
Measures for the security assessment of outbound data transfers released by Cyberspace Administration of China
At a glance
- The Cyberspace Administration of China has published various measures in relation to the security assessment of outbound data transfers.
The Measures prescribe the circumstances under which an outbound data transfer security assessment should be reported, including:
- Outbound transfer of important data by a data processor;
- Outbound transfer of personal information by a critical information infrastructure operator or a personal information processor who has processed the personal information of more than 100,000 individuals;
- Outbound transfer of personal information by a personal information processor who has made outbound transfers of the personal information of 100,000 people cumulatively or the sensitive personal information of 10,000 people cumulatively since 1 January of the previous year; and
- Other circumstances where an application for the security assessment of an outbound data transfer is required as prescribed by the national cyberspace administration authority.
The Measures set specific requirements for outbound data transfer security assessments, stipulating that a data processor must, before applying for the security assessment of an outbound data transfer, conduct a self-assessment of the risks of the outbound data transfer.
In addition, the data processor must clearly agree the responsibilities and obligations for data security protection in the legal documents signed with the overseas receiving party. If a situation arises which affects the outbound data security within the validity period of the outbound data security assessment, the data processor must re-apply for further assessment. The Measures also specify an outbound data safety assessment procedure and supervision and management systems.
The security assessment requirements in the Measures have retroactive effect for cross-border data transfers conducted prior to the effective date, and there is a grace period of six months to rectify any noncompliant activities pertaining to data transfers out of China.
Given the rapidly changing landscape of PRC data privacy laws and regulations, businesses are advised to be alive to the publication of new regulations that may impact their compliance obligations, especially when they are a data processor under the Measures.