In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-awaited final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) was released by the Cyberspace Administration of China (“CAC”). With a very tight implementation schedule, the Measures will take effect on September 1, 2022. The full text of the Measures can be found here (currently available only in Mandarin Chinese).

In this blog, we highlight a few key takeaways from the final Measures.

(1) Who must carry out a security assessment?

According to Article 4, an entity that transfers data out of China must apply for a security assessment if any of the following criteria are met:

  • the entity transfers “important data” out of China – the Measures define “important data” as “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety;”
  • the entity transfers personal information out of China as (1) a critical information infrastructure (CII) operator, or (2) a data processing entity that processes personal information of over one million individuals;
  • the entity has, since January 1 of the previous year, transferred out of China (1) the personal information of more than 100,000 individuals, or (2) the sensitive personal information of more than 10,000 individuals; or
  • under other circumstances specified by the CAC.

These thresholds remain unchanged from those provided in the draft version of the Measures issued in October 2021.

(2) How should a security assessment be carried out and what is the timeline?

Under Article 5 of the Measures, data processing entities need to carry out a self-assessment before they can apply through provincial CACs for a security assessment to be carried out and approved by the CAC at the central level.

Upon receipt of the application, a provincial CAC must confirm whether the application materials are complete within 5 working days.  If the application package is complete, the provincial CAC will pass on the application to the central CAC. 

The CAC will inform the applicant in writing whether an application has been accepted within 7 working days of receipt.

After an application is officially accepted, the CAC is required to conclude the assessment and make a decision within 45 working days.  For complex cases or where additional application materials are required, this period can be extended, and the CAC needs to notify the applicant of the estimated time extension.  

If the applicant is not satisfied with the assessment result, it can apply to the central CAC for a re-evaluation within 15 working days from receipt of the result.  The re-evaluation result will be considered the final conclusion.

(3) What materials are required for a security assessment?

Article 6 of the Measures requires data processing entities to submit the following materials when applying for the security assessment:

  • application form;
  • self-assessment report for cross-border data transfers;
  • the agreement or other legally binding documents to be entered into between the data processing entity and the recipient outside of China; and
  • other materials required for the security assessment.

The Measures set forth detailed requirements with respect to the matters to be considered in both the self-assessment and the formal assessment. The Measures also stipulate the contents that must be included in the agreement to be entered into between the parties. Although the application form is yet to be released, an applicant would likely need to demonstrate in the application materials its compliance with the substantive criteria for the security assessment in the Measures, such as the lawfulness, legitimacy and necessity of the purpose, scope, method and other aspects required to justify the cross-border data transfer.

(4) How often do companies need to carry out a security assessment?

The assessment result is valid for 2 years.  A data processing entity may also need to re-submit an application in certain circumstances, such as where the cross-border data transfer purpose has changed.

(5) Is there a grace period?

The Measures will take effect on September 1, 2022.  For cross-border data transfers that are carried out before that date, the rectification must be completed within 6 months.  It is not quite clear whether the 6-month rectification period would also apply to cross-border data transfers that commence after September 1, 2022.  Regardless, the grace period is relatively short, especially for companies that may have complicated data flows out of China.  

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Xuezi Dan

Xuezi Dan is an associate in the firm’s Beijing office. Her practice focuses on regulatory compliance, with a particular focus on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China.

She also has experience advising clients on general corporate and antitrust matters.