---
title_en: "Measures for the Security Assessment of Data Export"
title_zh: "数据出境安全评估办法"
hierarchy: "rule"
issuing_body: "Cyberspace Administration of China (CAC)"
adopted_date: 2022-05-19
effective_date: 2022-09-01
status: "effective"
related_laws: ["pipl", "dsl", "cross-border-data-flows-provisions"]
domains: ["cross-border", "personal-information", "data-security"]
url: https://datacompliancechina.com/laws/data-export-security-assessment-measures/
summary: "The first of CAC's three cross-border transfer pathways. Required for CIIOs transferring any personal information or important data abroad, and for non-CIIO handlers above certain thresholds. Establishes the application procedure, evaluation factors, validity period, and self-assessment requirements. Read together with the 2024 Cross-border Data Flow Provisions, which relaxed thresholds."
---
**Promulgated by:** Cyberspace Administration of China (CAC).  
**Document No.:** Decree No. 11 of the Cyberspace Administration of China.  
**Adopted at the 10th executive meeting of the CAC in 2022 on May 19, 2022. Effective September 1, 2022.**

---

**Article 1.** These Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations to regulate data provision abroad, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of data across borders.

**Article 2.** These Measures apply to the security assessment of critical data and personal information collected and generated by a data handler in its operation in the People's Republic of China, which are to be provided abroad. Where it is otherwise provided for in laws and administrative regulations, such provisions shall prevail.

**Article 3.** Security assessment for data provision abroad shall follow principles of the combination of ex-ante assessment and continuous supervision and the combination of risk self-assessment and security assessment, so as to prevent the security risks arising from data provision abroad, and ensure the orderly and free flow of data according to the law.

**Article 4.** To provide data abroad under any of the following circumstances, a data handler shall declare security assessment for its provision of data abroad to the Cyberspace Administration of China ("CAC") through the local cyberspace administration at the provincial level: (I) where a data handler provides critical data abroad;

(II) where a key information infrastructure operator or a data handler processing the personal information of more than one million people provides personal information abroad;

(III) where a data handler has provided personal information of 100,000 people or sensitive personal information of 10,000 people in total abroad since January 1 of the previous year; and

(IV) other circumstances prescribed by the CAC for which declaration for security assessment for data provision abroad is required.

**Article 5.** Prior to declaring security assessment for data provision abroad, a data handler shall conduct self-assessment on the risks of data provision abroad, with focus on the assessment of the following matters: (I) the legality, legitimacy and necessity of the purpose, scope and method of data provision abroad and data processing by the overseas recipient;

(II) the scale, scope, type and sensitivity of the data to be provided abroad, and the risks to national security, public interests or the legitimate rights and interests of individuals or organizations caused by data provision abroad;

(III) the responsibilities and obligations that the overseas recipient promises to undertake, and whether the overseas recipient's management and technical measures and capabilities for performing its responsibilities and obligations can guarantee the security of data provision abroad;

(IV) risks of the data to be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after data provision abroad; whether the channel for the maintenance of personal information rights and interests is smooth;

(V) whether the relevant contracts on the data to be concluded with the overseas recipient or other legally binding documents (hereinafter referred to collectively as the "legal documents") have fully agreed on the responsibilities and obligations to protect the data security; and

(VI) other matters that may affect the security of data provision abroad.

**Article 6.** To declare security assessment for data provision abroad, the following materials shall be submitted: (I) a declaration form;

(II) self-assessment report on the risks of data provision abroad;

(III) the legal documents to be concluded by the data handler and the overseas recipient; and

(IV) other materials necessary for security assessment.

**Article 7.** The cyberspace department at the provincial level shall complete the examination of the completeness of declaration materials within five working days after receiving them. Where the declaration materials are complete, they shall be submitted to the CAC; where the application materials are incomplete, they shall be returned to the data handler and the data handler shall be informed on a one-time basis of materials to be supplemented. The CAC shall, within seven working days after receipt of declaration materials, determine whether or not to accept the same, and notify the data handler of the same in writing.

**Article 8.** The security assessment for data provision abroad shall focus on the assessment of the risks to national security, public interests, or the legitimate rights and interests of individuals or organizations that may be caused by the activity of data provision abroad, mainly including the following matters: (I) the legality, legitimacy and necessity of the purpose, scope, and method of data provision abroad;

(II) the impact of the data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of data to be provided abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People's Republic of China and mandatory national standards;

(III) the size, scope, types and sensitivity of data to be provided abroad, and the risks that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data is provided abroad;

(IV) whether data security and personal information rights and interests can be fully and effectively guaranteed;

(V) whether the legal documents to be concluded by the data handler and the overseas recipient have fully agreed on the responsibilities and obligations of data security protection;

(VI) compliance with Chinese laws, administrative regulations and departmental rules; and

(VII) other matters that the CAC considers necessary to be assessed.

**Article 9.** A data handler shall expressly agree on the responsibilities and obligations of data security protection in the legal documents concluded with the overseas recipient, which shall at least include the following contents: (I) the purpose and method of data provision abroad and the scope of the data, and the purpose and method, etc. for processing the data by the overseas recipient;

(II) the location and duration of storage of the data abroad, as well as the handling measures for data provision abroad after the storage period expires, the agreed purpose is completed, or the legal documents are terminated;

(III) restrictive requirements on the overseas recipient's re-provision of the data provided abroad to other organizations and individuals;

(IV) the security measures to be taken by an overseas recipient when actual control or business scope has changed substantially, data security protection policies and regulations and cybersecurity environment of the country or region where the overseas recipient is located have changed, or the occurrence of any other force majeure event, under which data security cannot be ensured;

(V) remedial measures, liability for breach of contract and dispute resolution in the event of violation of data security protection obligations agreed in legal documents; and

(VI) the requirements to properly carry out emergency response when the data provided abroad is at risk of being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used, as well as the ways and methods to protect people's personal information rights and interests.

**Article 10.** After accepting a declaration, the CAC shall organize the relevant departments of the State Council, the cyberspace administration concerned at the provincial level and specialized agencies to conduct security assessment in light of the declaration.

**Article 11.** During the security assessment, if it is found that the declaration materials submitted by a data handler fail to meet requirements, the CAC may require the data handler to supplement or correct the materials. If the data handler fails to supplement or correct the materials without justified reasons, the CAC may terminate the security assessment. A data handler shall be responsible for the authenticity of the materials submitted. If a data handler submits false materials on purpose, it shall be deemed as failing in the assessment, and the data handler shall be held legally liable correspondingly according to the law.

**Article 12.** The CAC shall, within 45 working days of issuing a written notice of acceptance to the data handler, complete the security assessment for data provision abroad; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended appropriately, and the data handler shall be notified of the expected extension period. The data handler shall be informed of the assessment results in writing.

**Article 13.** Where a data handler has any objection to the assessment results, it may, within 15 working days of receiving the results, apply to the CAC for a re-assessment, and the re-assessment results are final.

**Article 14.** The results of security assessment for data provision abroad are valid for two years, commencing from the date when the results are issued. The data handler shall re-apply for assessment if any of the following circumstances occurs within the valid period of time: (I) the purpose, method, scope and type of data provision abroad, or the purpose and method of data processing by the overseas recipient have changed, affecting the security of the data provided abroad, or extending the period of storage of personal information and critical data abroad;

(II) the security of the data provided abroad is affected due to changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the data handler or the overseas recipient, or any change in the legal documents between the data handler and the overseas recipient; and

(III) any other circumstance affecting the security of the data provided abroad.

If it is necessary to continue data provision abroad after the expiration of the period of validity, the data handler shall declare assessment anew 60 working days before the expiration of the period of validity.

**Article 15.** The relevant institutions and personnel participating in security assessment shall keep confidential state secrets, personal privacy, personal information, trade secrets, confidential business information and other data they have accessed in fulfilling their duties, in accordance with the law, and shall not divulge or illegally provide the same to others or illegally use such data.

**Article 16.** Any organization or individual who discovers the provision of data abroad in violation of these Measures by any data handler may report the case to a cyberspace administration at the provincial level or above.

**Article 17.** Where the CAC finds that data provision abroad that has passed assessment no longer meets the requirements for security management of data provision abroad in the process of actual processing, it shall notify in writing the data handler to terminate data provision abroad. If the data handler needs to continue carrying out data provision abroad, it shall make rectification as required and, upon completion of the rectification, apply for assessment anew.

**Article 18.** Any violation of these Measures shall be dealt with in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

**Article 19.** For the purpose of these Measures, the term "critical data" refers to the data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc.

**Article 20.** These Measures shall come into force on September 1, 2022. For data provision abroad that has been carried out before the effectiveness of these Measures, if not in compliance with these Measures, rectification shall be completed within six months from the effectiveness of these Measures.
