China Releases New Guidelines on Cross-Border Data Transfer Security Assessment

New Cross-Border Data Transfer Guidelines

China's Cyberspace Administration (CAC) has published comprehensive new guidelines detailing the security assessment procedures required for cross-border data transfers. These guidelines provide much-needed clarity for multinational companies operating in China.

Key Requirements

The guidelines specify that companies must conduct a self-assessment before applying for the mandatory government security review. Key factors include the volume of personal information being transferred, the data recipient's security capabilities, and the legal environment of the destination country.

Impact on Multinational Companies

For foreign companies operating in China, these guidelines provide a clearer roadmap for compliance. However, the requirements remain stringent, particularly regarding data localization and the need for explicit consent from data subjects. Companies in sectors like finance, healthcare, and telecommunications face additional scrutiny.

Timeline for Compliance

Organizations currently engaged in cross-border data transfers have been given a six-month transition period to complete the necessary assessments and obtain approval from the CAC.