China issues detailed guidelines on application for government approval for outbound transfer of data

October 2022

According to the China Cybersecurity Law, Data Security Law and Personal Information Protection Law, the transfer of certain data outside of Mainland China (“China”) requires prior Chinese government approval (which is called “security assessment”). Many of the data in the TMT industry would fall within the scope. In such cases, the consent of the data subject is not sufficient.

On 7 July 2022, the Cyberspace Administration of China (“CAC”) issued the Measures on Security Assessment of Cross-border Data Transfer (“Measures”) governing the security assessment process. The Measures took effect on 1 September 2022. The Measures require that any transfer of data outside of China which is not compliant with the Measures shall be rectified by 1 March 2023.

On 31 August 2022, China issued guidelines for applying for security assessment for cross-border transfer of personal information. The guidelines include detailed steps in the application process, template documents and checklists of information and documents for use when applying for security assessment. The guidelines also include a checklist of issues to address in cross-border personal data transfer impact assessment.