In September 2022, the Cyberspace Administration of China (the “CAC”) officially enacted the Measures on Security Assessment for the Cross-border Transfer of Data (the “Measures”). Under the Measures, an entity (the “data processor”) shall conduct a security assessment if its cross-border data transfer activities involves any of the following scenarios:

  1. the data it transfers abroad is “critical data”. “Critical data” refers to data in a specific area or group that, if leaked or tampered with, may directly endanger national security, economic operation, social stability, public health and safety, such as geographic information, personnel flow, vehicle flow, and other data in sensitive areas such as military zones, national defense units, and government organs;
  2. it is a critical information infrastructure operator as defined under Regulations on Critical Information Infrastructure Security Protection or it handles personal information of more than 1 million people;
  3. it has provided abroad, in aggregate, the personal information of at least 100,000 people or the sensitive personal information of at least 10,000 people, since January 1 of the previous year; or
  4. other circumstances as prescribed by the CAC.

Beijing Cyberspace Administration Office recently reported that, as of January 9, 2024, 117 companies and institutions in Beijing have submitted application materials relating to the security assessment of cross-border data transfer according to the Measures.[i] The report also stated that CAC has accepted the security assessment applications of 45 companies and has approved the applications of 39 companies. We will continue to report on China’s regulatory updates to data security and privacy rules, and monitor the actions companies are taking to stay compliant.