The Cyberspace Administration of China has published Draft Administrative Measures on Evaluating the Security of Transmitting Personal Information Overseas.

Key requirements:

  • Contracts between the data exporter and the data importer(s), which must include all of the specified clauses.
  • Internal review by the data exporter following Article 17 of the 2019 Draft Measures and a declaration to the provincial-level cyberspace department by the data exporter, including the following information:
    1. A declaration form
    2. Contract signed between the network operator and the recipient
    3. An analysis report for security risks of the cross-border transfer of personal information and security guarantee measures
    4. Other materials required by the national cyberspace department
  • A cybersecurity assessment of the data exporter and a review of its declaration by the provincial-level cyberspace department. This approval can be revoked at any time during an examination by the relevant authorities, without a right to oppose the decision. Companies will need to undergo the approval process every two years or when a substantial change occurs to the transfer.

Details from the International Association of Privacy Professionals.