According to the Cyberspace Administration of China (CAC), starting in September, an official “security assessment” will be required for data to be sent outside of China. This includes operators who have access to information on over 1 million people or have cumulatively provided information on more than 100,000 people.
The CAC, China’s top cyber regulating agency, announced the Measures on the Security Assessment for Data Export on July 7, 2022. “Data export” refers to the overseas transfer from China of data collected and generated within China, as well as the scenario in which a foreign entity or foreign individual is granted the authority to access any data stored within China.
The Measures prescribe several scenarios in which data processors are required to file an application with the authorities for a security assessment before exporting data. 1) The provision of important data outside the country; 2) Operators of Critical Information Infrastructure (CII); 3) Data processors processing the personal information of more than 1 million individuals; 4) operators that have transferred personal information of a total of 100,000 individuals on a cumulative basis since January 1 of the previous year; 5) operators that have transferred sensitive personal information of a total of 10,000 individuals on a cumulative basis since January 1 of the previous year.
The Measures will come into effect on September 1, 2022. The security assessment result is valid for two years. A data processor is also required to re-submit an application for a government security assessment in certain circumstances, such as where the cross-border data transfer purpose has changed.
Source: Central News Agency (Taiwan), July 8, 2022