Data Strategy Briefing — August 31, 2022
China’s Cyberspace Administration issued the first edition of outbound data transfer security assessment application guidelines on 31 August 2022, detailing submission materials, self-assessment requirements, and timelines ahead of the 1 September enforcement.
Executive briefing: On 31 August 2022 the Cyberspace Administration of China (CAC) released the first edition of its Guidelines for Security Assessment Declaration of Data Outbound Transfer (数据出境安全评估申报指南(第一版)) to operationalise the Measures for Security Assessment of Data Exports taking effect 1 September 2022 [1]. The guidelines specify how data processors must prepare applications for government-led security assessments when exporting important data or large volumes of personal information, providing detailed templates, submission channels, and review procedures [1]. Companies must assemble self-assessment reports, data transfer contracts, risk mitigation plans, and supporting evidence before submitting via provincial CAC offices within the required timelines.
The measures require security assessments for four scenarios: (1) data processors exporting important data; (2) critical information infrastructure operators or processors handling personal information of over one million individuals; (3) processors exporting personal information of 100,000 individuals or sensitive personal information of 10,000 individuals since 1 January of the previous year; and (4) other circumstances designated by CAC [2]. The guidelines clarify thresholds, documentation, and evaluation criteria, emphasising lawful basis, necessity, and security of cross-border transfers. Organisations have a grace period through 30 November 2022 to rectify non-compliant transfers; thereafter, unapproved exports are subject to penalties under the Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL).
Application workflow
Data processors must submit applications through provincial CAC offices where they are located. The guidelines outline a multi-step process: (1) data processor conducts a self-assessment; (2) prepares application materials; (3) submits to provincial CAC; (4) provincial CAC conducts completeness review and, if necessary, requests supplementary materials; (5) CAC’s national office organises expert evaluation; (6) CAC issues a written assessment conclusion valid for two years [1]. Applicants should anticipate a baseline review timeline of up to 45 working days from acceptance, extendable for complex cases.
The guidelines provide a checklist of required materials, including: application form; legal representative identification; business licences; data export contracts or legally binding documents; self-assessment report; and other documents evidencing compliance measures [1]. Foreign recipients may need to provide certifications of data protection capabilities, adherence to international standards, or commitments to cooperate with CAC inquiries.
Self-assessment requirements
Data processors must conduct comprehensive self-assessments prior to application, evaluating the legality, legitimacy, and necessity of data exports; the volume and sensitivity of data; the obligations of overseas recipients; and the potential impact on national security and public interests [1]. Assessments should consider data minimisation, retention periods, processing purposes, and data subject rights. The guidelines recommend documenting organisational structure, data governance frameworks, technical safeguards, and incident response mechanisms.
Risk analysis should address foreign legal environments (e.g., data access by foreign authorities), contractual safeguards, and enforcement feasibility. Applicants must include mitigation plans, such as encryption, anonymisation, data segregation, access controls, and audit regimes. Data processors should also assess previous security incidents, remedial actions, and any outstanding regulatory inquiries. The self-assessment report template requires detailed tables summarising risk ratings, control effectiveness, and improvement measures.
Contractual obligations with overseas recipients
The guidelines require data processors to execute legally binding agreements with overseas recipients covering data protection responsibilities, security measures, third-party sharing restrictions, incident notification timelines, cooperation with CAC assessments, and termination/return/deletion obligations [1]. Contracts must ensure recipients provide equivalent protection to Chinese laws, including compliance with PIPL requirements for data subject rights, data localisation (if applicable), and onward transfer constraints.
Data processors should review standard contractual clauses published by CAC (released in parallel draft form) and tailor them to specific transfers. Contracts must include dispute resolution mechanisms, governing law, and stipulations permitting CAC inspections or audits. Organisations should verify recipient capabilities through due diligence (e.g., security certifications, audit reports, privacy policies) and document evaluations in the application file.
Documentation and evidence
Supporting materials include system architecture diagrams, data flow maps, access control matrices, encryption policies, incident response plans, and personal information protection impact assessments (PIAs) [1]. Applicants should translate key documents into Chinese and ensure consistency across submissions. The guidelines emphasise the need for evidence demonstrating data minimisation, classification, and labelling practices, as well as employee training and third-party management.
Provincial CAC offices may request supplementary materials during completeness checks. Applicants must respond within the specified timeframes (often 10 working days). Failure to provide adequate evidence can result in rejection or the need to refile. Maintaining a central repository of compliance artefacts and version-controlled documentation will streamline responses.
Operational considerations
Organisations should establish cross-functional teams (legal, compliance, IT, data governance, security) to manage the assessment process. Key tasks include mapping cross-border data flows, categorising data as “important” or “personal,” and tracking export volumes to determine eligibility thresholds [2]. Companies should implement ongoing monitoring of data transfers to ensure thresholds are not exceeded without triggering reassessment.
For multinational enterprises, aligning CAC requirements with global transfer mechanisms (e.g., EU Standard Contractual Clauses, Binding Corporate Rules) is essential to avoid conflicting obligations. Firms may need to segregate Chinese data within domestic infrastructure or adopt localisation strategies. Incident response plans must incorporate CAC notification timelines (often required within 72 hours for major incidents) and outline coordination with overseas recipients.
Post-approval obligations
Approved security assessments remain valid for two years but require reassessment if circumstances change significantly – such as alterations to transfer purpose, data volume, overseas recipients, legal environment, or security incidents [2]. Data processors must submit annual reports to provincial CAC offices summarising export activities, incidents, and control effectiveness. They must also cooperate with CAC supervision, inspections, and audits. Failure to comply can lead to suspension of data exports, fines, or inclusion on social credit blacklists.
Companies should implement compliance monitoring dashboards tracking approval expiry dates, control remediation, and incident metrics. Internal audit functions can perform periodic reviews to ensure adherence to approved measures, while legal teams monitor updates to CAC guidance or additional versions of the application guidelines.
Compliance roadmap
- Data inventory: Catalogue data assets destined for export, classify importance and sensitivity, and quantify transfer volumes.
- Self-assessment: Conduct risk assessments aligned with CAC templates, documenting legal basis, necessity, and control effectiveness.
- Contract alignment: Update cross-border data transfer agreements to include CAC-mandated clauses, breach notification commitments, and audit rights.
- Submission governance: Create project timelines for compiling materials, obtaining executive approvals, and liaising with provincial CAC offices.
- Continuous monitoring: Implement dashboards and escalation procedures to track export volumes, control effectiveness, and upcoming reassessments.
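The threshold tracking described under Operational considerations and the "Continuous monitoring" roadmap item above both hinge on one calculation: the cumulative number of distinct individuals whose personal information has left the country since 1 January of the previous year, compared against the volume thresholds in the Measures. The following Python is an added illustration of that calculation; it is not code from CAC, the guidelines, or Zeph Tech. The transfer-event format, the `is_ciio` and `individuals_processed` fields, the sample batches and the dates are all assumptions constructed for the example; the thresholds are the ones stated in the briefing. Scenario (4), circumstances designated by CAC, cannot be computed and is deliberately left out.

```python
"""Cumulative export-volume tracker for CAC security-assessment triggers (added example)."""
from dataclasses import dataclass, field
from datetime import date

# Thresholds as stated in the Measures (see the four scenarios in the briefing).
PI_THRESHOLD = 100_000                  # distinct individuals, cumulative since the window start
SENSITIVE_PI_THRESHOLD = 10_000         # distinct individuals with sensitive PI, cumulative
LARGE_PROCESSOR_THRESHOLD = 1_000_000   # "over one million" individuals whose PI is handled


@dataclass
class TransferEvent:
    """One outbound transfer batch (assumed event format, not a CAC schema)."""
    exported_on: date
    individual_ids: frozenset[str]   # pseudonymous ids of the data subjects in the batch
    sensitive: bool = False           # batch contains sensitive personal information
    important_data: bool = False      # batch contains data classified as "important"


def window_start(as_of: date) -> date:
    """The counting window opens on 1 January of the year before ``as_of``."""
    return date(as_of.year - 1, 1, 1)


@dataclass
class ExportMonitor:
    """Accumulates transfer events and evaluates which assessment scenarios are met."""
    is_ciio: bool = False            # critical information infrastructure operator (assumed flag)
    individuals_processed: int = 0   # individuals whose PI the processor handles overall (assumed)
    events: list[TransferEvent] = field(default_factory=list)

    def record(self, event: TransferEvent) -> None:
        self.events.append(event)

    def cumulative_counts(self, as_of: date) -> tuple[int, int, bool]:
        """Distinct individuals (all PI, sensitive PI) exported inside the window, and whether
        any important data was exported in it. Overlapping batches are deduplicated by id."""
        start = window_start(as_of)
        all_ids: set[str] = set()
        sensitive_ids: set[str] = set()
        important = False
        for ev in self.events:
            if not (start <= ev.exported_on <= as_of):
                continue                      # outside the counting window: ignored
            all_ids |= ev.individual_ids
            if ev.sensitive:
                sensitive_ids |= ev.individual_ids
            important = important or ev.important_data
        return len(all_ids), len(sensitive_ids), important

    def triggered_scenarios(self, as_of: date) -> list[int]:
        """Numbers (1-3) of the Measures' scenarios currently met; scenario 4 is CAC-designated."""
        pi_count, sensitive_count, important = self.cumulative_counts(as_of)
        hits: list[int] = []
        if important:
            hits.append(1)
        if self.is_ciio or self.individuals_processed > LARGE_PROCESSOR_THRESHOLD:
            hits.append(2)
        if pi_count >= PI_THRESHOLD or sensitive_count >= SENSITIVE_PI_THRESHOLD:
            hits.append(3)
        return hits

    def headroom(self, as_of: date) -> dict[str, int]:
        """Individuals remaining before each volume threshold is reached (dashboard/escalation input)."""
        pi_count, sensitive_count, _ = self.cumulative_counts(as_of)
        return {
            "personal_information": max(0, PI_THRESHOLD - pi_count),
            "sensitive_personal_information": max(0, SENSITIVE_PI_THRESHOLD - sensitive_count),
        }


def build_sample_monitor() -> ExportMonitor:
    """Constructed sample: a non-CIIO processor, two overlapping sensitive batches,
    one batch before the window, and one small batch flagged as important data."""
    m = ExportMonitor(is_ciio=False, individuals_processed=250_000)
    ids_a = frozenset(f"u{i}" for i in range(6_000))          # 6,000 individuals
    ids_b = frozenset(f"u{i}" for i in range(3_000, 9_000))   # 6,000 individuals, 3,000 overlap
    m.record(TransferEvent(date(2020, 12, 15), ids_a, sensitive=True))   # before 2021-01-01 window
    m.record(TransferEvent(date(2021, 3, 1), ids_a, sensitive=True))
    m.record(TransferEvent(date(2022, 6, 1), ids_b, sensitive=True))
    m.record(TransferEvent(date(2022, 8, 1), frozenset({"u9999"}), important_data=True))
    return m


def sample_report(as_of_iso: str) -> dict:
    """Evaluate the constructed sample as of an ISO date, e.g. '2022-08-31'."""
    as_of = date.fromisoformat(as_of_iso)
    m = build_sample_monitor()
    pi_count, sensitive_count, important = m.cumulative_counts(as_of)
    return {
        "window_start": window_start(as_of).isoformat(),
        "distinct_individuals": pi_count,
        "distinct_sensitive": sensitive_count,
        "important_data": important,
        "scenarios": m.triggered_scenarios(as_of),
        "headroom": m.headroom(as_of),
    }


if __name__ == "__main__":
    print(sample_report("2022-08-31"))
```

Deduplicating by individual rather than summing batch sizes matters: the two sensitive batches above total 12,000 rows but only 9,000 distinct people, so the sensitive threshold is not yet met and the `headroom` output shows 1,000 individuals of margin. A real deployment would feed this from the data flow map and transfer logs, pseudonymise ids before counting, and escalate when headroom drops below an agreed buffer so that a transfer cannot quietly cross a threshold without an assessment being filed.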
Sources
- [1] CAC: Notice on publishing the Guidelines for Security Assessment Declaration of Data Outbound Transfer (First Edition).
- [2] CAC: Measures for Security Assessment of Data Exports.
Zeph Tech guides enterprises through China’s data export security assessments, document preparation, and ongoing compliance monitoring.