On August 31, 2022, one day before the Measures for Security Assessment of Cross-border Data Transfer (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the security assessment application (“CAC Guidance”). Covington’s previous posts on the Measures can be found here.

According to the Measures, organizations engaging in cross-border data transfers that trigger the following thresholds must go through a mandatory CAC-led security assessment:

  1. transfers of “important data” out of China (i.e., “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety”);
  2. transfers of personal information out of China by Critical Information Infrastructure (CII) operators or data processing entities that process personal information of over 1 million individuals; and
  3. transfers of personal information out of China since January 1 of the prior year that consist of the personal information of more than 100,000 individuals, or sensitive personal information of more than 10,000 individuals. 

The CAC Guidance addresses in more detail the requirement to undergo the CAC-led security assessment, and offers companies more information on materials needed and the review process.     

The CAC Guidance provides a list of the required application documents, which include an application form, a copy of cross-border data transfer agreements to be signed with the data recipient(s) outside of China, a self-assessment report on cross-border data transfer risks, as well as some basic documentation on the China-based data exporter (e.g., its business license).  The CAC Guidance also includes a template application form and a template self-assessment report.   

In addition to a general description of data transfer flows (such as an overview of transfer scenarios, transfer purposes, data to be transferred and information on data importers outside of China), certain technical details about cross-border data transmission must be described in the application form.  Specifically, according to a Q&A section of the CAC Guidance, the data exporter needs to describe the data transmission service provider, the number of data transmission lines and bandwidth, and the location of data centers in China and outside of China, as well as IP addresses of such infrastructure.

Covington’s in-house translation of the security assessment application form is available upon request.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as one of Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Xuezi Dan

Xuezi Dan is an associate in the firm’s Beijing office. Her practice focuses on regulatory compliance, with a particular focus on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China.

She also has experience advising clients on general corporate and antitrust matters.