
China data export

China’s Cyberspace Administration issued the first edition of outbound data transfer security assessment application guidelines on 31 August 2022, detailing submission materials, self-assessment requirements, and timelines ahead of the 1 September enforcement.

Fact-checked and reviewed — Kodi C.


On 31 August 2022 the Cyberspace Administration of China (CAC) released the first edition of its Guidelines for Security Assessment Declaration of Data Outbound Transfer (数据出境安全评估申报指南(第一版)) to operationalize the Measures for Security Assessment of Data Exports taking effect 1 September 2022.[1] The guidelines specify how data processors must prepare applications for government-led security assessments when exporting important data or large volumes of personal information, providing detailed templates, submission channels, and review procedures.[1] Companies must assemble self-assessment reports, data transfer contracts, risk mitigation plans, and supporting evidence before submitting via provincial CAC offices within the required timelines.

The measures require security assessments for four scenarios: (1) data processors exporting important data; (2) critical information infrastructure operators or processors handling personal information of over one million individuals; (3) processors exporting personal information of 100,000 individuals or sensitive personal information of 10,000 individuals since 1 January of the previous year; and (4) other circumstances designated by CAC.[2] The guidelines clarify thresholds, documentation, and evaluation criteria, emphasizing lawful basis, necessity, and security of cross-border transfers. Teams have a grace period through 30 November 2022 to rectify non-compliant transfers; thereafter, unapproved exports are subject to penalties under the Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL).

Application workflow

Data processors must submit applications through provincial CAC offices where they are located. The guidelines outline a multi-step process: (1) data processor conducts a self-assessment; (2) prepares application materials; (3) submits to provincial CAC; (4) provincial CAC conducts completeness review and, if necessary, requests supplementary materials; (5) CAC’s national office organizes expert evaluation; (6) CAC issues a written assessment conclusion valid for two years.[1] Applicants should anticipate a baseline review timeline of up to 45 working days from acceptance, extendable for complex cases.

The guidelines provide a checklist of required materials, including: application form; legal representative identification; business licenses; data export contracts or legally binding documents; self-assessment report; and other documents evidencing compliance measures.[1] Foreign recipients may need to provide certifications of data protection capabilities, adherence to international standards, or commitments to cooperate with CAC inquiries.

Self-assessment requirements

Data processors must conduct full self-assessments before application, evaluating the legality, legitimacy, and necessity of data exports; the volume and sensitivity of data; the obligations of overseas recipients; and the potential impact on national security and public interests.[1] Assessments should consider data minimization, retention periods, processing purposes, and data subject rights. The guidelines recommend documenting organizational structure, data governance frameworks, technical safeguards, and incident response mechanisms.

Risk analysis should address foreign legal environments (for example, data access by foreign authorities), contractual safeguards, and enforcement feasibility. Applicants must include mitigation plans, such as encryption, anonymization, data segregation, access controls, and audit regimes. Data processors should also assess previous security incidents, remedial actions, and any outstanding regulatory inquiries. The self-assessment report template requires detailed tables summarizing risk ratings, control effectiveness, and improvement measures.

Contractual obligations with overseas recipients

The guidelines require data processors to execute legally binding agreements with overseas recipients covering data protection responsibilities, security measures, third-party sharing restrictions, incident notification timelines, cooperation with CAC assessments, and termination/return/deletion obligations.[1] Contracts must ensure recipients provide equivalent protection to Chinese laws, including compliance with PIPL requirements for data subject rights, data localization (if applicable), and onward transfer constraints.

Data processors should review standard contractual clauses published by CAC (released in parallel draft form) and tailor them to specific transfers. Contracts must include dispute resolution mechanisms, governing law, and stipulations permitting CAC inspections or audits. Teams should verify recipient capabilities through due diligence (for example, security certifications, audit reports, privacy policies) and document evaluations in the application file.

Documentation and evidence

Supporting materials include system architecture diagrams, data flow maps, access control matrices, encryption policies, incident response plans, and personal information protection impact assessments (PIAs).[1] Applicants should translate key documents into Chinese and ensure consistency across submissions. The guidelines emphasize the need for evidence demonstrating data minimization, classification, and labelling practices, as well as employee training and third-party management.

Provincial CAC offices may request supplementary materials during completeness checks. Applicants must respond within the specified timeframes (often 10 working days). Failure to provide adequate evidence can result in rejection or the need to refile. Maintaining a central repository of compliance artifacts and version-controlled documentation will simplify responses.

Operational considerations

Organizations should establish cross-functional teams (legal, compliance, IT, data governance, security) to manage the assessment process. Key tasks include mapping cross-border data flows, categorising data as “important” or “personal,” and tracking export volumes to determine eligibility thresholds.[2] Companies should implement ongoing monitoring of data transfers to ensure thresholds are not exceeded without triggering reassessment.

For multinational enterprises, aligning CAC requirements with global transfer mechanisms (for example, EU Standard Contractual Clauses, Binding Corporate Rules) is essential to avoid conflicting obligations. Firms may need to segregate Chinese data within domestic infrastructure or adopt localization strategies. Incident response plans must incorporate CAC notification timelines (often required within 72 hours for major incidents) and outline coordination with overseas recipients.

Post-approval obligations

Approved security assessments remain valid for two years but require reassessment if circumstances change significantly, such as alterations to transfer purpose, data volume, overseas recipients, legal environment, or security incidents.[2] Data processors must submit annual reports to provincial CAC offices summarizing export activities, incidents, and control effectiveness. They must also cooperate with CAC supervision, inspections, and audits. Failure to comply can lead to suspension of data exports, fines, or inclusion on social credit blacklists.

Companies should implement compliance monitoring dashboards tracking approval expiry dates, control remediation, and incident metrics. Internal audit functions can perform periodic reviews to ensure adherence to approved measures, while legal teams monitor updates to CAC guidance or additional versions of the application guidelines.

Source material

This brief guides enterprises through China’s data export security assessments, document preparation, and ongoing compliance monitoring.


  1. Guidelines for Application for Security Assessment for Outbound Data Transfers (First Edition) — Cyberspace Administration of China
  2. Standard Application Forms for Outbound Data Transfer Security Assessments — Cyberspace Administration of China
  3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization