Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

China: CAC issues Data Export Security Assessment Measures

The Cyberspace Administration of China ('CAC') issued, on 7 July 2022, the Measures for Security Assessment of Data Exports. In particular, the CAC highlighted the Measures apply to data processors conducting security assessments of important data and personal information collected within the People's Republic of China which will be provided overseas. Furthermore, the Measures detail that the data export security assessment combines both pre-assessment and continuous supervision to prevent data export security risks. More specifically, the Measures provide where a data processor provides data overseas, it must submit a data exit security assessment to the CAC through the provincial cybersecurity and informatisation department where:

  • the data processor provides important data overseas;
  • the data processor is a critical information infrastructure operator and the data processor processes the personal information of more than 1 million people;
  • the data processor processes the personal information of 100,000 people or the sensitive information of 10,000 people since 1 January of the previous year; or
  • other situations required to declare data export security assessments as provided by the CAC.

In addition, the Measures outline that a data processor's pre-assessment should focus on, among other things, the responsibilities and obligations that overseas recipients are subject to, the risk of data being tampered, destroyed, or leaked, and whether data export related contracts fully stipulate the responsibility and obligation of data security protections. Lastly, the Measures note that a declaration form, a self-assessment of data export risks, legal documents concluded between the data processor and overseas recipients, and other required materials must be submitted to the provincial cybersecurity and informatisation department.

The Measures come into effect on 1 September 2022.

You can read the Measures, only available in Chinese, here.