← Back to all briefings

Data Strategy · Credibility 50/100 · · 2 min read

Data Strategy Briefing — July 7, 2022

China's Cyberspace Administration finalised measures for security assessments of cross-border data transfers, setting filing triggers and timelines for localisation programs starting September 2022.

Executive briefing: On 7 July 2022 the Cyberspace Administration of China (CAC) issued the Measures for Security Assessment of Outbound Data Transfers, completing the rulebook that determines when companies must submit data export filings or keep information onshore. The measures apply from 1 September 2022 and introduce detailed criteria for critical data, volume thresholds, and contractual safeguards that multinational teams must evidence during CAC reviews.

Key localisation checkpoints

  • Trigger analysis. Inventory cross-border transfers to determine whether they exceed the thresholds in Article 4 (e.g., personal information of more than 100,000 individuals) or involve important data collected by critical information infrastructure operators.
  • Risk assessments. Establish outbound data transfer impact assessments that cover lawful purpose, data volume, recipient safeguards, and incident response as required under Article 5.
  • Contractual controls. Update processor agreements to include CAC-mandated clauses on data handling, retention, sub-processing, and termination assistance ahead of filing.

Operational priorities

  • Submission readiness. Build application packets with business justifications, data catalogues, security policies, and third-country legal analyses to meet the 45-working-day review window.
  • Governance alignment. Coordinate security, legal, and China business units on decision gates for new products that could surpass outbound transfer thresholds.
  • Monitoring. Implement telemetry that alerts governance teams when data export volumes approach CAC triggers, enabling proactive mitigation or filing preparation.

Enablement moves

  • Integrate CAC assessment checkpoints into product launch and vendor onboarding workflows touching China-origin data.
  • Establish bilingual playbooks for interacting with provincial CAC offices, including document templates and escalation contacts.

Sources

Zeph Tech guides multinational teams through CAC assessment readiness with China data inventories, filing playbooks, and cross-border risk controls.

  • Data localisation
  • Cross-border data transfer
  • China regulation
Back to curated briefings