The third iteration of the guidelines simplifies the materials that data handlers must submit for a cross-border data security assessment and refines the associated procedures.
China’s Internet regulator has again updated guidelines designed to streamline data cross-border security assessments, underscoring the administration’s ongoing drive to simplify outbound data transfers.
The third iteration of the guidelines simplifies the materials that data handlers must submit for a cross-border data security assessment and refines the associated procedures.
The initial version, released in 2022, offered comprehensive details on the declaration requirements, including the methods, steps, and supporting documentation necessary for compliance.
A notable change in the revised declaration template is the integration of the letter of commitment directly into the document. This letter previously served as a separate pledge confirming the authenticity of materials and cooperation with regulatory reviews.
The updated guidelines introduce a separate template for reporting cross-border data links. Data handlers must include network domain names, IP addresses of both parties, and methods used for outbound transfers in their risk assessment reports. These reports must also detail company security capabilities and the overseas recipient’s data protection measures, along with legal references to security obligations.
Applications to extend the validity of previous outbound data security assessments must meet strict criteria. These include maintaining the same transfer purpose, scope, and parties involved, and limiting any increase in transferred data or individuals’ personal information to no more than 20% over the next three years, compared to the previous assessment period.
Legal agreements must align with Article 9 of the cross-border data security assessment measures, effective since September 2022. Authorities will review compliance with past assessment outcomes and check for any major data security incidents before approving an extension.
Applications can be submitted online, though certain entities — like critical infrastructure operators — may apply offline. Provincial regulators have five working days to verify application completeness, while national authorities are expected to issue a decision within 20 working days. In complex cases, the review period may be extended with due notice to applicants.
Source: MLex
