China Clarifies 2025 Cross-Border Data Transfer Rules
In April 2025, the Cyberspace Administration of China (CAC) released new clarifications on Data Cross-Border Security Management Policies in an official Q&A, offering practical interpretations of how companies can comply with China’s evolving framework for cross-border data transfer. It provides important clarifications on several areas that have posed challenges for businesses, especially multinational companies. It sheds light on how “general data” can flow freely across borders, how companies should assess the necessity of personal information exports, and what qualifies as “important data.”
Notably, the cross-border data transfer Q&A introduces measures to help companies avoid unnecessary repetition of compliance procedures. These include allowing group companies to submit consolidated applications for data export compliance, outlining conditions under which the validity of security assessments can be extended, and confirming that certified multinationals do not need to sign a new contract for each cross-border data flow.
Key Points and Implementation
1. Legal Framework and Core Principles
China’s data export management system is based on the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. It regulates only important data and personal information, while general data can flow freely across borders.
Outbound transfers of important data must pass a security assessment to confirm that they do not jeopardize national security; outbound transfers of personal information can follow one of three compliance paths: security assessment, standard contract, or protection certification. The system is designed to balance data security with the efficiency of cross-border flows and to support the business needs of enterprises.
Focused content:
• Regulation is limited to important data and personal information, not all data.
• A security assessment is required for outbound important data; the pass rate was 63.9% (as of March 2025).
• Multiple compliance paths are available for personal information, which adds flexibility.
2. Innovative Mechanisms and Consistency Guarantees for FTZ Negative Lists
FTZs can formulate a negative list for outbound data; data outside the list is exempt from declaration. The state ensures consistency of the list standards through filing and auditing, along with cross-area reference implementation mechanisms. The negative list currently covers 17 areas, including automobiles and pharmaceuticals, and will be gradually expanded in the future.
Focused content:
• Negative lists are approved by provincial net information commissions and filed by the state to ensure compliance.
• A list for a given field can be reused across regions, avoiding duplicated drafting.
• The areas covered are expanded dynamically to promote industrial openness.
3. Criteria for Judging the Necessity of Outbound Personal Information Transfers
According to the Personal Information Protection Law, the necessity assessment focuses on four aspects:
• Purpose relevance: The export needs to be directly related to the purpose of processing.
• Minimization principle: Limit the scope of data and the retention period.
• Minimization of impact: Choose the method that has the least impact on the rights and interests of individuals.
In the security assessment, the supervisory authority examines the necessity of the outbound scale and the scope of data items in the context of business scenarios.
4. Identification of Important Data and Outbound Management
Important data is defined as data that may jeopardize national security, the economy, and other core interests, and is identified in accordance with Appendix G of the Data Classification and Hierarchical Rules. Security assessment is required for export; however, the Provisions on Promoting and Regulating Cross-border Flow of Data clarify that data that has not been officially notified or made public does not need to be declared, alleviating the burden on enterprises.
5. Equal Opportunities for Foreign Enterprises to Participate in Standard Setting
The National Cybersecurity Standardization Technical Committee allows foreign-funded enterprises to participate in standard-setting on an equal footing:
• Open mechanism: members are openly solicited, and foreign investors can make suggestions throughout the process.
• Transparent procedure: the draft standards are open to the public for comments.
6. Facilitation Measures: Group Data Flow and Assessment Validity Period Extension
• Group companies can consolidate their security assessment declarations or standard contract filings.
• The Personal Information Protection Certification, which is being promoted, allows data to be shared within multinational groups without the need for country-by-country contracting.
• The validity period of the security assessment has been extended to three years, with the possibility of applying for an extension 60 days before the expiration date. The process will be clarified.
Summary
China’s data export regime is based on classification and grading, optimizing regulation through mechanisms such as negative lists and necessity assessments, while introducing foreign participation in standard-setting, group facilitation, and other initiatives to balance security and openness. This facilitates necessary data flows for business while protecting national security and personal privacy. The evolving regulatory landscape requires companies to stay informed and agile in their compliance strategies. In the future, industry guidelines will be further refined, the coverage of the FTZ negative list will be expanded, and the efficient flow of data across borders will be promoted.