On 1 September 2022, the "Measures for Security Assessment of Data Exports" by the Cyberspace Administration of China (CAC) entered into force, with a grace period for 6 months, until 1 March 2023. The Measures aim to enact provisions of the "Network Security Law", "Data Security Law", and "Personal Information Protection Law" to protect personal information, safeguard national security, and promote the free flow of cross-border data. Specifically, the Measures require a data transfer security assessment to be submitted to the CAC by processors which transfer certain amounts or types of data abroad. A security assessment is required for important data, critical information infrastructures, processors of personal information of more than 1 million people wishing to transfer personal information abroad, and organisations which, in the previous year, have transferred abroad either personal information of 100'000 people or sensitive personal information of 10'000 people. Furthermore, the Measures stipulate the conditions and process for the security assessment, starting with a self-assessment. The actual security assessment by the responsible department focuses on potential risks to national security, public interest, and individual rights as a result of the data export activities in question. The Measures also lay out the minimum conditions to be contained in the export agreement with the overseas recipient, including purpose, scope, location, and duration of data storage, as well as cybersecurity and remedial provisions.
Original source