Skip to content

China promulgates measures on security assessment for cross border transfer of data

On 7 July 2022, the Cyberspace Administration of China (CAC) released the Measures on Security Assessment for the Cross-border Transfer of Data (the Measures). As a step in the process of further detailing the mandatory governmental security assessment for transferring data outside Mainland China (Security Assessment), which has been laid out in principle under the PRC Cybersecurity Law, the PRC Data Security Law, and the PRC Personal Information Protection Law (the PIPL), the adoption of the Measures signals a new era for regulating the cross-border transfer of data under PRC law.

Most importantly, the Measures articulate the conditions under which the Security Assessment is triggered, the procedure for the Security Assessment, and the factors to be considered by the cyberspace and other administrative authorities in conducting the Security Assessment.

The Measures largely follow a consultation draft published by the CAC in October 2021, with some key revisions refining the scope and procedure of the security assessment mechanism to be implemented. Further to our last alert on the 2021 Draft, we will highlight these key changes in this updated overview.

Why does this matter to you?

New Measures requiring careful consideration for data exports, suggesting that all companies operating in China should review them to understand how they might impact their specific operations.

  • M&A – A change in control arising out of a share sale will trigger a refreshment of the CAC assessment under these new measures. Legal compliance of the onshore target companies will be an area subject to enhanced due diligence and remedial actions.
  • Employment – Under the  Measure, organizations and individuals are “encouraged” to report any compliance violations.  This may provide an additional avenue for disgruntled employees or lodge complaints with the employer or to make regulatory reports as leverage in employment separation discussion.  
  • Litigation - These Measures may also raise additional complexities when a China-based organisation is faced with an overseas litigation or investigation conducted by foreign regulations. 

The Measures signal that companies should also be mindful of an increased risk of investigations conducted by the CAC and other relevant PRC regulators, concerned with violations of the new data and personal information security protection regimes. Companies with a need to transfer their data across the border of Mainland China, particularly multinationals, need to pay close attention to the Measures and any further practical guidance or rules that may be released by the authorities from time to time. 

The A&O team, along with partner Melody Wang, counsels Ran Chen, Paul Jing and Tiantian Wang from our joint operation partner, Shanghai Lang Yue law firm, are key contributors to this alert. 

Recommended content