The Security Assessment Measures for Data Export (《数据出境安全评估办法》, hereinafter as “Measures”) were recently released by the Cyberspace Administration of China (“CAC”), and will become effective September 1, 2022. The Measures further define the requirement of security assessment by the government for outbound data transfers, as further defined below (“Data Export”) under the regime of China’s Data Laws (“Data Protection Laws”) and provide a preliminary reference for multinational companies (“MNCs”) to prepare and carry out internal controls for data related operations. Here is a brief overview of the Measures. The data and personal information discussed in this article refer to such information collected and generated in China.
1. Application Scope
- The situations where a declaration to the CAC for security assessment for data export through the local provincial cyberspace administration authority is required include:
- Where a “Data Processor” exports “Critical Data” abroad;
- Where a “Critical Information Infrastructure Operator” (“CIIO”) or a “Data Processor” which processes “personal information” (“PI”) of more than 1 million individuals, exports personal information abroad.