Other BriefingsChina Clarifies Cross-Border Data Transfer Rules: Key Takeaways from Official Q&A
China has released new clarifications on cross-border data transfer rules in an official Q&A, offering foreign businesses practical guidance on security assessments, personal information exports, important data identification, and easing compliance through certification and free trade zone (FTZ) policies.
On April 9, 2025, China’s Cyberspace Administration (CAC) released a Q&A on Data Cross-Border Security Management Policies (hereinafter, “cross-border data transfer Q&A”), offering practical interpretations of how companies can comply with China’s evolving framework for cross-border data transfer. The cross-border data transfer Q&A clarifies implementation details for key systems, including data export security assessments, standard contracts for personal information exports, and certification mechanisms.
While the document does not introduce any new laws or signal a broad regulatory easing, it provides important clarifications on several areas that have posed challenges for businesses, especially multinational companies. It sheds light on how “general data” can flow freely across borders, how companies should assess the necessity of personal information exports, and what qualifies as “important data.”
Notably, the cross-border data transfer Q&A introduces measures to help companies avoid unnecessary repetition of compliance procedures. These include allowing group companies to submit consolidated applications for data export compliance, outlining conditions under which security assessment validity can be extended, and confirming that certified multinationals do not need to repeatedly sign new contracts for each cross-border data flow.
Free flow of “general data” across borders
The cross-border data transfer Q&A states that “general data that does not involve personal information or important data can flow freely across borders”.
Regulations on the handling of general data have not been explicitly stipulated in any of China’s main data laws – including the Cybersecurity Law, the Data Security Law, or the Personal Information Protection Law – nor is it mentioned in regulations specifically on cross-border data transfer.
It is mentioned in some industry-specific regulations on data security and export, such as the Measures for Data Security Management in the Field of Industry and Information Technology (Trial Implementation). These measures require industrial and telecom companies to organize data into three categories – important, core, and general data – for data security purposes. Core and important data are subject to stricter regulations, including mandatory domestic storage within China and a required security assessment prior to export.
These regulations have been interpreted to mean that general data is not subject to the same stringent requirements, although the texts do not explicitly confirm this. The CAC’s clarification—that general data can be transferred freely across borders—is therefore significant, as it eliminates any uncertainty surrounding the validity of this interpretation.
Nonetheless, defining what constitutes general data may not be straightforward, as the government has not released a definitive list of data types that qualify. The closest thing to a specific definition is found in the Data Classification Standards [GB/T 43697-2024] released in 2024, in which general data is defined as “any data excluding important and core data”.
The definitions of “core”, “important”, and other data types outlined in these standards are summarized in the table below.
|
Definitions of Key Data Terms in China’s Data Classification Standards |
|
| Data | Any record of information in electronic or other forms. |
| Important data | Data specific to certain fields, groups, and regions, or reaching a certain level of precision and scale that, once leaked, tampered with, or destroyed, may directly jeopardize national security, economic operation, social stability, public health, and safety.
Note: Data that only affects the organization itself or individual citizens is generally not considered important data. |
| Core data | Data with a high degree of coverage, that reaches a high level of precision, is large in scale, and reaches a certain depth in a domain, group, or region that, once illegally used or shared, may directly affect political security.
Note: Core data mainly includes data related to national security key areas, national economic lifelines, people’s livelihoods, and major public interests, as evaluated and determined by relevant state departments. |
| General data | Other data, excluding important and core data. |
| Personal information | Various types of information related to identified or identifiable natural persons recorded in electronic or other forms.
Personal information is also defined in the Personal Information Protection Law and other regulations. |
An important development in defining general data came with the release of the Regulations to Promote and Standardize Cross-Border Data Flows, a set of regulations aimed at easing cross-border data transfer, which came into force on March 22, 2024. These regulations stipulated that China’s free trade zones (FTZs) could formulate catalogs of general data that companies can freely export from the zone.
In May 2024, the Shanghai FTZ was the first zone to release general data lists, with the first batch applying to companies in the automotive, biopharmaceuticals, and mutual fund sectors. Under this system, companies based in the Shanghai FTZ that need to export data out of China for any of the purposes stated in the general data lists can do so without undergoing any of the additional compliance procedures.
For the most part, however, the FTZs that have implemented measures to ease cross-border data transfer have adopted a slightly different approach. Thus far, the Tianjin, Beijing, Shanghai, and Zhejiang FTZs, as well as the Hainan Free Trade Port (FTP), have issued data negative lists covering a total of 17 industries, including automobiles, pharmaceuticals, retail, civil aviation, reinsurance, the deep-sea industry, and the seed industry. Under this system, the types of data and volumes of personal information that cannot be freely exported are listed in industry-specific data lists, and any data not included in the lists can be freely exported out of the zone.
The cross-border data transfer Q&A also reiterates that any data not included in the negative lists can be freely exported out of the country from the relevant FTZ. Going forward, it is possible that more FTZs will choose to implement data negative lists for different industries, rather than defining general data.
Ensuring consistency between the FTZ negative lists and expanding industry-specific lists
The cross-border data transfer Q&A reiterates that the FTZs are permitted to formulate their own data negative lists for data export, but that these lists must be formulated under the national data classification and grading protection system framework. Moreover, the lists undergo a robust approval process to ensure consistency and compliance with China’s data laws, standards, and regulations. This includes approval by the provincial cybersecurity and informatization committee, filing with the national cybersecurity and information technology department and the national data management department, and a final review by the CAC and the National Data Administration. In addition, the opinions of relevant competent departments are solicited during the process of formulating the negative lists.
To facilitate the implementation of negative lists across different FTZs, the cross-border data transfer Q&A states that if one FTZ has already issued a negative list for a certain industry or field, other FTZs can refer to this list instead of formulating a new one. This will help with continuity across different FTZs and compliance with the national data classification and grading protection system.
This also suggests that more FTZs will release data negative lists modeled after those introduced in Beijing, Shanghai, Tianjin, Hainan, and Zhejiang. The cross-border data transfer Q&A further highlights that the CAC is actively guiding FTZs to develop such lists in alignment with their specific industrial development needs.
Determining the necessity of personal information export
One of the steps in exporting certain volumes of personal information out of China is to assess whether the export is necessary for the company’s business operations. For instance, companies seeking to export a large volume of personal information, thus requiring a security assessment by the CAC, will be required to carry out a self-assessment which involves, among other things, evaluating “the legality, legitimacy, and necessity of the purpose, scope, and method of the cross-border data transfer, and the processing of the data by the overseas recipient.” The CAC’s security assessment itself also involves assessing “the legality, legitimacy, and necessity of the methods, scope, and purpose of the data export”.
More broadly, companies are required to showcase the necessity of personal information processing for any processing activity, not just data export. Specifically, Article 6 of the PIPL stipulates that “the processing of personal information shall have a clear and reasonable purpose, be directly related to the purpose of the data processing, and be conducted in a way that has the least impact on individual rights and interests. The collection of personal information shall be limited to the minimum scope necessary to achieve the purpose of the data processing, and excessive collection of personal information is not permitted.”
Moreover, Article 19 stipulates that “unless otherwise provided by laws and administrative regulations, the retention period of personal information shall be the shortest time necessary to achieve the purpose of the data processing.”
The cross-border data transfer Q&A explains that, based on the legal provisions, four key factors determine whether a personal information export is “necessary”:
- Whether it is directly related to the purpose of the data processing.
- Whether it minimizes the impact on individual rights and interests.
- Whether it is limited to the minimum scope needed for that purpose.
- Whether the data retention period is as short as necessary to fulfill that purpose.
The cross-border data transfer Q&A further notes that, during data export security assessments, the CAC will evaluate the necessity of the export based on the company’s specific business context and processing needs. This includes assessing the necessity of the export itself, the number of individuals involved, and the volume of personal data being transferred.
Finally, it states that the CAC, together with industry regulators, will continue refining and clarifying export scenarios and data scope requirements for specific industries to offer more targeted policy guidance on cross-border data transfers.
Clarification on identifying important data and regulations on important data export
One of the trickiest areas for foreign companies to navigate when it comes to cross-border data transfer is assessing which data they have is considered “important” data.
Under China’s data security laws, any data classified as “important” must undergo a security assessment by the CAC before it can be exported.
However, as the government has not released a definitive list of what is considered important data, it is difficult to determine exactly which data will qualify.
The Network Data Security Management Regulations, which came into effect on January 1, 2025, provides a general definition of important data as “data in a specific field, specific group, specific region, or reaching a certain accuracy and scale, which may directly endanger national security, economic operation, social stability, public health and safety once it is tampered with, destroyed, leaked, illegally obtained, or illegally used.”
Meanwhile, the Data Classification Standards mentioned above also outline extensive methods for companies to identify important data.
While important data is generally restricted from being exported, the cross-border data transfer Q&A clarifies that there are certain scenarios in which important data can be exported. Specifically, if a data export security assessment determines that the transfer of the data does not endanger national security or public interests, it can be exported.
According to the cross-border data transfer Q&A, as of March 2025, the CAC had reviewed 298 data export security assessments. Among them, 44 involved important data, and 7 were rejected – a rejection rate of 15.9 percent. These 44 applications included 509 important data items, of which 325 were approved for export, or 63.9 percent of the total.
Moreover, the cross-border data transfer Q&A emphasizes that the Regulations on Promoting and Standardizing Cross-Border Data Flows clearly state that if a company declares its important data in advance, in line with relevant regulations, and the data has not been identified or publicly designated as important by the relevant authorities or regions, the company is not required to undergo a data export security assessment.
Participation of foreign companies in formulating technical standards
The cross-border data transfer Q&A highlights two main avenues through which foreign companies can participate in the development of industry and technical standards.
First, foreign companies can become members of working groups under the National Information Security Standardization Technical Committee. As members, they have equal rights and responsibilities as domestic enterprises, allowing them to take part in the full standard-setting process—from initial drafting to final review—and to actively contribute ideas and feedback at every stage.
Second, foreign companies can engage by reviewing and submitting comments on draft standards published for public consultation, ensuring their perspectives are considered during the refinement of proposed standards.
Methods for streamlining personal information export
The cross-border data transfer Q&A introduces several measures aimed at easing the process of personal information exports for companies.
First, if a company has multiple subsidiaries with similar business purposes and data export scenarios, the parent company can submit a consolidated application for a data export security assessment or complete other applicable compliance procedures, such as signing a standard contract, on behalf of all subsidiaries. This significantly reduces the compliance burden and administrative workload for each individual subsidiary.
However, this approach is only beneficial when the subsidiaries are already subject to compliance requirements. If a single subsidiary processes personal information below the regulatory threshold, it can export data without triggering a security assessment or other procedures. In such cases, consolidating data from multiple subsidiaries could unintentionally raise the total volume above the threshold, creating additional compliance obligations.
In addition, the CAC is working to implement a certification system for personal information exports, empowering third-party professional institutions to certify cross-border data transfer activities. Once certified, either the domestic company or the overseas recipient may conduct data exports within the scope of the certification.
Finally, certified multinational groups will be allowed to transfer personal information internally across borders without the need to sign separate standard contracts with each foreign subsidiary.
These methods could significantly facilitate cross-border data flows for large multinationals. In particular, the ability for multinationals to rely on group-wide certification, rather than signing a new standard contract for every new export scenario or data type, will greatly streamline operations. This reduces legal complexity, accelerates business processes, and enables more efficient collaboration between companies based in China and their overseas affiliates.
Extending the validity period of a data export security assessment result
The cross-border data transfer Q&A clarifies that under the Regulations on Promoting and Standardizing Cross-Border Data Flows, the validity period of a data export security assessment result has been extended from 2 years to 3 years. This means that once a company passes the security assessment, it may continue exporting personal information for up to three years without needing to reapply.
If, at the end of the three years, the company wishes to continue exporting data and no material changes have occurred that would require a new application (such as significant changes in data type, processing purposes, or recipients), the company may apply to extend the validity of the original assessment result. This extension application must be submitted through the company’s local (provincial level) CAC office at least 60 working days before the original expiration date. Upon approval by the CAC, the validity period may be extended for another three years.
Currently, the CAC is in the process of refining the extension procedures and is gathering feedback from stakeholders. It plans to clarify and formalize the process through updated policy documents, making it easier for companies to manage long-term data export activities.
Security assessments are the most stringent compliance mechanism for cross-border personal information transfers. Reducing the frequency with which companies must reapply, by allowing for multi-year extensions, significantly eases the compliance burden. This helps companies save time, reduce administrative costs, and maintain continuity in cross-border operations, especially for those handling high volumes of personal information or important data.
About Us
China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates. For a complimentary subscription to China Briefing’s content products, please click here.
Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.
- Previous Article China Manufacturing Tracker 2025
- Next Article Visa for China: Who Needs to Apply and How?
