On September 9, 2025, Chinese police fined fashion giant Dior's Shanghai subsidiary because the company illegally transmitted data overseas without security screening, failed to obtain separate consent, and failed to adopt appropriate security measures. It is a landmark case now that China's data export regulatory framework has finally been established. In this article, we will guide you through China's cross-border data transfer mechanisms.
China's data export regulatory framework is shaped by the country's Cybersecurity Law ("CSL"), Data Security Law ("DSL"), and Personal Information Protection Law ("PIPL"), which set forth three routes for data export that meet the prescribed thresholds: (i) data export security assessment (the "Security Assessment"); (ii) personal information export standard contract clauses (the "SCC Filing"); and (iii) personal information protection certification (the "Certification"). In this article, the obligations mentioned in (i) through (iii) are collectively referred to as "Data Export Approvals".
The three data export routes are further supplemented by the following regulations issued by the CAC:
- Data Export Security Assessment Measures (the "Security Assessment Measures"): effective from September 1, 2022;
- Announcement re Implementation of Personal Information Protection Certification (the "Protection Certification Measures"): effective from November 4, 2022; and Measures for Personal Information Protection Certification for Personal Information Export (Exposure Draft) (the "Export Certification Measures"): announced on January 3, 2025;
- Personal Information Export Standard Contract Clauses Measures (the "SCC Measures"): effective from June 1, 2023;
- Facilitation and Regulation of Data Cross-border Transfer Measures (the "Data Export Measures"): effective from March 22, 2024.
With the CSL, DSL, PIPL and the above supplementary rules, China now has a well-established data export regulatory framework, mainly regulating the export of personal information and important data.
1. Evolution of China's Data Export Regulatory Framework
In 2017, the CSL came into effect. The CSL is the first legislation to regulate data export activities, requiring critical information infrastructure operators ("CIIOs") to locally store personal information and important data collected in China. Where such data needs to be exported for business reasons, a security assessment should first be conducted in accordance with the law.
The PIPL came into force in 2021, and it sets forth the regulatory framework for the export of personal information.
Effective in 2022, the Security Assessment Measures require that CIIOs and non-CIIOs which meet the thresholds prescribed in the Security Assessment Measures must file for and complete Security Assessments before they can export important data and personal information.
In 2022 and 2023, the Protection Certification Measures and the SCC Measures came into effect respectively. These two regulations basically require any entity that exports any personal information to file for and complete an SCC Filing or Certification. The detailed rules for personal information export certification, i.e., the Export Certification Measures, were announced for public comment on January 3, 2025. The Export Certification Measures provide that if the PIPL applies to a personal data controller located outside China, that controller's collection of personal information will be deemed "personal information export".
In March 2024, the Data Export Measures came into effect. The Data Export Measures significantly amend the legal framework established under the Security Assessment Measures, the Protection Certification Measures and the SCC Measures, providing for the Block Exemptions to alleviate the burden on a large number of entities to obtain the Data Export Approvals.
Accordingly, a thorough understanding of China's current data export regulatory framework requires a comprehensive reading of all the regulations above, bearing in mind that the Data Export Measures trump any contradictory requirements in previous legislation.
Under China's current data export regulatory framework, the types of data exporters regulated and the types of data regulated are summarized as follows:
| | Types of data exporters regulated | Types of data regulated |
| --- | --- | --- |
| CSL | CIIOs | Personal information + important data |
| DSL | All data controllers | Important data |
| PIPL | CIIOs + personal data controllers meeting relevant thresholds | Personal information |
| Security Assessment Measures | All data controllers | Personal information + important data |
| SCC Measures, Protection Certification Measures and Export Certification Measures | Personal data controllers meeting relevant thresholds | Personal information |
| Data Export Measures | CIIOs + personal data controllers meeting relevant thresholds | Personal information + important data |
2. Application of the Data Export Approvals
Before diving into details, we have prepared two flowcharts below (for CIIOs and non-CIIOs respectively) for data exporters' easy reference in determining whether they need a Data Export Approval and which one to apply for:
2.1. The Block Exemptions and free flow of data
As mentioned above, the most significant change made by the Data Export Measures to the previous data export regulatory framework is the introduction of the Block Exemptions. As the word "Facilitation" in the title of the Data Export Measures suggests, the regulation aims to facilitate the free flow of data by introducing the Block Exemptions.
Specifically, the Block Exemptions mean that in the following circumstances, a data exporter that otherwise is subject to the Data Export Approvals is exempted from such obligations and can freely export the personal information it intends to export:
- where it is necessary to export personal information for the purpose of concluding or performing a contract to which a data subject is a party, such as cross-border e-commerce, cross-border shipping, cross-border wire transfer, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa processing and examination services;
- where it is necessary to export employees' personal information for the purpose of conducting cross-border human resources management in accordance with internal corporate policies and regulations formulated in accordance with law, and collective contracts concluded in accordance with law;
- where it is necessary to export personal information in an emergency to protect the life, health and property safety of a natural person; or
- where a non-CIIO data controller exports the personal information (excluding sensitive personal information) of not more than 100,000 persons accumulatively since January 1 of the given year.
(Please note that the Block Exemptions only apply to the export of personal information.)
Therefore, for data exporters in China, the first step in determining whether they need to obtain a Data Export Approval is to determine whether any of the Block Exemptions apply to them. In a specific data export scenario (such as the export of employees' personal information or the export of consumers' personal information), if the answer is yes, then the data exporter is free to export the personal information. However, if there are any data export scenarios where none of the Block Exemptions apply, then the data exporter needs to determine which one of the Data Export Approvals it needs to apply for and obtain.
2.2. The Security Assessment
The Security Assessment applies to the export of both personal information and important data.
2.2.1. Personal information
In terms of personal information, as mentioned above, the Security Assessment is only applicable where the Block Exemptions do not apply.
Where the Block Exemptions do not apply, the Security Assessment will be triggered if: (i) a CIIO exports any personal information; or (ii) a data exporter exports personal information of more than one million people, or sensitive personal information of more than ten thousand people since January 1 of a given year.
2.2.2. Important data
The Block Exemptions do not apply to the export of important data. Any data exporter that exports important data, regardless of the data's amount or the purpose of the export, and regardless of the data exporter's status as a CIIO or non-CIIO, must apply for and go through the Security Assessment.
Please note that personal information in certain special forms may constitute important data under PRC law (for example, in the automotive industry, the combination of personal information of more than 100,000 persons is deemed important data). The Block Exemptions cannot be applied to the export of such personal information, and a Security Assessment must be applied for.
2.3. The SCC Filing/Certification
The SCC Filing or the Certification only applies to the export of personal information.
Where the Block Exemptions do not apply, the SCC Filing/Certification will be triggered if a data exporter exports personal information of more than 100,000 people (but fewer than one million people), or any sensitive personal information since January 1 of a given year.
If a personal data controller located outside China needs to go through Certification, the application should be made by its specialized agency or its designated representative in China.