On 7 July 2022, the Cyberspace Administration of China (CAC) issued the “Measures for Data Export Security Assessment” (数据出境安全评估办法, hereinafter referred to as the “Measures”), which will come into effect on 1 Sept. 2022.
According to the Measures, under certain circumstances, data processors providing data abroad shall apply to the CAC for security assessment via their local provincial-level cyberspace authority.
Specifically, the Measures applies to the security assessment of data processors providing abroad essential data or personal information that is collected or generated through their operations within the territory of China.
A data processor triggers a data export security assessment when:
(1) it provides essential data abroad;
(2) it is an operator of critical information infrastructure, or it processes over 1,000,000 people’s personal information;
(3) it has exported over 100,000 people’s personal information or 10,000 people’s sensitive personal information abroad since 1 Jan. of the previous year; or
(4) it encounters any other situation that requires a data export security assessment as stipulated by the CAC.