Measures for the Security Assessment of Outbound Cross-Border Data Transfer

Order of the Cyberspace Administration of China No. 11

July 7, 2022

The Measures for the Security Assessment of Outbound Cross-Border Data Transfer, adopted at the 10th office meeting of 2022 of the Cyberspace Administration of China on May 19, 2022, are hereby issued and shall come into force on September 1, 2022.

Zhuang Rongwen, Director of the Cyberspace Administration of China

Measures for the Security Assessment of Outbound Cross-Border Data Transfer

Article 1 The Measures are enacted in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations, to regulate outbound cross-border data transfer activities, protect personal information rights and interests, protect national security and social and public interests, and promote a safe and free flow of data across borders.

Article 2 These Measures shall apply to the security assessment of the provision of important data and personal information collected and generated by data processors in the course of their operations within the territory of the People's Republic of China by such data processors to overseas recipients (the “outbound data transfer”). Where there are other provisions in laws and administrative regulations, such other provisions shall prevail.

Article 3 The security assessment of outbound data transfers shall maintain a combination of ex-ante assessment and ongoing supervision, and a combination of risk self-assessment and security assessment, to prevent security risks in outbound data transfers and ensure an orderly and free flow of data in accordance with the law.

Article 4 For an outbound data transfer by a data processor that falls under any of the following circumstances, the data processor shall apply to the national cyberspace administration authority for the security assessment via the local provincial-level cyberspace administration authority:
(1) outbound transfer of important data by a data processor;
(2) outbound transfer of personal information by a critical information infrastructure operator or a personal information processor who has processed the personal information of more than 1,000,000 people;
(3) outbound transfer of personal information by a personal information processor who has made outbound transfers of the personal information of 100,000 people cumulatively or the sensitive personal information of 10,000 people cumulatively since 1 January of the previous year; or
(4) other circumstances where an application for the security assessment of an outbound data transfer is required as prescribed by the national cyberspace administration authority.

Article 5 A data processor shall, before applying for the security assessment of an outbound data transfer, conduct a self-assessment of the risks in the outbound data transfer focused on the following matters:
(1) the legality, legitimacy, and necessity of the outbound data transfer and the data processing by the overseas recipient in terms of the purpose, scope, method, etc.;
(2) the quantity, scope, type, and sensitivity of the outbound data, and the risks that may be brought about by the outbound data transfer to national security, public interests, or the lawful rights and interests of individuals or organizations;
(3) whether the responsibilities and obligations undertaken by the overseas recipient and the management and technical measures and capabilities of the overseas recipient to perform such responsibilities and obligations can ensure the security of the outbound data;
(4) the risk of the outbound data being tampered with, damaged, leaked, lost, relocated or illegally acquired or used during and after the outbound data transfer, whether the channels for individuals to safeguard their personal information rights and interests are unobstructed, etc.;
(5) whether data security protection responsibilities and obligations are sufficiently stipulated in the contract or other documents with legal force to be executed (collectively, the “Legal Document”) with the overseas recipient in relation to the outbound data transfer; and
(6) other matters that may affect the security of the outbound data transfer.
  ......