New Draft Introduces Security Review for Cross-Border Data Exports

On 11 April 2017, China’s Cyberspace Administration (CAC) published the draft of a new regulation called Measures for the Security Review of Cross-Border Transfers of Individual and Important Data (chin. 个人信息和重要数据出境安全评估办法).

The draft is based on the new Cyber Security Law and China’s National Security Law, which were passed in 2016 and 2015 respectively. It forms the legal basis for a security assessment for data transfers out of China by internet operators. These include internet providers, administrators and online service providers (Art. 17).

For which data do I need a security review?

Art. 9 of the draft states that a security review is mandatory for data transfers meeting the following conditions:

  1. Data includes personal information of more than 500 000 persons
  2. Data volume exceeds 1000 GB
  3. Data includes information on sensitive areas, such as nuclear facilities, chemical and biological specimens, population health data, large engineering projects, marine
  4. environment, and sensitive geospatial data.
  5. Data on cyber security leaks and security related data breaches
  6. Other data related to national security, public welfare, or industrial management

What must data not be transferred out of China?

The following data must not leave China (Art. 10):

  • Individual information which can harm personal interests or has not received the approval by the concerned person
  • Information, which can pose a risk to the political, economic, scientific, or military security or to the public interest
  • Other information as defined by security organs

Who carries out the assessment?

According to the current text, the operators are required to conduct their own security review at least once a year (Art. 12)The assessment report should include the following information (Art. 8):

  1. Reason for the cross-border transfer
  2. Nature of individual data, including quantity, scope, type, grade of sensitivity, approval of persons concerned
  3. Nature of important data, including quantity, scope, type, grade of sensitivity
  4. Safety standards of recipient and safety environment of receiver country
  5. Risk evaluation of possible leakage, data corruption, falsification or abuse after transfer
  6. Risk evaluation with regard to national security, public interest, or individual rights
  7. Other information required

If the assessment is mandatory (see Art. 9), the assessment has to be submitted to the relevant industry or control agencies, which have to deliver their feedback within 60 working days (Art. 10).

What now?

The draft is open for public comments until 11 May 2017 . Remarks and opinions can be sent to the following e-mail ( ) or to:


 Richard2017 150x225   Richard Hoffmann

Richard Hoffmann is a partner at ECOVIS Beijing China. Richard obtained an honors degree in law and worked in Germany, the United States, and China for various prestigious law firms prior to joining ECOVIS. In addition to being a member of the board of ECOVIS International, he is Supervisor for the China business of a respected German company and shares his extensive knowledge to students by teaching commercial law in China at SRH Hochschule Heidelberg. He has published more than fifty articles in international magazines, frequently speaks at high profile events in China and abroad and is often invited as a legal expert by international TV stations. Contact:


Ecovis Beijing is the trusted tax and legal advisor to several embassies and official institutions in China. It specializes in mid-sized international companies and is focused on tax & legal advisory, accounting and auditing. If you’re interested in finding out more about tax and legal, don’t hesitate to sign up for our Newsletter, give us a call +86 (10) 6561 6609 or contact us directly via