China promulgates measures on security assessment for cross border transfer of data

Author
Eugene Chen

Registered Foreign Lawyer

Hong Kong

Victor Ho

Registered Foreign Lawyer, Cal

Hong Kong

Jane Jiang

Partner

Shanghai

Susana Ng

Of Counsel

Hong Kong

Richard Wagner

Registered Foreign Lawyer, WI

Hong Kong

Jill Ge

Partner

Shanghai

03 August 2022

Measures on Security Assessment for the Cross-border Transfer of Data (the Measures) have been released by the Cyberspace Administration of China (CAC).  

This is a step in the process of further detailing the mandatory governmental security assessment for transferring data outside Mainland China (Security Assessment), which has been laid out in principle under the PRC Cybersecurity Law, the PRC Data Security Law, and the PRC Personal Information Protection Law (the PIPL). The adoption of the Measures signals a new era for regulating the cross-border transfer of data under PRC law. Most importantly, the Measures articulate the conditions under which the Security Assessment is triggered, the procedure for the Security Assessment, and the factors to be considered by the cyberspace and other administrative authorities in conducting the Security Assessment.

The Measures largely follow a consultation draft published by the CAC in October 2021, with some key revisions refining the scope and procedure of the security assessment mechanism to be implemented. The new Measures require careful consideration for data exports. Companies operating in China should review them with their chosen advisors to understand how the Measures might impact their specific operations.

Risks specific to investigations.

  • The Measures are likely to further complicate the transfer of data out of Mainland China when a China-based organisation is subject to or involved in an investigation being conducted by foreign regulators.
  • Companies should also be mindful of an increased risk of being investigated by the CAC and other relevant PRC regulators, in relation to violations of the new data and personal information security protection regimes.

For more detail on the Measures, the types of data affected and the implications for investigations, take a look at this briefing prepared by A&O and our joint operation partner, Shanghai Lang Yue law firm.

 
