The Cyberspace Administration of China has published Draft Administrative Measures on Evaluating the Security of Transmitting Personal Information Overseas.
- Contracts between the data exporter and the data importer(s) that must include all the certain specified clauses.
- Internal review by the data exporter following Article 17 of the 2019 Draft Measures and a declaration to the provincial-level cyberspace department by the data exporter, including the following information:
- A declaration form
- Contract signed between the network operator and the recipient
- An analysis report for security risks of the cross-border transfer of personal information and security guarantee measures
- Other materials required by the national cyberspace department
- A cybersecurity assessment of the data exporter and a review of its declaration by the provincial-level cyberspace department. This approval can be revoked at any time during an examination by the relevant authorities without a right to oppose the decision. Companies will need to undergo the approval every two years or when a substantial change occurs to the transfer.