China: New Challenges Ahead: How To Comply With Cross-Border Data Transfer Regulation In China


Following EU's release of General Data Protection Regulation ("GDPR") and numerous nations or regions' issuance of data protection laws including Russia, Singapore, Australia, Canada, India and South Korea, China's first comprehensive law of data protection, i.e. the Cybersecurity Law of the People's Republic of China ("CSL"), took effect on 1 June 2017.

Compared with EU's so-called strictest privacy law GDPR, the CSL appears to be even stricter in terms of cross-border data transfer for the purposes of which include safeguarding cyberspace sovereignty, national security and public interests, far beyond the ordinary legislative purpose of protecting citizen's personal information. In this regard, the CSL not only targets personal information but also important data. And its supporting legal documents require operators of critical information infrastructure ("CII") to localize data within the territory of China in principle and all network operators to conduct security assessments prior to the data export.

This article's objective is to shed light on the latest progress of cross-border data transfer requirements in China and to provide compliance recommendations for multinational companies operating business in China.


Before talking about specific requirements of cross-border data transfer in China, it shall be noted that the CSL is still in a grace period since many terms and obligations remain unclear. For instance, the terms of "CII" and "important data" are first brought up by the CSL but the scope of which can only be determined following the issuance of the CSL's supporting regulations and guidelines. As shown in the table below, the CSL's implementation requires regulations, rules and guidelines and most of which are still in the pipeline with their drafts being released in order to solicit public opinions.

Category Title Legal Status
Laws CSL Effective
Regulations and Rules Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data ("Draft Security Assessment Measures")1 In the pipeline
Regulation on Security Protection of Critical Information Infrastructure ("Draft CII Regulation")2 In the pipeline
(National Standards)
Information Security Techniques – Personal Information Security Specification ("Personal Information Security Specification")3 Effective
Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment ("Draft Security Assessment Guidelines")4 In the pipeline

As the CSL's supporting legal documents may come into effect in the next two years, multinational companies conducting businesses in China shall catch up closely with the legislative progress and wrap up compliance preparations.


This chapter introduces basic terms and concepts under the CSL, including "cross-border data transfer", "personal information", "important data", "CII operators" and "network operators", which helps to understand the subjects and obligors of cross-border data transfer requirements.

3.1 Circumstances of Cross-border Data Transfer

Similar to most data protections laws in the world including the GDPR, the CSL only regulates outbound data flow from China, which is defined as network operators' provision of personal or important data collected and generated during its operation within China to entities, organizations or individuals located outside of China. Besides, cross-border data transfer also covers the following circumstances:

  1. providing personal information and important data to entities located in China but that are not subject to Chinese jurisdiction or are not registered in China;
  2. data which are not transferred and stored outside of China but are accessed by entities, organizations, or individuals outside of China (except for accessing public information or webpages); and
  3. data cross-border transfer within a network operator's group companies, involving personal information or important data collected and generated during operation within China.

3.2 CSL Targets Both Personal Information and Important Data

Most data protection laws like GDPR only concern personal information, while the CSL also capture non-personal information, namely important data, as the subject of cross-border data transfer.

(1) Personal Information

Personal information refers to information which can be used alone or in combination with other information to recognize the identity of a natural person. For instance, online search records in combination of IP addresses directing to a specific natural person constitute personal information. However, once personal information undergoes anonymization, which prevent a specific natural person from being identified and being restored, it can no longer be defined as personal information.

(2) Important Data

To safeguard national security and public interest, the CSL also limit the cross-border transfer of "important data", which is defined as data closely related to national security, economic development and societal and public interests. The scope of important data shall be determined in specific sectors, and reference can be made to the non-exhaustive list of exemplar information in 27 sectors provided by Appendix A of the Draft Security Assessment Guidelines, such as telecommunication, electronic information, finance, e-commerce, credit investigation, food and drug, population health and post express. For example, where testing results of Chinese citizens' genes have been anonymized for cross-border transfer, even if the results will not be regarded as personal information, it may constitute important data and shall be localized within China.

3.3 CII Operators Face Stricter Obligations Compared with Network Operators

Both network operators and CII operators need to fulfill cross-border data transfer obligations under the CSL and its supporting rules, while the CII operators face stricter restrictions concerning data localization and security assessment, which will be deliberated in the chapter four.

Similar with the concepts of "controller or processors of personal data" under the GDPR, network operators shall be interpreted broadly to encompass owners, managers and service providers of a network. CII operators are a subset of network operators, operating critical information infrastructure in important industries and sectors that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people's livelihood and public interests.

The Draft CII Regulation listed more than 20 industries or sectors as exemplary "important industries and sectors", including government administration, energy, finance, transportation, water conservation, health care, education and information networks. And a guideline for identifying CII will be formulated by the Cyberspace Administration of China ("CAC"), China's chief internet watchdog, in conjunction with other relevant authorities in the future, according to which the identification of CII in certain industry or sector will be conducted by industry supervising authorities.


Article 37 of the CSL initially requires CII operators to store within China personal information and important data generated during its operation in China or to conduct security assessment where cross-border data transfer is needed for business purposes. Notably, the Draft Security Assessment Measures expanded the security assessment requirement from CII operators to all network operators.

4.1 Data Localization

At present, only CII operators need to fulfill the obligation of storing personal information and important data within China, such as data localized in the servers, clouds, or other systems within China. Some multinational companies have already taken compliance measures. On 28 February 2018, Apple announced that it has transferred it iCloud Services in China to its data center in Guizhou Province, which aims to store data including photos, videos, files and backups within the territory of China, and it has also informed iCloud users of the data transfer via email.

4.2 Two Sets of Security Assessments

Security assessment under the CSL is a two-tiered framework, consisting of self-assessment and official assessment. In principle, network operators shall conduct a security self-assessment where cross-border data transfer occurs. In special circumstances, an official security assessment is conducted by industry supervising authorities or CAC where involving personal information of more than 500,000 individuals, containing information in critical industries, or other circumstances that possibly affect national security and societal and public interests.

In addition, before transferring personal information overseas, network operators shall notify data subjects the purpose, scope, type and the country or region in which the recipient is located and obtain his/her consent, except for the occurrence of urgent circumstances under which the security of the person's lives and properties are endangered. The notification is advised to be stated in explicit statements in privacy policies, pop-ups and non-ticked boxes in internet websites, and phone voices, etc. Besides, data subjects' behaviors of making international phone calls, sending international emails, conducting international instant messaging and conducting cross-border trading through internet can be regarded as giving implicit consent to cross-border data transfer.

4.3 Legal Liabilities

The fines imposed by the CSL for breaching cross-border data transfer requirements is relatively small: ranging from 50,000 yuan to 500,000 yuan. But the enforcement of the CSL focuses on severe penalties such as suspension of related business or shutdown of the website and revocation of business licenses. Besides, violators may also face penalties in forms of warning, rectification and confiscation of illegal gains.


Although the CSL is still in a grace period, enforcement actions have been taken by Chinese authorities. In July 2017, the CAC and other three departments have jointly initiated the special action of privacy policy review against 10 notable domestic network product and service providers, including WeChat, Taobao, JD, AutoNavi, Baidu Maps, Didi Chuxing, Alipay, Sina Weibo, Umetrip and Ctrip. Afterwards, the review result was released to the public in September, and most of the investigated companies have taken rectifying measures to improve their privacy policies, including explicitly stating the ways and purposes of collecting and using personal information and obtaining data subjects' prior consent.

Against this backdrop, though the CSL still left a fair number of issues unresolved with respect to cross-border data transfer, companies doing business in China, whether or not it has a physical presence in China, are advised to make preparation to achieve compliance. To this end, efforts can be made in terms of policy update, technical preparation, manning and training and keeping up with the implementation of the CSL and seeking professional advice.

First, companies doing business in China are advised to update their privacy policies or establish a policy on cross-border data transfer, in which the scope, purpose and type of personal information and the country or region of the recipient shall be articulated in an explicit way. To obtain data subjects' consent, it is suggested to adopt a check box which is not checked by default.

Second, to fulfill data localization requirement or reduce security assessment cost, companies can reduce the amount of personal information and important data to a minimum necessary for business purposes or take measures of anonymization where data export is needed. For companies which are likely to be regarded as CII operators, they can set up their own servers or clouds within China or outsource the data storage service to operators within China.

Third, companies can add positions for data protection where necessary or at least provide training on cross-border data transfer requirements for employees on a regular basis.

Finally, as multiple issues regarding cross-border data transfer requirement remain unclear, it is advised to keep up with the next implemented rules of the CSL and to seek professional advice for interpretation and compliance in a timely manner.


1. CAC published a draft of Security Assessment Measures on 11 April 2017, see, which was updated later in May 2017.

2. CAC published a draft of CII Regulation on 10 July 2017, see

3. Chinese version of the Personal Information Security Specification,

4. The National Information Security Standardization Technical Committee ("TC260", in which some officials of CAC serve as its members) published a draft of Security Assessment Guidelines on 30 August 2017, see

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions