Recently, China has published the “Security Assessment Measures for Outbound Data Transfers,” a crucial regulation on outbound data flows. This regulation contains strong national security considerations and produces independent and direct legal effects compared with other assessment systems in China’s laws. However, there is a possibility that conflict arises between these measures and the international commitments made by China due to the ambiguity in how "critical data" is defined, the excessive emphasis placed on self-risk assessment, and the arbitrary extension of procedures. Particularly, with China's current application to join the CPTPP, the restrictive measures of its cross-border data flow may appear to violate the obligation of CPTPP, but may be justified through CPTPP’s exception clauses. In light of this, it is necessary for China to adopt a more modest approach to balancing data security with the effort made to promote the flow of cross-border data.

I. Introduction
II. Main Restrictive Measures in SAMODT
    A. Vaguely defined “Critical Data” as an Unexpectable Trigger Point
    B. Risk Self-Assessment Imposing Excessive Burden on Data Exporters
    C. Lengthy Procedures Only Yielding a Superficial AssessmentReport
III. Prima Facie Violation and Justification under CPTPP
    A. Prima Facie Violation of Article 14.11(2)
    B. Justification under Article 14.11(3)
    C. Justification under Article 29.2 of CPTPP
IV. Lessons
    A. Clarifying the Concept and Coverage of Critical Data
    B. Improving the Rationality of Risk Self-Assessment
V. Conclusion

• Junchao Liu(Research Assistant at the Center for International Law of Cyberspace at Xiamen University’s Law School.)