On 7 July 2022, the Cyberspace Administration of China (the CAC) released the long-awaited final version of its Measures for Security Assessment of Cross-border Data Transfers. These Measures will apply to relevant businesses which are looking to transfer data from China to overseas. The Measures take effect on 1 September 2022. A grace period of six months applies for cross-border transfers carried out before the effective date.
If any of the following criteria are met, a business must submit to a mandatory security assessment by the CAC before it can transfer data out of China:
The CAC may also impose or identify other circumstances in which a security assessment is required.
In Measures of Security Assessment for Cross-Border Data Transfer, important data refers to data that if it is altered, destroyed, leaked, illegally acquired or illegally used, etc., may harm national security, economic operations, social stability, public health or security, etc. (art. 19)
In Regulations on the Security and Protection of Critical Information Infrastructure, CIIO is defined as companies engaged in "important industries or fields", including:
According to The PRC Personal Information Protection Law (PIPL)
Personal information refers to various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously. (PIPL art. 4)
Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity or natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, whereabouts, or the personal information of minors under the age of 14. (PIPL art. 28)