Enhanced Scrutiny of Cross-Border Data Transfer Rules in China

More ESG Research and Insights are Available from GC Insights Contact: info@gc-insights.com for more information.


China’s cybersecurity regulatory agency, the Cyberspace Administration of China (“CAC”), issued the Cross-Border Data Transfer Security Assessment Measures on July 7, 2022, which will be effective September 1, 2022.




CAC formulates the Measures based on the Personal Information Protection Law ("PIPL") effective on November 1, 2021, the Data Security Law ("DSL") effective on June 1, 2021, and the Cybersecurity Law ("CSL") effective on June 1, 2017.


The Measures require data processors to correct any incompliance in their cross-border data transfer prior to the Measures within 6 months after the effectiveness of the Measures (September 1, 2022).


Once implemented, reassessment is required given circumstances remain unchanged, for new assessments to CAC 60 working days prior to the expiration of the 2-year validity term.