← Back to all briefings
Data Strategy 5 min read Published Updated Credibility 40/100

China Cross-Border Data Security Assessments Effective

China's Cyberspace Administration began enforcing mandatory security assessments for certain cross-border data transfers on 1 September 2022, requiring exporters to file assessments or adopt standard contracts before transmitting regulated data overseas.

Kodi C.

Editor & Research Lead

Editorially reviewed for factual accuracy

Data strategy pillar illustration for Zeph Tech briefings
Data strategy, stewardship, and privacy briefings

On China Measures for the Security Assessment of Outbound Data Transfer became effective, establishing mandatory security review requirements for certain categories of cross-border data transfers. Organizations exporting personal information or important data from China must complete government-led security assessments before transfer, with applications processed by the Cyberspace Administration of China.

Trigger Conditions for Security Assessment

The Measures establish specific conditions that require organizations to complete security assessments before transferring data outside China. Organizations must evaluate their data transfer activities against these criteria to determine compliance obligations.

  • Critical information infrastructure operators. Any outbound transfer of personal information or important data by CIIO operators requires security assessment regardless of volume or sensitivity.
  • Important data transfers. Transfers of data classified as important data under China data classification framework require security assessment regardless of the transferring entity classification.
  • Large-scale personal information transfers. Organizations that have processed personal information of more than one million individuals must complete security assessment for outbound transfers.
  • Cumulative transfer thresholds. Organizations that have transferred personal information of more than 100000 individuals or sensitive personal information of more than 10000 individuals since January 1 of the previous year require security assessment.

Security Assessment Process

The assessment process involves self-assessment by the transferring organization followed by government review. If you are affected, build sufficient lead time into data transfer planning given assessment timelines and potential requests for additional information.

  • Self-assessment. Organizations must complete preliminary self-assessment evaluating transfer necessity, data sensitivity, recipient security capabilities, and risk mitigation measures before submitting government applications.
  • Application submission. Formal applications to CAC include detailed documentation of data categories, transfer purposes, recipient information, and security measures implemented to protect transferred data.
  • Government review. CAC reviews applications within 45 working days, though complex cases may require extended review periods. Assessments remain valid for two years unless circumstances change materially.

Recipient Requirements and Contractual Obligations

Security assessments evaluate not only the data and transferring organization but also the security capabilities and commitments of overseas data recipients. Organizations must ensure recipients can meet Chinese regulatory expectations.

  • Security capability assessment. Recipients must show adequate technical and organizational measures to protect transferred data consistent with Chinese data protection requirements.
  • Contractual protections. Transfer agreements must include specific provisions addressing data protection obligations, audit rights, and remediation procedures for security incidents.
  • Ongoing compliance. Recipients must maintain security measures throughout the data retention period and cooperate with Chinese regulatory inquiries regarding transferred data.

Compliance Implementation Steps

  • Data flow mapping. Inventory all outbound data transfers from China operations, identifying data categories, volumes, recipients, and current legal bases for transfer.
  • Threshold assessment. Evaluate transfer activities against security assessment trigger conditions to determine which transfers require government review.
  • Self-assessment completion. Prepare self-assessment documentation for transfers requiring security assessment, evaluating risks and mitigation measures.
  • Application preparation. Compile application materials including data inventories, recipient information, and contractual agreements for CAC submission.

Coordination with Other Transfer Mechanisms

The security assessment requirements operate alongside other cross-border transfer mechanisms under Chinese law including standard contract clauses and personal information protection certification. If you are affected, evaluate which mechanisms apply to their specific transfer scenarios and ensure full compliance across all applicable requirements.

You may also find useful

Hand-picked articles on adjacent topics.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Data Strategy Operating Model Guide

    Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

  • Data Interoperability Engineering Guide

    Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

  • Data Stewardship Operating Model Guide

    Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

Coverage intelligence

Published
Coverage pillar
Data Strategy
Source credibility
40/100 — low confidence
Topics
China · Cross-border data · Localization · Security Assessment · Compliance
Sources cited
3 sources (cac.gov.cn, iso.org)
Reading time
5 min

Documentation

  1. CAC Measures on Security Assessment of Cross-Border Data Transfers
  2. CAC FAQs on outbound data transfer assessments
  3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization
  • China
  • Cross-border data
  • Localization
  • Security Assessment
  • Compliance
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.