
Data Strategy Briefing — September 1, 2022

China’s Measures for Security Assessment of Data Exports took effect on 1 September 2022, making CAC-led security assessments mandatory for exports of important data and large-scale personal information and giving transfers already under way six months, until 28 February 2023, to be brought into compliance.


Executive briefing: The Cyberspace Administration of China’s (CAC) Measures for Security Assessment of Data Exports became effective on 1 September 2022, requiring data processors to complete a government-led security assessment before transferring important data or large-scale personal information overseas.1 The measures implement Article 38 of the Personal Information Protection Law (PIPL), Article 31 of the Data Security Law, and Article 37 of the Cybersecurity Law, forming a unified regime that scrutinises cross-border data flows for risks to national security, the public interest, and individual rights.1 Transfers that were already under way when the measures took effect and fall within scope must be brought into compliance within six months of the effective date, i.e. by 28 February 2023; after that, unapproved exports may trigger fines, suspension orders, or inclusion on social credit blacklists.2

The measures apply to four categories: (1) data processors exporting important data; (2) critical information infrastructure operators (CIIOs) and processors that handle the personal information of more than one million individuals, regardless of how much of it is exported; (3) processors that have cumulatively exported the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals, since 1 January of the preceding year; and (4) other situations designated by CAC.1 “Important data” is interpreted as data that, if tampered with, leaked, or destroyed, could jeopardise national security, economic operations, social stability, or public health. Local regulators and sector ministries may issue catalogues that refine the definition for their industries, so firms must monitor industry guidance.

Assessment procedure

Data processors must conduct a comprehensive self-assessment covering legality, legitimacy, and necessity of the transfer; scale and sensitivity of data; security capabilities of overseas recipients; and the potential impact on national security and data subject rights.1 Following the self-assessment, processors submit applications through provincial CAC offices, including the self-assessment report, data export contracts, and supporting documentation. Provincial CAC offices perform completeness checks before forwarding to the central CAC for substantive review, which may involve expert panels and coordination with sector regulators.

CAC has 45 working days to issue a decision once the application is formally accepted, extendable in complex cases.1 Approved assessments are valid for two years; processors must reapply if transfer purposes, recipients, data volumes, legal environments, or security controls change materially. Annual reports to provincial CACs summarising export activities and incident management are also required.

Documentation requirements

Applications must include: (1) application form; (2) legal representative identification; (3) business licences; (4) contracts or legally binding documents with overseas recipients; (5) self-assessment report; and (6) other evidence demonstrating security measures.2 Contracts must stipulate data protection obligations, incident response cooperation, audit rights, data minimisation, onward transfer restrictions, and termination procedures (including data deletion or return). Applicants should also provide network architecture diagrams, data flow maps, classification/labelling policies, encryption practices, access control logs, and incident response plans.

The CAC’s first-edition application guidelines (published 31 August 2022) furnish templates for self-assessments and data export contracts, emphasising documentation of technical safeguards (encryption, anonymisation), organisational controls (governance structures, training), and legal analyses (foreign jurisdiction risks, conflict of laws considerations).2 Maintaining translation consistency between Chinese and foreign-language documents is critical to avoid delays.

Risk assessment focus areas

Self-assessments must evaluate legal compliance, contract enforceability, and the ability to safeguard data subjects’ rights. Key focus areas include: data minimisation, retention schedules, accuracy, purpose limitation, cross-border access controls, and the capacity to respond to data subject requests (access, correction, deletion) even when data resides overseas.1 Processors must also assess foreign laws and practices that could compel recipients to disclose data to foreign authorities, documenting mitigation measures such as transparency reports, encryption, or refusing unlawful requests.

Security risk evaluation should cover infrastructure security, vulnerability management, intrusion detection, incident response, and backup/disaster recovery arrangements for data stored overseas. CAC will consider whether recipients hold relevant certifications (ISO/IEC 27001, SOC 2) and whether contractual commitments ensure equivalent protection. Companies should prepare risk matrices scoring likelihood and impact, with remediation actions and timelines.

Operational readiness

Organisations should establish data transfer governance frameworks that integrate legal, compliance, cybersecurity, IT, procurement, and business stakeholders. Tasks include mapping cross-border data flows, classifying data categories, tracking transfer volumes, and identifying transfers that trigger assessments. Data localisation strategies (e.g., domestic data centres, segregated environments) may be necessary for high-risk datasets.

Incident response plans must align with CAC expectations: PIPL requires immediate remedial action and prompt notification of regulators and affected individuals when personal information is leaked, tampered with, or lost, and the export contract should bind the overseas recipient to the same timelines. Firms should run tabletop exercises covering cross-border incidents involving foreign partners, ensuring clear escalation paths and bilingual communications. Audit programmes should verify that overseas recipients adhere to contractual obligations, with site visits or third-party assessments where feasible.

Integration with other transfer mechanisms

The security assessment regime complements other cross-border transfer mechanisms under the PIPL, including CAC-approved standard contracts and personal information protection certification. Enterprises should evaluate whether certain transfers qualify for standard contracts (draft released June 2022) or certification (administered by the China Cybersecurity Review Technology and Certification Center) as alternatives for smaller-scale transfers.2 However, transfers meeting the thresholds defined in the measures must undergo the security assessment regardless of other mechanisms.

Multinational corporations should align Chinese requirements with global frameworks such as EU Standard Contractual Clauses, GDPR transfer impact assessments, and U.S. export controls. Harmonised data governance reduces duplication and ensures consistent risk mitigation. Data processors should maintain a central repository of transfer approvals, contractual commitments, and audit findings to support global oversight.

Enforcement expectations

The measures empower CAC to order suspension or termination of data exports, impose administrative penalties, and publicise non-compliance. Violations may also trigger liability under the PIPL (fines up to RMB 50 million or 5 percent of prior-year revenue) and the Data Security Law. Regulators may conduct on-site inspections, technical testing, and interviews with responsible personnel. Companies should be prepared to demonstrate real-time monitoring, logging, and access traceability for exported data.

Industries with significant cross-border data flows – such as cloud services, e-commerce, fintech, healthcare, and automotive – should anticipate sector-specific guidance and enforcement sweeps. Early engagement with provincial CAC officials, industry associations, and legal counsel can clarify expectations and identify practical challenges.

Action plan

  • Threshold analysis: Quantify personal information and sensitive data exports to determine if assessments are mandatory; monitor changes in data volumes and business models.
  • Self-assessment execution: Use CAC templates to conduct legal, technical, and organisational risk evaluations; remediate gaps before submission.
  • Contract remediation: Update data transfer agreements to incorporate CAC-required clauses, overseas cooperation commitments, and audit rights.
  • Submission management: Establish project governance for compiling materials, coordinating translations, and responding to CAC inquiries during review.
  • Post-approval monitoring: Implement dashboards tracking approval validity, annual reporting obligations, incidents, and triggers for reassessment.
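The threshold analysis above is usually the first step that trips teams up, because the thresholds count individuals, not rows or files, cumulatively across every recipient since 1 January of the previous year. The following Python script is an added example, not a CAC tool and not code from the briefing's sources: it walks a constructed internal transfer register, deduplicates data subjects across batches, ignores batches that predate the counting window, and reports which of the four categories an organisation currently meets. The register format, the pseudonymous subject IDs and the helper names are assumptions for illustration; the numeric thresholds are the ones stated in the briefing.

```python
"""Threshold analysis for China's data-export security assessment.

Added example, not the CAC's own tooling. Thresholds follow the briefing:
>100,000 individuals' personal information (PI) or >10,000 individuals'
sensitive PI exported cumulatively since 1 January of the previous year;
>1,000,000 individuals' PI held; any important data; any CIIO.
Register format, subject IDs and helper names are assumptions.
"""
from dataclasses import dataclass
from datetime import date

PI_THRESHOLD = 100_000
SENSITIVE_PI_THRESHOLD = 10_000
LARGE_PROCESSOR_THRESHOLD = 1_000_000


@dataclass(frozen=True)
class Transfer:
    """One cross-border transfer batch from an internal register (assumed format)."""
    sent_on: date
    recipient: str
    subject_ids: frozenset          # pseudonymous IDs of individuals whose PI was in the batch
    sensitive: bool = False         # batch contained sensitive PI (health, biometrics, finance...)
    important_data: bool = False    # batch contained data classified as important data


def lookback_start(today: date) -> date:
    """The cumulative counting window opens on 1 January of the year before `today`."""
    return date(today.year - 1, 1, 1)


def assessment_triggers(transfers, today, *, is_ciio=False, pi_individuals_held=0):
    """Return which categories an organisation meets as of `today`.

    Individuals are counted once across all batches and recipients: re-sending
    the same person's record does not move the organisation closer to a threshold.
    """
    start = lookback_start(today)
    pi_subjects, sensitive_subjects = set(), set()
    important = False
    for t in transfers:
        if not (start <= t.sent_on <= today):
            continue  # outside the cumulative window, excluded from the count
        pi_subjects |= t.subject_ids
        if t.sensitive:
            sensitive_subjects |= t.subject_ids
        important = important or t.important_data

    triggers = []
    if important:
        triggers.append("important data exported")
    if is_ciio:
        triggers.append("critical information infrastructure operator")
    if pi_individuals_held > LARGE_PROCESSOR_THRESHOLD:
        triggers.append("handles PI of >1,000,000 individuals")
    if len(pi_subjects) > PI_THRESHOLD:
        triggers.append("exported PI of >100,000 individuals since window start")
    if len(sensitive_subjects) > SENSITIVE_PI_THRESHOLD:
        triggers.append("exported sensitive PI of >10,000 individuals since window start")
    return {
        "window_start": start,
        "pi_individuals_exported": len(pi_subjects),
        "sensitive_individuals_exported": len(sensitive_subjects),
        "triggers": triggers,
        "assessment_required": bool(triggers),
    }


def ids(lo, hi):
    """Constructed pseudonymous subject IDs u<lo> .. u<hi-1>."""
    return frozenset(f"u{i}" for i in range(lo, hi))


# Constructed register for a single overseas recipient. Note the 20,000-person
# overlap between the two 2021/2022 batches and the batch that predates the window.
SAMPLE_LOG = [
    Transfer(date(2020, 12, 31), "eu-analytics", ids(0, 50_000)),          # before window, ignored
    Transfer(date(2021, 3, 15), "eu-analytics", ids(0, 60_000)),
    Transfer(date(2022, 6, 1), "eu-analytics", ids(40_000, 90_000)),       # overlaps previous batch
    Transfer(date(2022, 7, 20), "eu-analytics", ids(0, 4_000), sensitive=True),
]
TODAY = date(2022, 9, 1)


def baseline():
    """90,000 distinct individuals, 4,000 sensitive: below both thresholds."""
    return assessment_triggers(SAMPLE_LOG, TODAY)


def with_sensitive_spike():
    """One 10,500-person sensitive batch pushes the organisation over both thresholds."""
    spike = Transfer(date(2022, 8, 30), "eu-analytics", ids(200_000, 210_500), sensitive=True)
    return assessment_triggers(SAMPLE_LOG + [spike], TODAY)


if __name__ == "__main__":
    for label, r in (("baseline", baseline()), ("after sensitive batch", with_sensitive_spike())):
        print(label, r["pi_individuals_exported"], r["sensitive_individuals_exported"], r["triggers"])
```

The point of the second scenario is that a single batch can flip two categories at once: the 10,500 new sensitive records exceed the sensitive-PI threshold on their own and also lift the cumulative total past 100,000 individuals. A real register should key subjects on a stable pseudonymous identifier so that the deduplication is meaningful, and the window start should be recomputed on every run rather than stored, since it moves forward each 1 January.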

