← Back to all briefings
Data Strategy 5 min read Published Updated Credibility 40/100

Data Strategy Briefing — China Cross-Border Data Security Assessments Effective

China's Cyberspace Administration began enforcing mandatory security assessments for certain cross-border data transfers on 1 September 2022, requiring exporters to file assessments or adopt standard contracts before transmitting regulated data overseas.

Zeph Tech Research Lead

Research lead, Zeph Tech

Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

On 1 September 2022 China's Cyberspace Administration (CAC) began enforcing the Measures for Security Assessment of Outbound Data Transfers. Certain data exporters—critical information infrastructure operators, large-scale processors, and handlers of important or sensitive personal information—must submit a CAC security assessment or adopt approved standard contracts before transferring regulated data overseas.

What changed

  • Security assessment filings became mandatory for qualifying data handlers ahead of cross-border transfers, with review timelines up to 45 working days and two-year validity.
  • Thresholds include exporting important data, personal data of more than 1 million individuals, or sensitive personal information of 100,000 individuals.
  • The regime complements PIPL and Data Security Law requirements and will be harmonized with Standard Contract implementation.

Why it matters

  • Global firms operating in China must inventory outbound data flows, classify data per CAC definitions, and decide whether to file assessments or restructure processing to avoid thresholds.
  • Vendors relying on centralized analytics or support must evaluate whether mirrored processing in China is required to reduce export volumes.
  • Compliance artifacts (risk reports, contracts, third-party audits) are now prerequisites for sustained cross-border transfers.

Action checklist

  • Create and maintain an outbound data transfer register mapping systems, recipients, volumes, and data types against CAC thresholds.
  • Prepare documentation for security assessments, including data flow diagrams, encryption controls, retention policies, and supplier due diligence.
  • Align Standard Contract adoption and privacy notices with CAC filing requirements to ensure continuity of cross-border services.
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • China
  • Cross-border data
  • Localization
  • Security Assessment
  • Compliance
Back to curated briefings