Privacy & Cybersecurity Law Blog

On June 27, 2025, the Cyberspace Administration of China (“CAC”) released the third version of the Guidance on the Application for Security Assessment of Cross-border Data Transfers (“Guidance”). The Guidance sought to optimize and simplify the relevant materials required for security assessment, providing more detailed operational guidance for data handlers.

A key area covered in the Guidance is the rules on the application for extension of the validity period of a security assessment. The validity period of a security assessment is three years. If the data handler meets the following conditions, they may apply for an extension 60 business days before the expiration of the validity period which, if approved, would extend the validity period by 3 years:

• the purpose and scope of the cross-border transfer, and the relevant data handlers and overseas recipients, remain unchanged;
• with regards a cross-border transfer of personal information, the increase in the number of individuals involved in the transfer over the next three years shall not exceed 20% of the number of individuals involved in the transfer for the past three years as approved by the original assessment;
• with regards a cross-border transfer of important data, the increase in the scale of exported data (MB/GB/TB) over the next three years shall not exceed 20% of the scale of exported data in the past three years as approved by the original assessment;
• the legal documents concluded with the overseas recipient comply with the provisions of Article 9 of the Measures for Security Assessment of Cross-border Data Transfers; and
• the transfer activities have been carried out in strict compliance with the original security assessment and there has been no major incident in the past three years.