China: CAC publishes updated Guidelines on Security Assessments and Standard Contracts for Data Transfers

On March 22, 2024, the Cyberspace Administration of China (CAC) published two updated guidelines, namely the Guidelines for the Declaration of Data Transfers Security Assessment (second edition) (the Assessment Guidelines) and the Guidelines for the Filing of Standard Contracts for the Transfer of Personal Information (second edition) (the Standard Contract Guidelines).

The Assessment Guidelines

The Assessment Guidelines aim to clarify obligations under the Measures for Security Assessment of Data Exports and the Regulations on Promoting and Standardizing Cross-border Data Flows (the Regulations on Cross-border Data Flows). They apply to data processors providing data overseas, which must apply for a data export security assessment where:

  • critical information infrastructure operators (CIIOs) provide personal information or important information overseas; and
  • data processors other than CIIOs provide important data overseas, or provide personal information of more than one million people, or the sensitive personal information of more than 10,000 people overseas, since January 1 of that year.

The following are considered data exports under the Assessment Guidelines:

  • data processors transferring data collected and generated during domestic operations overseas;
  • the data collected and generated is stored within China, and overseas institutions, organizations, or individuals can query, retrieve, download, and export it; and
  • other processing activities such as processing domestic personal information overseas in compliance with Article 3(2) of the Personal Information Protection Law (PIPL).

The Assessment Guidelines also detail how to apply for a data export security assessment.

The Standard Contract Guidelines

The Standard Contract Guidelines state that they apply to the Standard Contract Measures for Exporting Personal Information and the Regulations on Cross-border Data Flows. They note that they apply to personal information processors that enter into a standard contract to provide information overseas, and that processors must register with the local regulatory authority if:

  • they are data processors other than CIIOs;
  • since January 1 of that year, the personal information (excluding sensitive personal information) of more than 10,000 but fewer than one million people has been provided overseas; or
  • since January 1, 2024, the personal information of a cumulative total of fewer than 10,000 people has been provided overseas.

You can read the press release here, the Assessment Guidelines here, and the Standard Contract Guidelines here, all only available in Chinese.