On 7 July 2022, the Cyberspace Administration of China released the Measures for the Security Assessment of Cross-border Data Transfer (hereinafter referred to as the Measures). The Measures, which represent another approach to the management of cross-border transfer of data, will come into force from 1 September 2022; a six-month transition period will be given to data processors and operators for adjustment.

Building on the overarching legal framework of the Cybersecurity Law (2016), the Data Security Law (2021) and the Personal Information Protection Law (2021), the Measures represent a supporting role for managing cross-border data transfer. Apart from the Measures, governmental authorities also released the Certification Requirements for Cross-border Transmission of Personal Information and the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (draft for comments) to improve the efficiency and ensure protection of cross-border transfer of data. The main difference among the three documents lies in their objectives and applicability. Specifically, the objectives of the Measures mainly relate to national security and public interest; in terms of applicability, all data processors and operators that fall under the scope of the regulation must necessarily apply for security assessment before transferring data overseas – whereas it is not mandatory for data processors or operators for transfer activities outside the scope of the Measures, as they can choose either the certification process or the adoption of standard contract clauses, based on their needs and requirements.

The following is a summary of key points that foreign enterprises shall pay attention to: