Reed Smith Client Alerts

On 7 July 2022, the Cyberspace Administration of China (the CAC) released the long-awaited final version of its Measures for Security Assessment of Cross-border Data Transfers (数据出境安全评估办法, the Measures). The Measures will apply to relevant businesses (as further described below) that are looking to transfer data out of China. The Measures take effect on 1 September 2022. A grace period of six months applies for cross-border transfers carried out before the effective date.

When does a business need to submit to a mandatory security assessment by the CAC?

If any of the following criteria are met, a business must submit to a mandatory security assessment by the CAC before it can transfer data out of China:

  1. The business is transferring ‘critical data’ (as defined below) out of China; or
  2. The business is: (a) a critical information infrastructure (CII) operator, or (b) processing the personal information of more than one million individuals; or
  3. The business has transferred out of China: (a) the personal information of more than 100,000 individuals, or (b) the sensitive personal information of more than 10,000 individuals, since 1 January of the previous year.

The CAC may also impose or identify other circumstances in which a security assessment is required.

What constitutes a ‘cross-border transfer’?

It remains to be seen how the CAC will interpret and implement the Measures. However, the following are common scenarios that will likely constitute a cross-border transfer and therefore be subject to the Measures:

  • A multinational company with local operations in China has a shared working system for all of its global offices, where employees outside China have remote access to critical data or personal information collected within China.
  • During their business travel in China, employees who are based outside China have access to critical data or personal information that is collected within China.
  • A foreign entity collects the personal information of Chinese data subjects for the purpose of selling goods or providing services to them, or assessing their individual behaviour.