Skip to content

China – Cyberspace Administration of China announces the Measures for Security Assessment of Data Exports

On 7 July 2022, the Cyberspace Administration of China (CAC) announced its measures for the Security Assessment of Data Exports (the Measures).
The announcement, together with the publication of the draft standard form contractual clauses for consultation (see further in this Update), ends years of uncertainty as to the requirements for the assessments envisaged by the Network Security Law, Data Security Law and more recently, the Personal Information Protection Law (PIPL). The Measures will come into force on 1 September 2022. There is a grace period of 6 months for businesses to conduct compliance review and adopt necessary measures. With respect to transfers carried out before that date, self assessment must be completed, standard data transfer contracts signed and CAC assessment applied for before 1 March 2023.


Who must carry out an assessment?

Businesses must carry out a data export security self assessment where they:

  • are transferring 'important data' overseas;
  • are critical information infrastructure operators transferring personal information outside China;
  • are handling personal information of more than 1 million people and transferring personal information outside China;
  • since 1 January the previous year, have transferred outside China either: (1) personal information of more than 100,000 individuals, or (2) the sensitive personal information of more than 10,000 individuals; or
  • fall within the circumstances where security assessment for overseas transfer of data is required by CAC.

The Contract

The assessment must be accompanied by legal documents specifying:

  • the purpose, method and data scope of the data being transferred, and the purpose and method of the data processing by the overseas recipient;
  • the location and period of data storage overseas, and the measures for re-importing the data on completion of the processing purpose, expiry of the storage period, or termination of the agreement;
  • binding requirements for recipients regarding onward transfers;
  • security measures to be taken on the occurrence of certain significant events, including regarding the control of business of the recipient or the legal regime in the destination;
  • remedial measures, liability for breach of contract and dispute resolution methods; and
  • action to be taken in relation to actual or anticipated breaches.

The Assessment

The data exporter must carry out an initial self-assessment before applying to their provincial CAC for a CAC led data export security assessment. The provincial CAC will then review the application before submitting it to the CAC, which will respond within 45 working days from the time it accepts the application for assessment. However, allowing for the pre-acceptance process with the provincial CAC, businesses will need to apply at least 60 working days before the intended transfer date.

The self-assessment must address all issues affecting the security of the data export including:

  • the legitimacy, legitimacy, and necessity of the purpose, scope, and method of data export and data processing by overseas recipients;
  • the scale, scope, type, and sensitivity of the data, the potential risks of its export to national security, public interests and the interests and rights of individuals or organisations;
  • the recipient's responsibilities and obligations and organisational and technical measures and its ability to protect the data;
  • the risks to the security of the data and to the existence of a smooth channel for the protection of personal information rights and interests; and
  • the comprehensiveness of the data export document in providing data security.

The CAC assessment will address the above matters and other matters deemed necessary by the national CAC.

Refreshing the Assessment

The assessment needs to be refreshed after 2 years or earlier if there are any changes in circumstances that affect the security of outbound data; in particular from any changes in:

  • the purpose, method, scope, and type of data, or the purpose and method of data processing by the overseas recipients, or extension of the period for which the data is to be stored; or
  • changes in the data security protection policies, regulations and network security environment of the country or region where the overseas recipient is located, or other significant events impacting security, including force majeure event, change of control of the data exporter or overseas recipients, or amendments to the legal documents entered into between the data exporter or overseas recipients.

The Measures are available here (in Mandarin only).

This publication is prepared by Anita Anand of aosphere and Susana Ng of Allen & Overy Hong Kong office.  Services in relation to the laws of the People’s Republic of China are provided by Allen & Overy LLP’s joint operation firm, Shanghai Lang Yue Law Firm.
The publication is relevant for all businesses (i) having operations in China; (ii) which target Chinese nationals in the provision of goods or services; or (iii) which monitor and analyse the behaviours of PRC nationals.

Related expertise