China’s cyberspace regulator, the Cyberspace Administration of China (CAC), announced on Thursday that it passed the “Data Export Security Review Rules” (our translation) in late May. The new rules will be effective from Sept. 1 and support China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law. The final version broadly aligns with the draft rules released to the public in October 2021, with one critical new detail: the approved version provides a start date when defining which Chinese companies providing personal data to overseas entities need to file for a review. In article 4, the rules say that data processors that “have provided personal information of 100,000 people to overseas entities or hold 10,000 items of sensitive personal information and share these with overseas entities since January 1 of the previous year” need to apply for a cyber security review. Chen Jihong, a Zhong Lun Law Firm partner, told Caixin that the newly added rule means a two-year calculation limit, which exempts smaller businesses from filing such reviews. [Caixin, in Chinese]