Measures for the Security Assessment of Outbound Data Transfers
(Order of the Cyberspace Administration of China No. 11)
The Measures for the Security Assessment of Outbound Data Transfers, adopted at the 10th office meeting of 2022 of the Cyberspace Administration of China on May 19, 2022, are hereby issued and shall come into force on September 1, 2022.
Zhuang Rongwen, Director of the Cyberspace Administration of China
July 7, 2022
Measures for the Security Assessment of Outbound Data Transfers
Article 1 The Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations, to regulate outbound data transfer activities, protect personal information rights and interests, protect national security and social and public interests, and promote a safe and free flow of data across borders.
Article 2 These Measures shall apply to the security assessment of the provision of important data and personal information collected and generated by data processors in the course of their operations within the territory of the People's Republic of China by such data processors to overseas recipients (the "outbound data transfer"). Where there are other provisions in laws and administrative regulations, such other provisions shall prevail.
Article 3 The security assessment of outbound data transfers shall maintain a combination of ex-ante assessment and ongoing supervision, and a combination of risk self-assessment and security assessment, to prevent security risks in outbound data transfers and ensure an orderly and free flow of data in accordance with the law.
Article 4 For an outbound data transfer by a data processor that falls under any of the following circumstances, the data processor shall apply to the national cyberspace administration authority for the security assessment via the local provincial-level cyberspace administration authority:
(1) outbound transfer of important data by a data processor;
(2) outbound transfer of personal information by a critical information infrastructure operator or a personal information processor who has processed the personal information of more than 1,000,000 people;
(3) outbound transfer of personal information by a personal information processor who has made outbound transfers of the personal information of 100,000 people cumulatively or the sensitive personal information of 10,000 people cumulatively since 1 January of the previous year;
(4) other circumstances where an application for the security assessment of an outbound data transfer is required as prescribed by the national cyberspace administration authority.
Article 5 A data processor shall, before applying for the security assessment of an outbound data transfer, conduct a self-assessment of the risks in the outbound data transfer focused on the following matters:
(1) the legality, legitimacy, and necessity of the outbound data transfer and the data processing by the overseas recipient in terms of the purpose, scope, method, etc.;
(2) the quantity, scope, type, and sensitivity of the outbound data, and the risks that may be brought about by the outbound data transfer to national security, public interests, or the lawful rights and interests of individuals or organizations;
(3) whether the responsibilities and obligations undertaken by the overseas recipient and the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the outbound data;
(4) the risk of the outbound data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the outbound data transfer, whether the channels for individuals to safeguard their personal information rights and interests are unobstructed, etc.;
(5) whether data security protection responsibilities and obligations are sufficiently stipulated in the contract or other documents with legal force to be executed (collectively, the "Legal Document") with the overseas recipient in relation to the outbound data transfer;
(6) other matters that may affect the security of the outbound data transfer.
Article 6 When applying for the security assessment of a cross-border data transfer, the following materials shall be submitted:
(2) a report on self-assessment of the risks in the cross-border data transfer;
(3) the Legal Document to be executed between the data processor and the overseas recipient;
(4) other materials as required for the security assessment.
Article 7 A provincial-level cyberspace administration authority shall complete a completeness check within five working days of the date of receipt of the application materials. If the application materials are complete, they shall be submitted to the national cyberspace administration authority; if the application materials are incomplete, they shall be returned to the data processor, who shall then be informed all at once of any materials to be supplemented. The national cyberspace administration authority shall, within 7 working days of the date of receipt of the application materials, determine whether to accept the application and notify the data processor of the decision in writing.
Article 8 The security assessment of a cross-border data transfer shall focus on assessing risks that may be brought about by the cross-border data transfer to national security, public interests, or the lawful rights and interests of individuals or organizations, which shall mainly cover the following matters:
(1) the legality, legitimacy, and necessity of the cross-border data transfer in terms of the purpose, scope, method, etc.;
(2) the impact of the data security protection policies and legislation and cybersecurity environment of the country or region where the overseas recipient is located on the security of the outbound data; whether the data protection level of the overseas recipient meets the requirements of laws and administrative regulations and the mandatory national standards of the People's Republic of China;
(3) the quantity, scope, type, and sensitivity of the outbound data, and the risks of the data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the cross-border data transfer;
(4) whether data security and personal information rights and interests can be sufficiently and effectively ensured;
(5) whether data security protection responsibilities and obligations are sufficiently stipulated in the Legal Document executed between the data processor and the overseas recipient;
(6) the compliance with China's laws, administrative regulations and departmental rules;
(7) other matters to be assessed as deemed by the national cyberspace administration authority.
Article 9 The data processor shall have the data security protection responsibilities and obligations clearly stipulated in the Legal Document executed with the overseas recipient, covering but not limited to the following:
(1) the purpose and method of the outbound data transfer and the scope of data, and the purpose and method of the data processing by the overseas recipient;
(2) the place and period for retention of the data overseas, and the measures to handle the data transferred overseas upon the expiration of the retention period, completion of the agreed purpose, or termination of the Legal Document;
(3) a requirement restricting the overseas recipient from retransferring the outbound data to any other organization or individual;
(4) the security measures to be adopted when there is any material change in the actual control or business scope of the overseas recipient, or when the data security protection policies and legislation and cybersecurity environment have changed or any other force majeure event has occurred in the country or region where the overseas recipient is located, which makes it difficult to ensure data security;
(5) the remedial measures, liability for breach of contract and dispute resolution in the event of breach of any data security protection obligation stipulated in the Legal Document;
(6) the requirements for proper emergency disposal and for ensuring the channels and ways for individuals to safeguard their personal information rights and interests when the outbound data is exposed to risks such as being tampered with, damaged, leaked, lost, relocated, or illegally acquired or used.
Article 10 After accepting an application, the national cyberspace administration authority shall, depending on the case, organize the relevant authorities of the State Council, provincial-level cyberspace administration authorities, specialized institutions, etc. to perform the security assessment.
Article 11 Where it is found during the security assessment that the application materials submitted by the data processor do not meet the requirements, the national cyberspace administration authority shall require the materials to be supplemented or corrected by the data processor in a timely manner. If the data processor refuses to do so without good reason, the national cyberspace administration authority may terminate the security assessment. Data processors shall be responsible for the authenticity of the materials they submit, and if they deliberately submit false materials, they shall be deemed to have failed to pass the security assessment and be held legally liable under the law.
Article 12 The national cyberspace administration authority shall complete the security assessment within 45 working days of the date of written notification of acceptance to a data processor; if the case is complicated or there are materials to be supplemented or corrected, this period may be extended as appropriate and the extension shall be notified to the data processor. The result of the security assessment shall be notified to the data processor in writing.
Article 13 If the data processor has any objection to the assessment result, the data processor may apply for a reassessment within 15 working days of the date of receipt of the assessment result to the national cyberspace administration authority, and the result of the reassessment shall be final.
Article 14 The result of the security assessment of an outbound data transfer shall be valid for two years commencing on the date of the issuance of the assessment result.
Where any of the following circumstances occur during the validity term, the data processor shall reapply for the security assessment:
(1) there is any change to the purpose, method, or scope of the outbound data transfer or the type of data, or change to the purpose or method of the data processing by the overseas recipient, which will affect the security of the outbound data, or the period for retaining personal information or important data overseas is to be extended;
(2) there is any change in the data security protection policies and legislation and cybersecurity environment or any other force majeure event that has occurred in the country or region where the overseas recipient is located, or any change in the actual control of the data processor or overseas recipient, or any change to the Legal Document executed between the data processor and the data recipient, which will affect the security of the outbound data;
(3) other circumstances that may affect the security of the outbound data.
If the data processor needs to continue the outbound data transfer activity after the expiration of the validity period, the data processor shall reapply for the assessment within 60 working days of the date of expiration of the validity period.
Article 15 Any relevant institution and staff participating in the security assessment shall keep confidential, as required by law, any state secret, personal privacy, personal information, trade secret, confidential business information, and other data that they have come to know in the course of performing their duties, and must not leak such data or illegally use or provide such data to any other person.
Article 16 Where any organization or individual discovers that a data processor has conducted any outbound data transfer in violation of these Measures, they may report it to the cyberspace administration authority at the provincial level or above.
Article 17 Where the national cyberspace administration authority discovers that any outbound data transfer activity which has passed the security assessment no longer meets the security requirements for outbound data transfers in the course of the actual implementation, it shall notify the data processor concerned in writing to terminate the outbound data transfer activity. If the data processor needs to continue the outbound data transfer activity, the data processor shall make rectification as required and, when the rectification is completed, reapply for the security assessment.
Article 18 Any violation of these Measures shall be dealt with in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations; if the violation constitutes a criminal offense, criminal liability shall be investigated in accordance with the law.
Article 19 For the purposes of these Measures, the term "important data" means any data the tampering, damage, leakage, or illegal acquisition or use of which, if it happens, may endanger national security, the operation of the economy, social stability, public health and security, etc.
Article 20 These Measures shall come into force on September 1, 2022. For any outbound data activity carried out before the entry into force of these Measures which is not in compliance with the provisions of these Measures, rectification shall be completed within 6 months of the date of entry into force of these Measures.
Officials of the Cyberspace Administration of China answered journalists' questions related to the Measures as follows.
Q: What are outbound data transfer activities according to the Measures?
A: According to the Measures, outbound data transfer activities mainly include:
1) Outbound transfer or storage of data collected and generated within the territory of China by a data processor.
2) Access to or use of data collected or generated within the territory of China by institutions, organizations or individuals overseas.
Q: Under what circumstances shall a data processor apply for a security assessment?
A: For an outbound data transfer by a data processor that falls under any of the following circumstances, the data processor shall apply to the national cyberspace administration authority for the security assessment via the local provincial-level cyberspace administration authority:
(1) outbound transfer of important data by a data processor;
(2) outbound transfer of personal information by a critical information infrastructure operator or a personal information processor who has processed the personal information of more than 1,000,000 people;
(3) outbound transfer of personal information by a personal information processor who has made outbound transfers of the personal information of 100,000 people cumulatively or the sensitive personal information of 10,000 people cumulatively since 1 January of the previous year; or
(4) other circumstances where an application for the security assessment of an outbound data transfer is required as prescribed by the national cyberspace administration authority.
Q: What risks shall the assessment mainly focus on?
A: The security assessment of a cross-border data transfer shall focus on assessing risks that may be brought about by the cross-border data transfer to national security, public interests, or the lawful rights and interests of individuals or organizations, which shall mainly cover the following matters:
(1) the legality, legitimacy, and necessity of the cross-border data transfer in terms of the purpose, scope, method, etc.;
(2) the impact of the data security protection policies and legislation and cybersecurity environment of the country or region where the overseas recipient is located on the security of the outbound data; whether the data protection level of the overseas recipient meets the requirements of laws and administrative regulations and the mandatory national standards of the People's Republic of China;
(3) the quantity, scope, type, and sensitivity of the outbound data, and the risks of the data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the cross-border data transfer;
(4) whether data security and personal information rights and interests can be sufficiently and effectively ensured;
(5) whether data security protection responsibilities and obligations are sufficiently stipulated in the Legal Document executed between the data processor and the overseas recipient;
(6) the compliance with China's laws, administrative regulations and departmental rules.
Q: What is the process for a cross-border data transfer security assessment?
A: First, a data processor shall, before applying for the security assessment of an outbound data transfer, conduct a self-assessment of the risks in the outbound data transfer. Second, the data processor shall apply to the national cyberspace administration authority for the security assessment via the local provincial-level cyberspace administration authority if their activities fit the requirements of the Measures. Third, the national cyberspace administration authority shall, within 7 working days of the date of receipt of the application materials, determine whether to accept the application and notify the data processor of the decision in writing, and complete the security assessment within 45 working days of the date of written notification of acceptance to a data processor. Fourth, the data processor shall reapply for the security assessment after the expiry of the validity period.
Q: How are the legitimate interests of data processors, such as trade secrets, protected during the assessment process?
A: The Measures stipulate that any relevant institution and staff participating in the security assessment shall keep confidential, as required by law, any state secret, personal privacy, personal information, trade secret, confidential business information, and other data that they have come to know in the course of performing their duties, and must not leak such data or illegally use or provide such data to any other person.
Q: When shall data processors declare a security assessment?
A: Data processors should declare and pass a security assessment before the outbound data transfer activity takes place. In practice, it is better for data processors to declare an assessment before signing a legal document with an offshore recipient.
Q: What are the possible results if a company applies for the security assessment of an outbound data transfer activity?
A: The first case is that the application is not accepted if a company's data transfer scenarios do not fall into the regulatory scope of the Measures. The second case is that a company can pass the security assessment. The third case is that a company cannot pass the security assessment and will not be allowed to carry out the outbound data transfer activity as it applied.
Q: What if the data processor objects to the assessment result?
A: If the data processor has any objection to the assessment result, the data processor may apply for a reassessment within 15 working days of the date of receipt of the assessment result to the national cyberspace administration authority, and the result of the reassessment shall be final.
Q: How long is the result of an assessment valid for?
A: The result of the security assessment of an outbound data transfer shall be valid for two years commencing on the date of the issuance of the assessment result. If the data processor needs to continue the outbound data transfer activity after the expiration of the validity period, the data processor shall reapply for the assessment within 60 working days of the date of expiration of the validity period.
Q: What is the legal liability for breaching the Measures?
A: Any violation of these Measures shall be dealt with in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations; if the violation constitutes a criminal offense, criminal liability shall be investigated in accordance with the law.
Q: What are the differences between security assessment, standard contract and certification of personal information protection?
A: Personal data processors shall apply for the security assessment if their data transfer scenarios are within the regulations of the Measures. If their data transfer scenarios are beyond the regulations of the Measures, personal data processors can go through certification of personal information protection or sign a standard contract with the data recipient to meet the relevant legal requirements.