Data Strategy Briefing — September 1, 2022

Executive briefing: China’s Measures for the Security Assessment of Outbound Data Transfers entered into force on 1 September 2022. The rules obligate data handlers—especially critical information infrastructure operators and organisations transferring large volumes of personal or important data—to submit applications to the Cyberspace Administration of China (CAC) for security assessments before exporting data.

Key governance checkpoints

Applicability scoping. Determine whether outbound transfers exceed thresholds (e.g., personal information of over 100,000 individuals since 1 January 2019 or sensitive data for more than 10,000 people) that trigger mandatory CAC assessment.
Self-assessment documentation. Compile the required self-assessment report covering transfer necessity, recipient obligations, data protection capabilities, and risk mitigation plans.
Contractual safeguards. Align cross-border data transfer agreements with CAC-prescribed clauses on data protection, incident response, and termination.

Operational priorities

Submission workflows. Establish governance teams to prepare CAC filings, including Chinese translations, data inventories, and risk evidence.
Data minimisation. Review data flows to reduce export volumes and avoid exceeding thresholds where feasible.
Monitoring obligations. Implement annual reassessment schedules and triggers for material changes that require resubmission within 10 working days.

Enablement moves

Coordinate with sector regulators on overlapping security review requirements for finance, automotive, and health data.
Integrate CAC security assessment controls with China Standard Contract implementation and personal information protection impact assessments.

Sources

Zeph Tech helps multinationals build CAC security assessment dossiers, harmonise transfer contracts, and monitor reassessment triggers in mainland China.