Data Strategy Briefing — July 7, 2022
China’s July 2022 cross-border data transfer measures force enterprises to secure CAC approvals, run rigorous self-assessments, and prove technical and contractual safeguards for outbound personal and important data.
Executive briefing: On 7 July 2022 China’s Cyberspace Administration (CAC) finalised the Measures on Security Assessment of Cross-border Data Transfer, effective 1 September 2022. The measures operationalise the Personal Information Protection Law (PIPL) and Data Security Law, imposing mandatory government-led security assessments for certain outbound data transfers, including large-scale personal information, critical information infrastructure (CII) data, and important data. Enterprises must build rigorous governance, risk assessment, and contractual controls to demonstrate lawful transfer necessity, risk mitigation, and outcome assurance.
Trigger thresholds and applicability
The measures apply when:
- Any data processor exports important data collected or generated during operations in China.
- CII operators, or personal information processors handling the personal information of more than one million individuals, export any personal information.
- Since 1 January of the previous year, personal information processors have cumulatively transferred personal information of 100,000 individuals or sensitive personal information of 10,000 individuals abroad.
- Other circumstances determined by CAC require assessment.
Organisations must complete an internal self-assessment before applying, covering transfer necessity, scope, recipient security capability, the legal environment in the recipient country, and potential harm to individuals; the self-assessment report must have been completed within three months of the application date, with no material change in between. Applications are lodged through the provincial cyberspace authority, and CAC evaluates completeness, data classification, contractual safeguards, and residual risk, normally deciding within 45 working days of accepting the file (complex cases may be extended). An approval is valid for two years. A fresh assessment is required sooner if the transfer purpose, method, scope or data categories change, the overseas recipient's processing or retention changes, or the legal environment in the recipient country changes; to continue transferring after the two years, the processor must reapply at least 60 working days before expiry.
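The thresholds above are easy to state and easy to get wrong in practice: the cumulative trigger counts individuals, not transfer events, and only within a window that starts on 1 January of the previous year. The screen below is an added example written for this briefing (it is not CAC tooling or part of the Measures); the register and profile field layouts, the recipient name and the generated sample register are assumptions, and the thresholds are the Article 4 figures treated as inclusive, which matches the Chinese drafting and is the conservative reading.

```python
"""Screen a cross-border transfer register against the CAC security-assessment
triggers. Added example for this briefing; not CAC tooling. The record layout,
profile layout and sample data are assumptions; thresholds follow Article 4."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class TransferRecord:
    """One outbound transfer event from the enterprise register (assumed schema)."""
    transferred_on: date
    subject_id: str   # stable pseudonymous identifier for the individual
    sensitive: bool   # the record carried sensitive personal information
    recipient: str    # overseas recipient


@dataclass(frozen=True)
class ProcessorProfile:
    """Facts the register alone cannot show (assumed schema)."""
    is_cii_operator: bool
    exports_important_data: bool
    individuals_handled: int  # PI subjects processed in China, exported or not


# Article 4 figures. Chinese drafting ("以上", "达到") includes the figure itself,
# so every comparison below is inclusive, which is also the conservative reading.
HANDLED_THRESHOLD = 1_000_000
CUMULATIVE_PI_THRESHOLD = 100_000
CUMULATIVE_SENSITIVE_THRESHOLD = 10_000


def lookback_start(as_of: date) -> date:
    """The cumulative trigger counts from 1 January of the year before as_of."""
    return date(as_of.year - 1, 1, 1)


def cumulative_counts(records, as_of: date) -> tuple[int, int]:
    """Distinct individuals (all PI, sensitive PI) transferred inside the window.

    Counts people, not events: one person exported monthly is still one person,
    and records dated before the window start or after as_of do not count.
    """
    start = lookback_start(as_of)
    subjects, sensitive_subjects = set(), set()
    for rec in records:
        if start <= rec.transferred_on <= as_of:
            subjects.add(rec.subject_id)
            if rec.sensitive:
                sensitive_subjects.add(rec.subject_id)
    return len(subjects), len(sensitive_subjects)


def assessment_triggers(profile: ProcessorProfile, records, as_of: date) -> list[str]:
    """Return the Article 4 triggers that apply. An empty list means these facts
    do not force the mandatory assessment; the standard contract or certification
    routes may still be required for the transfer."""
    triggers = []
    exports_pi = len(records) > 0
    if profile.exports_important_data:
        triggers.append("important data exported")
    if exports_pi and profile.is_cii_operator:
        triggers.append("CII operator exporting personal information")
    if exports_pi and profile.individuals_handled >= HANDLED_THRESHOLD:
        triggers.append(f"processor of {profile.individuals_handled:,} individuals "
                        "exporting personal information")
    pi_count, sensitive_count = cumulative_counts(records, as_of)
    since = lookback_start(as_of).isoformat()
    if pi_count >= CUMULATIVE_PI_THRESHOLD:
        triggers.append(f"{pi_count:,} individuals transferred since {since}")
    if sensitive_count >= CUMULATIVE_SENSITIVE_THRESHOLD:
        triggers.append(f"sensitive PI of {sensitive_count:,} individuals transferred since {since}")
    return triggers


def build_sample_register(n_subjects: int, n_sensitive: int, first_day: date) -> list[TransferRecord]:
    """Constructed register: n_subjects distinct people, the first n_sensitive of
    them carrying sensitive PI, each exported twice to exercise deduplication."""
    records = []
    for i in range(n_subjects):
        day = first_day + timedelta(days=i % 300)
        sid = f"subj-{i:07d}"
        sensitive = i < n_sensitive
        records.append(TransferRecord(day, sid, sensitive, "eu-analytics"))  # assumed recipient
        records.append(TransferRecord(day + timedelta(days=30), sid, sensitive, "eu-analytics"))
    return records


if __name__ == "__main__":
    profile = ProcessorProfile(is_cii_operator=False, exports_important_data=False,
                               individuals_handled=400_000)
    register = build_sample_register(100_000, 10_000, date(2021, 1, 1))
    for reason in assessment_triggers(profile, register, date(2022, 9, 1)):
        print("assessment required:", reason)
```

Run against a real register, the two points to watch are the ones the sample exercises: a processor well below one million handled individuals can still cross the cumulative line through repeated exports, and a row-counting query over the same register would report double the true figure because each person appears twice.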
Governance and control expectations
Compliance programmes should integrate:
- Data classification and inventory. Maintain detailed registers of personal information and important data, identifying data elements, sensitivities, storage locations, and transfer paths. Align classification with sectoral standards (e.g., GB/T 35273) and industry-specific rules (finance, automotive, healthcare).
- Cross-border data transfer governance. Establish a cross-functional committee—including data protection officers, legal counsel, security leaders, and business owners—to review transfer justifications, assess necessity, and approve mitigation plans.
- Security risk assessments. Document pre-transfer assessments covering data volume, sensitivity, recipient technical and organisational measures, legal obligations in destination countries, and potential impact on national security or public interest.
- Contractual safeguards. Execute legally binding agreements with the overseas recipient (the CAC standard contract where that route applies, otherwise bespoke terms with the content the Measures require) covering data localisation, retention limits and disposal on expiry, onward transfer restrictions, breach notification obligations, remedies and liability for breach, and cooperation with Chinese authorities.
- Ongoing monitoring. Implement controls to continuously monitor data transfer volumes, anomalies, recipient compliance, and legal changes in destination countries. Maintain audit trails for regulatory inspection.
Outcome-focused testing should verify that technical controls—such as encryption, access controls, and data minimisation—achieve expected risk reductions. Enterprises must evidence that only necessary data is exported, access is limited to authorised personnel, and personal information subjects’ rights are preserved post-transfer.
Operational requirements and documentation
The application package to CAC must include:
- An application form detailing data categories, volumes, transfer purposes, transfer frequency, and retention periods.
- A self-assessment report covering compliance with Chinese laws, effectiveness of safeguards, and analysis of overseas legal environments.
- The data transfer contract or other legally binding documents between the data processor and overseas recipient.
- Personal information protection policies, cybersecurity incident response plans, and evidence of technical safeguards (e.g., encryption architecture diagrams, access control matrices).
Enterprises must retain logs of cross-border transfers for at least three years and provide them upon request. They should also be prepared to undergo on-site inspections, interviews, and technical testing by CAC or provincial cyberspace authorities.
Outcome testing and assurance
Regulators expect companies to go beyond documentation and demonstrate actual control effectiveness. Outcome testing may include:
- Simulated data exfiltration attempts, run with synthetic records rather than production personal information, to test encryption, network security monitoring, and automated blocking capabilities.
- Periodic review of data minimisation by comparing exported datasets against business requirements and identifying redundant fields.
- Audit trails showing fulfilment of personal information subjects’ rights (access, correction, deletion) even after data resides overseas.
- Assessments of overseas recipients’ compliance posture, such as SOC 2 reports, ISO/IEC 27001 certifications, or independent audits verifying adherence to Chinese contractual clauses.
- Verification of incident response drills coordinating Chinese and overseas teams, ensuring timely notification to CAC within required timeframes.
Organisations should maintain dashboards tracking key risk indicators: volume of personal information transferred, frequency of access by overseas teams, number of subject rights requests fulfilled, and time to remediate identified control gaps.
Sector-specific considerations
Different sectors face additional obligations:
- Financial services. Banks and payment institutions must also comply with People’s Bank of China (PBOC) and China Banking and Insurance Regulatory Commission (CBIRC) guidelines on outsourcing, data localisation, and anti-money laundering reporting. They should align cross-border transfers with cross-border renminbi settlement rules and maintain transaction monitoring capabilities within China.
- Automotive. Connected vehicle manufacturers are subject to the Provisions on the Administration of Automotive Data Security, requiring localisation of sensitive vehicle data and strict assessment for exports involving face recognition, precise geolocation, or vehicle diagnostics.
- Healthcare. Medical institutions must follow National Health Commission rules on personal health information, ensuring anonymisation or de-identification for research collaborations, and aligning with international data sharing agreements where permitted.
- Cloud and ICT providers. Cloud service providers must ensure that data stored in overseas regions remains segregated, that lawful interception requests are handled according to Chinese law, and that subcontractors (e.g., managed security service providers) adhere to contractual obligations.
These sectoral nuances require cross-functional coordination and may necessitate additional filings with lead regulators.
International interoperability and strategic planning
Multinational organisations should map CAC requirements against other regimes, including the EU General Data Protection Regulation (GDPR), APEC Cross-Border Privacy Rules, and U.S. sectoral privacy laws. While overlapping principles exist (risk assessments, contractual safeguards), China’s framework emphasises national security and government oversight. Companies should consider establishing China-specific data centres, localising analytics, and employing privacy-enhancing technologies to minimise cross-border transfers.
Strategic plans should include investment in data governance tooling, such as data discovery, classification, and lineage platforms; implementation of secure API gateways; and adoption of privacy-enhancing technologies (PETs) like homomorphic encryption or federated learning to reduce raw data transfer needs. Note that under PIPL only genuinely anonymised data falls outside the definition of personal information; de-identified or pseudonymised data remains personal information, so a PET lowers the risk of a transfer but does not by itself take it out of scope. Additionally, companies should develop contingency plans for CAC rejections, including localisation of processing or alternative data strategies.
Next steps and timeline
- 0–60 days: Conduct data mapping, classify data, and identify transfers meeting CAC thresholds. Assemble a cross-border data governance committee and initiate self-assessments.
- 60–120 days: Draft or update data transfer contracts, implement technical safeguards (encryption, access controls), and prepare application documentation. Engage with provincial CAC offices to clarify expectations.
- 120–180 days: Submit applications (the self-assessment report must be less than three months old at submission, so refresh it if the earlier work has aged), respond to regulator questions, and execute remediation plans arising from self-assessments. Develop ongoing monitoring dashboards and audit plans.
- Ongoing: Refresh risk assessments annually or upon material change, track overseas legal developments, and maintain readiness for inspections. Reapply at least 60 working days before the two-year validity expires.
Sources
- CAC Measures on Security Assessment of Cross-border Data Transfer (2022)
- CAC Q&A on security assessments
- Personal Information Protection Law of the People’s Republic of China
- Data Security Law of the People’s Republic of China
- GB/T 35273 Information security technology – Personal information security specification
Zeph Tech assists multinational enterprises in China by aligning CAC cross-border data transfer assessments with global privacy programs, deploying data governance tooling, and documenting control outcomes for regulator scrutiny.