China released guidelines for security assessment of cross-border data transfers

September 3, 2022

By Donnie Dong

The Cyberspace Administration of China (CAC), the national cybersecurity authority empowered to review and approve applications for cross-border transfer of large-volume personal data, released the Guidelines on Application for Cross-border Data Transfer Security Assessment (the Guidelines) on August 31, 2022.


Under the PRC Personal Information Protection Law (PIPL) and subordinate regulations, a data controller/processor that proposes to transfer personal data outside of China should apply to the CAC for a “data security assessment” if the proposed transfer meets the following thresholds:

  1. it provides “important data” (as defined by the authority) outside Mainland China;
  2. it has been identified (by the government) as an operator of critical information infrastructure, or has processed over 1 million individuals’ personal information;
  3. it has provided overseas recipients with over 100,000 individuals’ personal information or over 10,000 individuals’ sensitive personal information during the last calendar year, or

(We have published a newsletter focusing on the situations where the above thresholds are not met. Click here to read.)

Defining cross-border data transfer

The PIPL does not define the “provision of personal data outside of China”. The general understanding is that it refers to a company operating in China copying or transmitting personal data it collected in China to foreign recipients.

The Guidelines do not go beyond this understanding, but they leave the CAC discretion to determine whether a data moving/copying process amounts to a cross-border data transfer. According to the Guidelines, the following scenarios would amount to the “provision of personal data outside of China”:

  1. where (i) personal data is collected and generated during a data sender’s operation in China and (ii) the data sender sends the data to or stores the data in a location outside of China;
  2. where the personal data is stored in China but can be queried, retrieved, downloaded and/or exported by foreign entities or individuals (unless such data is publicly accessible data); or
  3. other activities that the CAC determines to be cross-border data transfers (which gives the CAC wide discretion).


When a threshold is met, the Guidelines require the proposed data sender to produce and submit a set of documents along with the application form for the assessment. These include:

  1. the data sender’s company certificates, to establish its identity
  2. the data transfer agreement between the data sender and the data recipients – the CAC released Draft Standard Contractual Clauses (SCCs) in July (Click here to read our summary and comments on them)
  3. a self-assessment report on the proposed cross-border data transfer – the Guidelines have provided a template outline of such a report, which requires a thorough disclosure of how the data will be protected, transferred, and secured.

Contact us

Cross-border data transfer has become a key issue for multinational companies that have operations in China. Each company should develop a sound and practical compliance strategy with experienced advisors on the ground. Please contact us for a review of your data-transfer practice, so that we may tailor an appropriate action plan to sustain your business in China.

*   *   *   *   *

This communication is intended for informational purposes only and is not intended to create an attorney-client relationship or to constitute any form of advertisement.

*   *   *   *   *

Author: Dr. Donnie Dong is a partner of FuJae Partners, a Certified Information Privacy Manager (IAPP/CIPM), and an Adjunct Professor at the University of Hong Kong’s Academy of Senior Executives. He regularly advises MNCs, unicorns, and start-ups on cross-border intellectual property, data privacy, and related investment and contentious matters.