China: CAC requests comments on draft Measures for Data Export Security Evaluation

The Cyberspace Administration of China ('CAC') requested, on 29 October 2021, public comments on draft Measures for Data Export Security Evaluation. In particular, the draft highlights the need to standardise data export activities, seeking to clarify data export under the Personal Information Protection Law, Data Security Law, and the Cybersecurity Law. More specifically, the draft details that where a transfer of data outside of China meets one of the following conditions, a report must be made to the National Security Assessment outbound data network through the provincial CAC:

  • personal information and important data collected and generated by operators of critical information infrastructure;
  • outbound data contains important data;
  • personal information processors who have processed personal information of one million people provide personal information abroad;
  • cumulatively providing personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad; or
  • other situations required by the CAC that require data exit security assessment.

In addition, the draft specifies that outbound data risk assessments carried out in advance should focus on matters including the quantity, scope, type, and sensitivity of outbound data, and whether data export-related contracts with overseas recipients stipulate the responsibility and obligation of data security protection. Furthermore, the draft notes the relevant materials for an outbound data security assessment should include a declaration form, a self-assessment report of risk, contracts or other legally binding documents drawn up between the data processor and overseas recipient, and other materials required for safety assessment.

Public comments may be submitted to [email protected] until 28 November 2021.

You can read the draft, only available in Chinese, here.
