In recent years, China has established a comprehensive legal framework for cross-border data transfers through the Cybersecurity Law (CSL, 网络安全法), the Data Security Law (DSL, 数据安全法), the Personal Information Protection Law (PIPL, 个人信息保护法), and other regulations. On April 9, 2025, the Cyberspace Administration of China (CAC, 国家互联网信息办公室) published an FAQ for cross-border data transfers. While the FAQ is not legally binding, it reflects the CAC's attitude towards cross-border data transfer and provides practical guidance for data processors. We have summarized the key content of the FAQ and other recent regulatory updates below.
1. Legal Framework for Cross-Border Data Transfer
The CAC reiterates that the current cross-border data transfer
regime mainly regulates important data and personal information,
and other types of data may be freely transferred overseas. Current
laws and regulations provide three mechanisms to transfer important
data and personal information abroad: a Security Assessment performed by the CAC (Security Assessment, 数据出境安全评估), Personal Information Protection Certification issued by CAC-approved institutions (PIP Certification, 个人信息保护认证), and filing Standard Contractual Clauses (SCC Filing, 个人信息出境标准合同备案).
The CAC states that when conducting Security Assessment or
reviewing SCC filings, it considers whether the transfer is
necessary, whether the number of individuals affected is
proportionate to the business purpose, and whether the scope of
personal information collected and processed is appropriately
limited. The FAQ also indicates that additional industry-specific
guidance will be developed going forward to help businesses
evaluate whether transfers are "necessary" within
specific industry contexts.
2. Free Trade Zone "Negative Lists"
Free trade zones (FTZs, 自贸试验区) are permitted to develop
"negative lists" for cross-border data transfer. Data that does not
appear on a "negative list" is exempted from the general legal
framework and can be transferred cross-border from these FTZs
without restriction. Significantly, the FAQ confirms that "negative
lists" enacted by one FTZ will be automatically effective in
other FTZs to ensure consistency across regions.
At present, FTZs in Tianjin, Beijing, Hainan, Shanghai, and
Zhejiang have released "negative lists" covering 17
industry sectors. In its FAQ, the CAC states that it encourages
FTZs to develop additional "negative lists" tailored to
local industries, with further expansion expected in the coming
months.
It is noteworthy that the Beijing FTZ published a "negative
list" in August 2024 which covers, among other sectors, the
automobile and life sciences industries. Although the Shanghai FTZ
also published a "negative list" in 2025, it only covers
reinsurance, international shipping, and membership programs run by
retailers, the food and beverage industry, or hotels. The CAC's
confirmation allows companies in industries that are not covered by
the "negative lists" published by their local FTZs to
refer to the Beijing FTZ "negative list" or
"negative lists" from other FTZs when determining their
cross-border data transfer obligations.
3. Identification and Cross-Border Transfer of Important Data
The CAC reiterates the definition of important data and
clarifies that data processors do not need to treat their data as
important data unless the relevant government authorities
specifically notify them.
The CAC reiterates that important data is defined as data related
to specific domains, populations, or regions, or data of a certain
scale or sensitivity, such that its leakage or breach may endanger
national security, economic stability, social order, or public
health. The CAC also recommends that data processors refer to
industrial standards for further guidance, including the standard
"Data Security Technology — Data Classification and
Categorization Rules (GB/T 43697-2024)."
The CAC notes, however, that important data can still be transferred abroad if it passes Security Assessment. It states that, as of March 2025, the CAC has completed the review of 298 Security Assessment submissions, 44 of which involved important data, and that seven of these 44 submissions failed Security Assessment. The CAC also noted that these 44 submissions covered 509 data items, of which 325 were approved for cross-border transfer.
4. Cross-Border Data Transfer for MNCs
The CAC confirms that for multinational corporations (MNCs) with
multiple subsidiaries in China that share similar businesses, one
of the subsidiaries may submit a Security Assessment or SCC Filing
on behalf of all related entities. In addition, the CAC encourages
MNCs to apply for PIP Certification, which to date has only been
used by large-scale internet platforms such as Alibaba and JD.com,
noting that personal information can be transferred within a
company group and across borders more efficiently if the Chinese
subsidiary or MNC headquarters obtains PIP Certification.
The CAC also states that it encourages MNCs to participate in
shaping data privacy policy, including by participating in the
design and review of industrial standards.
5. Extension of Security Assessments and Updates to SCC Filings
The CAC notes that the validity of approved Security Assessments
has been extended from two years to three years. Data processors
may apply for an extension if they need to continue their existing
data transfer and there is no change that would trigger an update
to the Security Assessment submission. Data processors should
submit their extension applications through the provincial CAC
within 60 working days before the validity period expires. The CAC
is still developing a formal detailed process for extension
applications.
An SCC filing is valid as long as the SCC remains valid. Data
processors need to submit an updated or revised SCC Filing if there
are changes in the transfer purpose, server location, data
recipients, or other conditions provided in the relevant
regulations. Changes in the volume (but not type) of data
transferred will not require an update or revision to the SCC
Filing, as long as such change does not cause the total volume of
data transferred to cross the threshold that would require Security
Assessment (i.e., if the personal information of more than one
million individuals or the sensitive personal information of more
than 10,000 individuals is transferred abroad within a year).