On 29 October 2021, the Cyberspace Administration of China (CAC) issued a call for public comments on the Measures on Security Assessment of Cross-border Data Transfer.

Following the release and implementation of several important laws intended to establish a better cybersecurity scheme (the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law), CAC finally issued the Measures three days before the effective date of the Personal Information Protection Law (PIPL). This is not the first time that China has drawn up regulations to administer cross-border data transfer. The two previous attempts were the Assessment Measure for Cross-Border Transfer of Personal Information and Important Data (released for comments on 13 October 2017) and the Assessment Measure for Cross-Border Transfer of Personal Information (released for comments on 13 June 2019). However, neither Measure has been finalized or implemented.

After two years, China has finally published detailed rules on data transfer across its borders. These rules complete the operational basis for the cross-border data security assessment mentioned in the three laws, an assessment that has long been a concern for foreign companies. The latest Measures describe the security processes and approval materials, along with the data scope and the industry regulatory bodies, for assessing data transfers outside mainland China.

In general, according to the Measures, every data processor that conducts cross-border data transfer should carry out a data exit risk self-assessment. If the data processor meets any of the following circumstances, it shall also apply to CAC, through the local provincial cyberspace administration, for a cross-border data transfer security assessment:

  • The data is personal information or important data collected and generated by a Critical Information Infrastructure Operator (CIIO).
  • The batch to be transferred includes important data.
  • The data transfer applicant is a handler that deals with or possesses the information of more than one million people.
  • The data covered by the application involves the information of more than 100 thousand people or the sensitive information of over 10 thousand people.

China’s efforts to protect data security have accelerated in the past two years, and cross-border data transfer seems to be one of the critical control points. Policies on cross-border data management would affect existing business models and system architecture, and would determine the potential scope of financial costs, effort, and technical adjustments for foreign stakeholders. First, extensive capital and ongoing expenses would be spent on building up the IT environment and data management for mainland China. Second, foreign stakeholders should engage or build a local cybersecurity team (including security governance and security operations) to ensure proper cybersecurity protection and market compliance.