On 13 June 2019 the Cyberspace Administration of China (CAC) released the Measures on Security Assessment of Cross-Border Transfer of Personal Information (Draft for Comment), which is open for public comment until 13 July 2019.(1)

According to the draft, network operators must apply to the provincial-level cyberspace administration for a security assessment before conducting cross-border transfers. If there are multiple recipients of the personal information, multiple security assessments are needed. New assessments should be conducted:

  • every two years; or
  • if there are changes to the:
    • purpose of the cross-border transfer;
    • type of personal information; or
    • timeframe that the personal information is being stored abroad.

When applying to the cyberspace administration for a security assessment, network operators should submit:

  • a declaration application;
  • a contract between the network operator and the recipient of the personal information;
  • an analysis report on the security risks and security protection measures taken for the cross-border transfer; and
  • any other documents required by the CAC.

The provincial-level cyberspace administration should complete the security assessment within 15 days of the receipt of the above documents, and report the result of the security assessment to the central CAC.

The draft requires that network operators record all cross-border transfers and retain the records for at least five years. Network operators should also report annually to their provincial-level cyberspace administration regarding cross-border transfers of personal information and the performance of their contracts.

For further information on this topic please contact Samuel Yang or Hongyu Jiang at AnJie Law Firm by telephone (+86 10 8567 5988) or email ([email protected] or [email protected]). The AnJie Law Firm website can be accessed at www.anjielaw.com.


(1) Further information is available here (in Chinese).