Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · MEASURES FOR THE SECURITY ASSESSMENT OF DATA EXPORT

Measures for the Security Assessment of Data Export.

数据出境安全评估办法

Promulgated by: Cyberspace Administration of China (CAC).
Document No.: Decree No. 11 of the Cyberspace Administration of China.
Adopted at the 10th executive meeting of the CAC in 2022 on May 19, 2022. Effective September 1, 2022.


Article 1. These Measures are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and regulations to regulate data provision abroad, protect personal information rights and interests, safeguard national security and social and public interests, and promote the security and free flow of data across borders.

Article 2. These Measures apply to the security assessment of critical data and personal information collected and generated by a data handler in its operation in the People’s Republic of China, which are to be provided abroad. Where it is otherwise provided for in laws and administrative regulations, such provisions shall prevail.

Article 3. Security assessment for data provision abroad shall follow principles of the combination of ex-ante assessment and continuous supervision and the combination of risk self-assessment and security assessment, so as to prevent the security risks arising from data provision abroad, and ensure the orderly and free flow of data according to the law. 100

Article 4. To provide data abroad under any of the following circumstances, a data handler shall declare security assessment for its provision of data abroad to the Cyberspace Administration of China (“CAC”) through the local cyberspace administration at the provincial level: (I) where a data handler provides critical data abroad;

(II) where a key information infrastructure operator or a data handler processing the personal information of more than one million people provides personal information abroad;

(III) where a data handler has provided personal information of 100,000 people or sensitive personal information of 10,000 people in total abroad since January 1 of the previous year; and

(IV) other circumstances prescribed by the CAC for which declaration for security assessment for data provision abroad is required.

Article 5. Prior to declaring security assessment for data provision abroad, a data handler shall conduct self-assessment on the risks of data provision abroad, with focus on the assessment of the following matters: (I) the legality, legitimacy and necessity of the purpose, scope and method of data provision abroad and data processing by the overseas recipient;

(II) the scale, scope, type and sensitivity of the data to be provided abroad, and the risks to national security, public interests or the legitimate rights and interests of individuals or organizations caused by data provision abroad;

(III) the responsibilities and obligations that the overseas recipient promises to undertake, and whether the overseas recipient’s management and technical measures and capabilities for performing its responsibilities and obligations can guarantee the security of data provision abroad;

(IV) risks of the data to be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after data provision abroad; whether the channel for the maintenance of personal information rights and interests is smooth;

(V) whether the relevant contracts on the data to be concluded with the overseas recipient or other legally binding documents (hereinafter referred to collectively as the “legal documents”) have fully agreed on the responsibilities and obligations to protect the data security; and

(VI) other matters that may affect the security of data provision abroad.

Article 6. To declare security assessment for data provision abroad, the following materials shall be submitted: (I) a declaration form;

(II) self- assessment report on the risks of data provision abroad;

(III) the legal documents to be concluded by the data handler and the overseas recipient; and

(IV) other materials necessary for security assessment.

Article 7. The cyberspace department at the provincial level shall complete the examination of the completeness of declaration materials within five working days after receiving them. Where the declaration materials are complete, they shall be submitted to the CAC; where the application materials are incomplete, they shall be returned to the data handler and the data handler shall be informed on a one-time basis of materials to be supplemented. The CAC shall, within seven working days after receipt of declaration materials, determine whether or not to accept the same, and notify the data handler of the same in writing.

Article 8. The security assessment for data provision abroad shall focus on the assessment of the risks to national security, public interests, or the legitimate rights and interests of individuals or organizations that may be caused by the activity of data provision abroad, mainly including the following matters: (I) the legality, legitimacy and necessity of the purpose, scope, and method of data provision abroad;

(II) the impact of the data security protection policies and regulations and the cybersecurity environment of the country or region where the overseas recipient is located on the security of data to be provided abroad, and whether the data protection level of the overseas recipient meets the requirements of the laws and administrative regulations of the People’s Republic of China and mandatory national standards;

(III) the size, scope, types and sensitivity of data to be provided abroad, and the risks that the data may be tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used during and after the data is provided abroad;

(IV) whether data security and personal information rights and interests can be fully and effectively guaranteed;

(V) whether the legal documents to be concluded by the data handler and the overseas recipient have fully agreed on the responsibilities and obligations of data security protection;

(VI) compliance with Chinese laws, administrative regulations and departmental rules; and

(VII) other matters that the CAC considers necessary to be assessed.

Article 9. A data handler shall expressly agree on the responsibilities and obligations of data security protection in the legal documents concluded with the overseas recipient, which shall at least include the following contents: (I) the purpose and method of data provision abroad and the scope of the data, and the purpose and method, etc. for processing the data by the overseas recipient;

(II) the location and duration of storage of the data abroad, as well as the handling measures for data provision abroad after the storage period expires, the agreed purpose is completed, or the legal documents are terminated;

(III) restrictive requirements on the overseas recipient’s re-provision of the data provided abroad to other organizations and individuals;

(IV) the security measures to be taken by an overseas recipient when actual control or business scope has changed substantially, data security protection policies and regulations and cybersecurity environment of the country or region where the overseas recipient is located have changed, or the occurrence of any other force majeure event, under which data security cannot be ensured;

(V) remedial measures, liability for breach of contract and dispute resolution in the event of violation of data security protection obligations agreed in legal documents; and

(VI) the requirements to properly carry out emergency response when the data provided abroad is at risk of being tampered with, destroyed, divulged, lost, transferred, illegally obtained or illegally used, as well as the ways and methods to protect people’s personal information rights and interests.

Article 10. After accepting a declaration, the CAC shall organize the relevant departments of the State Council, the cyberspace administration concerned at the provincial level and specialized agencies to conduct security assessment in light of the declaration.

Article 11. During the security assessment, if it is found that the declaration materials submitted by a data handler fail to meet requirements, the CAC may require the data handler to supplement or correct the materials. In case that the data handler fails to supplement or correct the materials without justified reasons, the CAC may terminate the security assessment. A data handler shall be responsible for the authenticity of the materials submitted. If a data handler submits false materials on purpose, it shall be deemed as failing in the assessment, and the data handler shall be held legal liable correspondingly according to the law. 45

Article 12. The CAC shall, within 45 working days of issuing a written notice of acceptance to the data handler , complete the security assessment for data provision abroad; if the situation is complicated or supplementary or corrected materials are needed, the assessment may be extended appropriately, and the data handler shall be notified of the expected extension period. The data handler shall be informed of the assessment results in writing.

Article 13. Where a data handler has any objection to the assessment results, it may, within 15 working days of receiving the results, apply to the CAC for a re-assessment, and the re-assessment results are final.

Article 14. The results of security assessment for data provision abroad are valid for two years, commencing from the date when the results are issued. The data handler shall re-apply for assessment if any of the following circumstances occurs within the valid period of time: (I) the purpose, method, scope and type of data provision abroad, or the purpose and method of data processing by the overseas recipient have changed, affecting the security of the data provided abroad, or extending the period of storage of personal information and critical data abroad;

(II) the security of the data provided abroad is affected due to changes in the data security protection policies or regulations or the cybersecurity environment of the country or region where the overseas recipient is located, any other force majeure event, or any change in the actual control of the data handler or the overseas recipient, or any change in the legal documents between the data handler and the overseas recipient; and

(III) any other circumstance affecting the security of the data provided abroad. If it is necessary to continue data provision abroad after the expiration of the period of validity, the data handler shall declare anew assessment 60 working days before the expiration of the period of validity.

Article 15. The relevant institutions and personnel participating in security assessment shall keep confidential state secrets, personal privacy, personal information, trade secrets, confidential business information and other data they have accessed to in fulfilling their duties, in accordance with the law, and shall not divulge or illegally provide the same to others or illegally use such data.

Article 16. Any organization or individual who discovers the provision of data abroad in violation of these Measures by any data handler may report the case to a cyberspace administration at the provincial level or above.

Article 17. Where the CAC finds that data provision abroad that has passed assessment no longer meets the requirements for security management of data provision abroad in the process of actual processing, it shall notify in writing the data handler to terminate data provision abroad. If the data handler needs to continue carrying out data provision abroad, it shall make rectification as required and, upon completion of the rectification, apply for assessment anew.

Article 18. Any violation of these Measures shall be dealt with in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China and other laws and regulations; if a crime is constituted, criminal liability shall be investigated in accordance with the law.

Article 19. For the purpose of these Measures, the term “critical data” refers to the data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc.

Article 20. These Measures shall come into force on September 1, 2022. For data provision abroad that have been carried out before effectiveness of these Measures, if not in compliance with these Measures, rectification shall be completed within six months from the effectiveness of these Measures.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

8 briefs reference this law.

  • § 01 · SECURITY-REVIEW

    One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era

    With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty.

    security-review · national-security · cybersecurity-review
  • § 02 · CROSS-BORDER

    The Negative-List Map, Region by Region: Ten Zones, Two Models, and the Year Data Export Went Province-Wide

    As of July 2026, ten Chinese regions — nine free-trade zones plus the Hainan Free Trade Port — have published data-export negative lists under Article 6 of the 2024 Cross-border Data Flows Provisions, and this year Beijing and Shanghai took the mechanism province- and city-wide, off the FTZ footprint entirely. DCC's roundup maps the full set: which sectors each zone lists (from Tianjin's 13 commodity categories to Guangdong's smart-manufacturing and personal-credit fields, Chongqing's intelligent-connected-vehicle chain, and Jiangsu's biopharma-only list), the two management models that have crystallized — pre-export filing versus Shanghai and Guangdong's 'transfer-first, report-after' — and how an overseas team should read the map. Compiled from the CAC's national negative-list index and each region's official notice, and paired with DCC's new downloadable negative-list registry.

    cross-border · negative-list · ftz-negative-list
  • § 03 · CROSS-BORDER

    First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing

    On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the Inditex group entity behind ZARA and Pull&Bear in China — received Shanghai's first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued under the Shanghai Data-Export Negative List Administrative Measures, cleared jointly by the Shanghai CAC and the Shanghai Data Bureau after same-day district-level initial review at the Jing'an District Cross-Border Data Service Center. The practical effect: member-information exports that previously sat in Data Export Security Assessment territory now clear on a Personal Information Standard Contract filing. DCC reads the case as the first operational proof of Shanghai's two policy moves — negative-list eligibility extended citywide beyond Pudong-registered enterprises, and volume thresholds inside listed scenarios (retail member management) raised so that non-sensitive member data between 1 and 10 million individuals falls to the standard-contract/certification tier. For overseas retail groups running membership programs out of China, this is the template case.

    cross-border · negative-list · shanghai
  • § 04 · ENFORCEMENT

    Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases

    In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.

    enforcement · cross-border-data · pipl
  • § 05 · DATA-ECONOMY

    China Halts Data-Asset ABS: Exchanges Pull the Handbrake on a ¥200 Billion Pipeline

    According to reporting by Caixin (财新) and 财联社 circulated on 3–5 June 2026, the Shanghai and Shenzhen stock exchanges issued window guidance bringing the entire data-asset ABS (数据资产ABS) business chain to a stop — new filings turned away, approved-but-unissued deals told to pause, even issuance-approved deals told to delay. This halts a category that exploded from roughly 11 issuances raising ~¥4.6bn in 2025 to 21 issuances and ¥15.4bn in the first five months of 2026, with a declared pipeline approaching ¥200bn. The stated trigger is mission drift: pure-data-asset deals are under 2% of the market, while local-government financing vehicles (城投/LGFV) used the loose, fast 'data-asset' label to repackage existing non-standard debt as standardised bonds — data as window-dressing, with no real data cash flow behind it. DCC reads the event, the structural reasons, the three審查 gates the exchanges are expected to harden, and what it means for anyone underwriting, rating, or investing in China data-asset financing.

    data-economy · data-asset-abs · securitisation
  • § 06 · FOREIGN-INVESTMENT-SECURITY-REVIEW

    Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export

    Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.

    foreign-investment-security-review · manus · ai-agent
  • § 07 · IMPORTANT-DATA

    How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan

    Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.

    important-data · data-classification · cross-border
  • § 08 · CROSS-BORDER

    FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data

    Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.

    cross-border · important-data · ftz-negative-list
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →