The Cyberspace Administration of China (hereinafter referred to as “CAC”) promulgated Guidelines for the Application for Data Export Security Assessment (First Edition) (hereinafter referred to as “Guidelines (First Edition)”) on 31 August 2022. The Guidelines (First Edition) set forth the applicable circumstances, methods and process of data export security assessment (hereinafter referred to as “Security Assessment”) mentioned in the Measures for the Data Export Security Assessment (hereinafter referred to as “Assessment Measures”). In this article, the authors summarize the key points of the Guidelines (First Edition), for the ease of readers reference. (If you want a copy of a bilingual version of the Guidelines (First Edition) prepared by the authors, please follow Llinks Official WeChat account (通力律师) and reply “Application Guidelines”.)
1、Refine process of self-assessment and CAC assessment for data export
According to the Assessment Measures, data export security assessment mainly includes the following steps:
a) Where personal information is involved, a personal information protection impact assessment (hereinafter referred to as “PIA”) is required.
b) Prepare contracts/legal documents for data export.
c) Self-assessment for data export.
d) Apply to the cyberspace administration for Security Assessment.
e) Reassessment.
The Guidelines (First Edition) refines the specific process regarding the self-assessment and application of Security Assessment. Based on the Guidelines (First Edition), we have prepared an illustrative chart of the applicable procedures for data export. (Please click “Read More” to get the HD Illustrative Chart)
2、Definition of “data export” given, though with ambiguity
Article 4 of the Assessment Measures sets forth the specific applicable circumstances. On that basis, Guidelines (First Edition) further clarifies such circumstances of data export. (Please refer to the following table and diagram)

Despite the clarifications, ambiguity remains. Does data processor include the entrusted party of personal data processing, in case of data export? Whether provision of personal information and important data to an entity located but not officially registered in the PRC (such as embassies, consulates, foreign permanent press agencies and foreign journalists) will be deemed as data export? Hopefully, the regulatory authorities will answer these questions in the law enforcement practice.
3、57 working days at maximum for Security Assessment, with a possible extension
The Security Assessment includes three steps:
I. Completeness check of filing documents by the cyberspace administration office at provincial level (5 working days);
II. CAC review the materials and decide on acceptance (7 working days); and
III. Substantial assessment by CAC (45 working days).
The period can be further extended by CAC in case of complex situations or supplementation/correction of filing documents required.
4、Cyberspace administration offices at provincial level offer definition of important data
Assessment Measures only defines the concept of “important data”, without shedding light on identification criteria of important data. Furthermore, because the national standard Information Security Technology - Guideline for Identification of Critical Data is still evolving, data processors were at a loss to find out important data possessed or processed by it. After the release of the Guidelines (First Edition), some cyberspace administration offices at provincial level subsequently issued supplementary documents. For example, Work Guidelines for the Application for Data Export Security Assessment of Jiangsu(First Edition) provides the identification criteria for important data, which divides important data into seven categories, covering government data, genetic data, national defense research data, national economic operation data, safe production and operation data of key industries and fields, etc.
5、Contact information for consultation
With the release of the Guidelines (First Edition) and the Assessment Measures taking effect, some cyberspace administration offices at provincial level published hotlines for the application inquiries of Security Assessment.
An Illustration of Data Export Security Assessment Procedures
作者:DavidPan NigelZhu SusanDeng SamuelSong来源:通力律师事务所

The Cyberspace Administration of China (hereinafter referred to as “CAC”) promulgated Guidelines for