flows.
Article 2: Network operators providing those outside the mainland territory with personal information collected by operators inside the mainland territory of the People's Republic of China (hereinafter 'personal information leaving the country') shall conduct security assessments in accordance with these Measures. Where through security assessments it is determined that personal information leaving the country might impact national security or harm the public interest, or that it would be difficult to ensure personal information security, it must not leave the country.
Where the state has other provisions on personal information leaving the country, follow those provisions.
Article 3: Before personal information leaves the country, network operators shall report security assessments of personal information leaving the country to the provincial internet information departments for the province where they are located.
Separate security assessments shall be reported for provision of personal information to different Recipients, but multiple assessments are not required for sending personal information to the same Recipient multiple times or continuously.
A new security assessment shall be made every 2 years or where there is a change in the purpose for personal information leaving the country, its type, or the period of retention abroad.
Article 4: Network operators reporting on security assessments for personal information leaving the country shall provide the following materials and bear responsibility for their veracity and accuracy:
(1) A written declaration.
(2) A contract signed by the network operators and Recipients.
(3) A report analyzing security risks and security safeguard measures for the personal information leaving the country.
(4) Other materials that the State Internet information departments requests be provided.
Article 5: After provincial level internet information departments receive reports and materials on security assessments of personal information leaving the country and inspect their completeness, they shall organize experts or technical forces to conduct a security assessment. The security assessment shall be completed within 15 working days, but where circumstances are complex, this may be appropriately extended.
Article 6: Security assessments for personal information leaving the country are to focus on assessment of the following content:
(1) Whether relevant state laws, regulations, and policies are complied with;
(2) Whether the contract terms are sufficient to safeguard the lawful rights and interests of personal information subjects.
(3) Whether the contract can be effectively implemented.
(4) Whether the network operators or Recipients have a history of harming the lawful rights and interests of personal information subjects.
(5) Whether the network operators' acquisition of the personal information was lawful and proper.
(6) Other matters which should be assessed.
Article 7: Provincial internet information departments are to report circumstances relevant to security assessments of personal information leaving the country to the state internet information departments at the same time that they notify network operators of the results of security assessments for personal information leaving the country.
Where network operators have objections to the conclusions of provincial network information departments security assessments for personal information leaving the country, they may submit a complaint appeal to the national internet information departments.
Article 8: Network operators shall establish records of personal information leaving the country and retain them for at least 5 years, with the records including:
(1) The date and time that personal information is provided abroad.
(2) The Recipients' identities, including but not limited to their names, addresses, contact information and so forth;
(3) The types, volume, and degree of sensitivity of personal information provided abroad;
(4) Other content provided for by the state internet information departments.
Article 9: Before December 31 each year, network operators shall report on personal information leaving the country and contract performance that year to the internet information departments for the province where they are located.
Where a larger data security incident has occurred, it should be promptly reported to the provincial internet information departments for the area where they are located.
Article 10: Provincial internet information departments shall periodically organize inspections of operators' records of personal information leaving the country, and other circumstances of personal information leaving the country, emphasizing inspection of the performance of obligations provided for in the contracts, whether there is conduct violating state provisions or harming the lawful rights and interests of personal information subjects.
Where circumstances harming the lawful rights and interests of personal information subjects, data leaks, or other security incidents are discovered, they shall promptly request that the network operators make corrections, and spur the Recipients' corrections through the network operators.
Article 11: When the following circumstances occur, internet information departments may request that network operators suspend providing personal information abroad:
(1) network operators or Recipients have larger data leaks, data abuses, or other such incidents.
(2) personal information subjects are unable, or have difficulty in, protecting personal lawful rights and interests.
(3) network operators or Recipients are unable to ensure personal information security.
Article 12: All individuals and organizations have the right to report provision of personal information abroad in violation of these Measure to internet information departments at the provincial level or above, or other relevant departments.
Article 13: Contracts or other legally effective documents (collectively "contracts") between network operators and the recipients of personal information shall make clear:
(1) The purpose, types, and retention period for personal information leaving the country.
(2) That personal information subject are beneficiaries of contract terms involving the rights and interests of personal information subjects.
(3) When personal information subjects' lawful rights and interests are harmed, they may seek compensation from network operators, Recipients, or both, either on their own or by retaining an agent, and the network operators or Recipients shall give compensation, unless they prove they have no responsibility.
(4) When a change occurs in the legal environment where the Recipient is located, making it difficult to perform on the contract, the contract shall be terminated or a new security assessment conducted.
(5) Termination of the contract cannot absolve network operators' and recipients' responsibilities and obligations provided for in terms of the contract involving the lawful rights and interests of personal information subjects, except where the recipients have already destroyed personal information they received or anonymized it.
(6) other content that both sides agree upon.
Article 14: Contracts shall make clear that network operators bear the following responsibilities and obligations:
(1) To notify personal information subjects by email, instant messenger, letter, fax, or other such means, of network operators and Recipients' basic information, as well as the purposes, types, and storage period for providing personal information abroad.
(2) To provide copies of the contract upon request of personal information subjects.
(3) To transfer personal information subjects' demands to Recipients upon request, including request for compensation from Recipients; and to make compensation in advance when personal information subjects cannot obtain compensation from Recipients.
Article 15: Contracts shall make clear that Recipients bear the following responsibilities and obligations:
(1) To provide personal information subjects with paths for accessing their personal information, and when personal information subjects request corrections or deletions in their personal information, give a response or make corrections or deletions at a reasonable cost and within a reasonable time.
(2) To use personal information in accordance with the purpose agreed to in the contract, and that the period for retention of personal information abroad must not exceed the time agreed upon in the contract.
(3) To confirm that signing the contract and performing contractual obligation will not contradict legal requirements of the country where the Recipient is located, and that when changes occur to the legal environment for the country and region where the Recipient is located that might impact the contract's performance, they shall notify the network operators and have the network operators report to the provincial internet information departments for their locations.
Article 16: Contract shall make clear that Recipients must not transfer the personal information they receive to third-parties except where the following requirements are met:
(1) Where network operators have already transferred personal information to third parties through means such as email, instant messenger, letter, or fax, and the personal information subjects have been informed of the third-parties' identities and nations, the type of personal information transferred, and the period of time for retention by the third-party.
(2) Recipients pledge that when requested to stop transfers to third-parties by the personal information subjects, they will stop transfers and request that the third-parties destroy personal information they have already received.
(3) When sensitive personal information is involved, the personal information subjects' consent shall be obtained.
(4) When transfer of personal information to third-parties bring harm to the lawful rights and interests of personal information subjects, network operators agree to initially bear responsibility for compensation.
Article 17: Network operators' analytic reports on security risks and security safeguard measures for personal information leaving the country, shall include at a minimum:
(1) Network operators and Recipients' backgrounds, scale, operations, finances, reputation, network security capacity, etc.
(2) Plans for personal information leaving the country, including the time for which it will continue, the number of personal information subjects involved, the scale of personal information being provided abroad, whether the information can be transferred to third-parties after leaving the country, etc.
(3) Analysis of security risks and measures for safeguarding personal information security and for protecting the lawful rights and interests of personal information subjects.
Article 18: Violations of these Provisions are handled in accordance with relevant laws and regulations.
Article 19: Where treaties, agreements, and so forth that our nation participates in or has concluded with other nations, regions, and international organizations have clear provisions, apply those provisions except for terms to which our nation has a declared reservation.
Article 20: Foreign establishments collecting domestic users' personal information through the internet during business activities shall perform the responsibilities and obligations of network operators in these Measures through a legal representative or establishment in the mainland territory.
Article 21: The meanings of the following terms used in these Measures:
(1) "Network operators" refers to network owners, managers and network service providers.
(2) “personal information“ refers to all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person's identity, including, but not limited to, natural persons' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.
(3) "Sensitive personal information" refers to personal information that once leaked, stolen, altered, or illegally used, might harm personal information subjects' security in their person and property, or lead to personal information subjects' reputations or physical and psychological health being harmed.
Article 22: These Measures take effect on XX/XX/XX.