On 31 August 2022, the Cyberspace Administration of China ("CAC") issued the first edition of the Guidelines on the Application of Security Assessment on Cross-border Data Transfer ("Guidelines") (数据出境安全评估申报指南(第一版)) to clarify how organisations in China can apply to CAC for a security assessment for cross-border data transfer. The Guidelines, which are intended to be guidance for the Measures for Security Assessment of Cross-border Data Transfer ("Measures") (数据出境安全评估办法), were released one day before the Measures took effect on 1 September 2022.
The Guidelines repeat the circumstances in which a mandatory CAC-led security assessment is required under the Measures: (i) transfers of important data out of China; (ii) transfers of personal information out of China by critical information infrastructure operators or data processing entities that process personal information of over one million individuals; (iii) transfers of personal information out of China since 1 January 2021 that consist of personal information of more than 100,000 individuals, or sensitive personal information of more than 10,000 individuals; or (iv) other circumstances as may be specified by CAC.
Schedule 1 of the Guidelines provides a list of the required application documents, including but not limited to (i) an application form (a template of which is set out in Schedule 3 of the Guidelines), (ii) a self-assessment report on cross-border data transfer risks (a template of which is set out in Schedule 4 of the Guidelines), and (iii) a copy of cross-border data transfer agreements to be co-signed by the data recipient(s) outside of China. The self-assessment shall be completed within three months prior to the submission of the application. There should not be any material changes between the completion of the self-assessment and the submission of the application; otherwise, a fresh self-assessment may be required.