China data export
China’s Measures for Security Assessment of Data Exports took effect on 1 September 2022, making CAC-led reviews mandatory for important data and large personal data transfers and triggering a 30 November rectification deadline.
The Cyberspace Administration of China’s (CAC) Measures for Security Assessment of Data Exports became effective on 1 September 2022, requiring data processors to complete government-led security assessments before transferring important data or large-scale personal information overseas [1]. The measures implement Article 38 of the Personal Information Protection Law (PIPL), Article 31 of the Data Security Law, and Article 37 of the Cybersecurity Law, forming a unified regime that scrutinises cross-border data flows for national security, public interest, and individual rights risks [1]. Teams have until 30 November 2022 to rectify ongoing transfers that fall within the scope; from 1 December, unapproved exports may trigger fines, suspension orders, or inclusion on social credit blacklists [2].
The measures apply to four categories: (1) data processors exporting important data; (2) critical information infrastructure operators (CIIOs) and processors handling personal information of more than one million individuals; (3) processors exporting personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals since 1 January of the previous year; and (4) other situations designated by CAC [1]. “Important data” is interpreted as data that, if tampered with, leaked, or destroyed, could jeopardise national security, economic operations, social stability, or public health. Local regulators may issue sector-specific catalogs to refine definitions, so firms must monitor industry guidance.
Assessment procedure
Data processors must conduct a full self-assessment covering the legality, legitimacy, and necessity of the transfer; the scale and sensitivity of the data; the security capabilities of overseas recipients; and the potential impact on national security and data subject rights [1]. Following the self-assessment, processors submit applications through provincial CAC offices, including the self-assessment report, data export contracts, and supporting documentation. Provincial CAC offices perform completeness checks before forwarding the file to the central CAC for substantive review, which may involve expert panels and coordination with sector regulators.
CAC has 45 working days to issue a decision once the application is formally accepted, extendable in complex cases [1]. Approved assessments are valid for two years; processors must reapply if transfer purposes, recipients, data volumes, legal environments, or security controls change materially. Annual reports to provincial CACs summarizing export activities and incident management are also required.
Documentation requirements
Applications must include: (1) application form; (2) legal representative identification; (3) business licenses; (4) contracts or legally binding documents with overseas recipients; (5) self-assessment report; and (6) other evidence demonstrating security measures [2]. Contracts must require data protection obligations, incident response cooperation, audit rights, data minimization, onward transfer restrictions, and termination procedures (including data deletion or return). Applicants should also provide network architecture diagrams, data flow maps, classification/labelling policies, encryption practices, access control logs, and incident response plans.
The CAC’s first-edition application guidelines (published 31 August 2022) furnish templates for self-assessments and data export contracts, emphasizing documentation of technical safeguards (encryption, anonymization), organizational controls (governance structures, training), and legal analyses (foreign jurisdiction risks, conflict of laws considerations) [2]. Maintaining translation consistency between Chinese and foreign-language documents is critical to avoid delays.
Risk assessment focus areas
Self-assessments must evaluate legal compliance, contract enforceability, and the ability to safeguard data subjects’ rights. Key focus areas include: data minimization, retention schedules, accuracy, purpose limitation, cross-border access controls, and the capacity to respond to data subject requests (access, correction, deletion) even when data resides overseas [1]. Processors must also assess foreign laws and practices that could compel recipients to disclose data to foreign authorities, documenting mitigation measures such as transparency reports, encryption, or refusing unlawful requests.
Security risk evaluation should cover infrastructure security, vulnerability management, intrusion detection, incident response, and backup/disaster recovery arrangements for data stored overseas. CAC will consider whether recipients hold relevant certifications (ISO/IEC 27001, SOC 2) and whether contractual commitments ensure equivalent protection. Companies should prepare risk matrices scoring likelihood and impact, with remediation actions and timelines.
Integration with other transfer mechanisms
The security assessment regime complements other cross-border transfer mechanisms under the PIPL, including CAC-approved standard contracts and personal information protection certification. Teams should evaluate whether certain transfers qualify for standard contracts (draft released June 2022) or certification (administered by the China Cybersecurity Review Technology and Certification Center) as alternatives for smaller-scale transfers [2]. However, transfers meeting the thresholds defined in the measures must undergo the security assessment regardless of other mechanisms.
Multinational corporations should align Chinese requirements with global frameworks such as EU Standard Contractual Clauses, GDPR transfer impact assessments, and U.S. export controls. Harmonized data governance reduces duplication and ensures consistent risk mitigation. Data processors should maintain a central repository of transfer approvals, contractual commitments, and audit findings to support global oversight.
Enforcement expectations
The measures empower CAC to order the suspension or termination of data exports, impose administrative penalties, and publicise non-compliance. Violations may also trigger liability under the PIPL (fines up to RMB 50 million or 5 percent of prior-year revenue) and the Data Security Law. Regulators may conduct on-site inspections, technical testing, and interviews with responsible personnel. Companies should be prepared to show real-time monitoring, logging, and access traceability for exported data.
Industries with significant cross-border data flows – such as cloud services, e-commerce, fintech, healthcare, and automotive – should anticipate sector-specific guidance and enforcement sweeps. Early engagement with provincial CAC officials, industry associations, and legal counsel can clarify expectations and identify practical challenges.
Action plan
- Threshold analysis: Quantify personal information and sensitive data exports to determine if assessments are mandatory; monitor changes in data volumes and business models.
- Self-assessment execution: Use CAC templates to conduct legal, technical, and organizational risk evaluations; remediate gaps before submission.
- Contract remediation: Update data transfer agreements to incorporate CAC-required clauses, overseas cooperation commitments, and audit rights.
- Submission management: Establish project governance for compiling materials, coordinating translations, and responding to CAC inquiries during review.
- Post-approval monitoring: Implement dashboards tracking approval validity, annual reporting obligations, incidents, and triggers for reassessment.
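The threshold analysis and post-approval monitoring steps above reduce to a small amount of decision logic that is easy to get wrong (the counting window opens on 1 January of the previous year, individuals must be counted distinctly rather than per transfer, and a two-year validity clock runs from approval). The following is an added worked example, not code from CAC or from the brief, that encodes the four trigger categories and the validity/reassessment rules described on this page. The record schema, the treatment of a CIIO exporting any personal information as a trigger, and the sample transfers are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class TransferRecord:
    """One outbound transfer of one individual's personal information (constructed schema)."""
    transferred_on: date
    individual_id: str
    sensitive: bool = False


@dataclass
class ProcessorProfile:
    is_ciio: bool = False                 # category (2): critical information infrastructure operator
    exports_important_data: bool = False  # category (1)
    individuals_processed: int = 0        # category (2): total individuals whose PI the processor handles
    cac_designated: bool = False          # category (4): otherwise designated by CAC
    transfers: list[TransferRecord] = field(default_factory=list)


def lookback_start(today: date) -> date:
    """Category (3) counts exports since 1 January of the year before `today`."""
    return date(today.year - 1, 1, 1)


def count_exported(transfers: list[TransferRecord], today: date) -> tuple[int, int]:
    """Distinct individuals (all PI, sensitive PI) exported inside the counting window."""
    start = lookback_start(today)
    all_ids: set[str] = set()
    sensitive_ids: set[str] = set()
    for t in transfers:
        if start <= t.transferred_on <= today:
            all_ids.add(t.individual_id)          # repeat transfers of one person count once
            if t.sensitive:
                sensitive_ids.add(t.individual_id)
    return len(all_ids), len(sensitive_ids)


def assessment_triggers(p: ProcessorProfile, today: date) -> list[str]:
    """Return every reason a CAC security assessment is mandatory (empty list if none)."""
    exported, sensitive = count_exported(p.transfers, today)
    window = lookback_start(today).isoformat()
    checks = [
        (p.exports_important_data, "exports important data"),
        (p.is_ciio, "CIIO exporting personal information (assumed trigger)"),
        (p.individuals_processed > 1_000_000, "handles PI of more than 1,000,000 individuals"),
        (exported > 100_000, f"exported PI of {exported} individuals (>100,000) since {window}"),
        (sensitive > 10_000, f"exported sensitive PI of {sensitive} individuals (>10,000) since {window}"),
        (p.cac_designated, "situation designated by CAC"),
    ]
    return [reason for hit, reason in checks if hit]


def assessment_required(p: ProcessorProfile, today: date) -> bool:
    return bool(assessment_triggers(p, today))


def approval_expiry(approved_on: date) -> date:
    """Approved assessments are valid for two years from the approval date."""
    try:
        return approved_on.replace(year=approved_on.year + 2)
    except ValueError:  # approval dated 29 February
        return approved_on.replace(year=approved_on.year + 2, day=28)


def reassessment_due(approved_on: date, today: date, material_change: bool = False) -> bool:
    """Reapply when the approval lapses or purposes, recipients, volumes, law or controls change materially."""
    return material_change or today >= approval_expiry(approved_on)


if __name__ == "__main__":
    # Constructed sample: three people, one of them transferred twice, one transfer before the window.
    sample = ProcessorProfile(transfers=[
        TransferRecord(date(2022, 3, 1), "u1"),
        TransferRecord(date(2022, 6, 1), "u1"),
        TransferRecord(date(2021, 2, 1), "u2", sensitive=True),
        TransferRecord(date(2020, 12, 31), "u3", sensitive=True),  # outside the window
    ])
    print(count_exported(sample.transfers, date(2022, 9, 1)))        # (2, 1)
    print(assessment_triggers(sample, date(2022, 9, 1)))             # []
    print(approval_expiry(date(2022, 12, 15)))                       # 2024-12-15
```

The dashboard step in the action plan can be driven from `assessment_triggers` (re-run whenever transfer volumes change) and `reassessment_due` (evaluated daily against each approval's date and a flag set by change management), so that both the mandatory-assessment question and the two-year validity clock are computed from records rather than remembered by individuals.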
Documentation
- [1] CAC Measures for Security Assessment of Data Exports.
- [2] CAC Guidelines for Security Assessment Declaration of Data Outbound Transfer (First Edition).
This brief supports multinational teams with China’s data export security assessments, contract alignment, and regulator engagement.
Data Management Implementation
Data management teams should assess how this development affects data collection, processing, storage, and sharing practices. Policy updates should address any new requirements for data handling, consent management, or purpose limitations. Technical setups should align with documented policies and support audit evidence collection demonstrating compliance with data management requirements.
Ongoing monitoring should verify that data processing activities continue to align with documented purposes and comply with applicable requirements as practices evolve.