China Issues Draft Guidance on Security Assessments for Cross-Border Data Transfers

The Cyberspace Administration of China has issued draft guidance on applying for and conducting security assessments for cross-border data transfers for public comment.

On October 29, 2021, the Cyberspace Administration of China ("CAC") issued draft Measures for the Assessment of Security of the Cross-Border Transfer of Data (the "Measures"). China's triumvirate of cybersecurity and privacy laws—the Cybersecurity Law, Data Security Law, and Personal Information Protection Law—requires a government security assessment before certain data can leave China.  

The Measures provide that a data handler (similar to a GDPR "data controller") must apply for a government security assessment:

  • If the data transferred contains personal information or important data collected or generated by operators of critical information infrastructure or is otherwise deemed to be important data—generally defined as data related to national security, economic development, or public interest; 
  • If the data handler processes the personal information of more than 1,000,000 data subjects, regardless of the number of data subjects whose personal information will be transferred;
  • If the personal information of more than 100,000 data subjects, or the sensitive personal information of more than 10,000 data subjects, will be transferred; and
  • In other situations determined by the CAC.

The numerical thresholds are intended to implement the Personal Information Protection Law and may change before the Measures are finalized depending on comments received.

To determine whether a government security assessment is necessary, data handlers must first conduct a self-assessment that will cover items similar to those in a data protection impact assessment under the GDPR. If an assessment is required, the data handler must then apply to the CAC and submit the specified paperwork, including the self-assessment report. Upon acceptance, the CAC must conduct the security assessment in collaboration with other specialized government departments within 45 days, or up to a maximum of 60 days for complex cases. The result will be provided to the data handler in writing.

In anticipation of these Measures being adopted, companies must be mindful of the type of data they are exporting, how much data they are exporting, and whether they have any special obligations under the various Chinese cybersecurity and privacy laws.

The Measures are open for public comment until November 21, 2021.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our "Contact Us" form, which can be found on our website. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.