China Data Governance Update

Over the past few months, China has published a series of regulations in the data sector ranging from detailed certification requirements on the cross-border transfer of personal data to procedures on compliance and enforcement. These include Standard Contract Clauses for Personal Information Cross-Border Transfer and Rules for Cyberspace Administration of China (CAC) Administrative Enforcement Procedures.  A third regulation, Personal Information Cross-Border Transfer Certification Requirements, is accepting comments and is expected to replace an earlier version of the guidance released in 2022.

Along with the previously published laws and regulations in the data security and personal information protection sector, the government has set up a comprehensive system to govern all data activities. With the publication of Rules for Cyberspace Administration of China (CAC)  Administrative Enforcement Procedures, in which the fundamentals on how to carry out enforcement have been laid out, local CACs now have guidance on how to conduct data security related investigations as well as determine punishment and appeal processes. 

Companies that process data in China, transfer data out of China, or need to receive data from China, should conduct their own internal data assessment and continuously monitor compliance.

For further information, please contact office.beijing@trade.gov .