If your organisation must follow the CAC assessment route to continue your cross-border flows of personal information or important data, we now know the full extent of the self-assessment, application and supporting documents to be filed with the CAC for approval. It remains a significant task, so action must be taken as soon as possible to meet the deadlines. And in a major development, non-Mainland China data controllers cannot now simply ignore the CAC assessment route.

Some organisations – namely organisations that transfer/access “important data”, are designated as critical information infrastructure operators, or exceed the personal data volume thresholds specified in the Measures for Security Assessment of Cross-border Data Transfers (“Measures”) – must follow the CAC assessment route. (There are three other routes for organisations that do not fall into those categories – see our alert here.)

We now know what in practice the CAC assessment will involve. Just a few hours before the Measures took effect on 1 September 2022, the Cyberspace Administration of China (“CAC”) issued the Guidelines on Application of Security Assessment of Cross-border Data Transfers (First Version) on 31 August 2022 (“Guidelines”).

The application will require the data controller to prepare the following:

1) a certified copy of its unified social credit code certificate

2) a certified copy of its legal representative’s ID card

3) a Power of Attorney appointing an agent handling the application related matters – a template of this is included in the Guidelines

4) a certified copy of the appointed agent’s ID card

5) a completed Application Form for Security Assessment of Cross-border Data Transfers – a template of this is included in the Guidelines. The application requires a fairly significant amount of information about the data recipient, which we anticipate many overseas vendors will be reluctant to provide (e.g. registered capital amount, ID of security officer, number of employees)

6) a certified copy of the agreements or other legal documents with the overseas data recipients – these must be in Chinese or bilingual. In practice we anticipate most organisations will prefer to submit standalone China data transfer agreements using the China SCCs (once published). If data protection clauses are included in a wider commercial agreement, the relevant clauses must be clearly highlighted

7) a Report of Self-assessment of Risks in Cross-border Data Transfers – a template of this is included in the Guidelines. The report requires detailed explanation, as well as risk and compliance assessment, of each data transfer, as well as mitigation measures

8) other supporting documents and materials

As such, organisations subject to the CAC assessment route must act now to prepare and submit the application in good time before the end of the grace period in March 2023.