CAC official Q&A addressing China Data Export Security Management Policies – APR 2025
#Compliance#Cybersecurity#Data Security#Import/Export
Uploading Date: 2025-05-01 19:35:44


On April 9, 2025, the Cyberspace Administration of China (CAC) released a Question & Answer to address common questions regarding data export security management policies. This Q&A aims to help data processors strengthen their understanding of the best compliance practices in cross-border data activities.

Before starting to read the Q&A, a list of China’s current laws and regulations regarding data security is provided below to help readers gain a structured overview of China’s current legal framework:


Question 1: How should we understand the design of China’s data export security management system?

Answer:

As cross-border data flows become more frequent, many countries and regions have explored regulatory frameworks based on their specific circumstances, enacting laws and standards to manage cross-border data flows.

China’s data export security management system is established by law. The Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL) provide clear legal provisions for cross-border data activities.

These rules apply only to important data and personal information. For important data that must be transferred abroad, legal provisions allow it to be exported if a security assessment confirms it poses no threat to national security or public interests. For personal information export, multiple pathways are available, including security assessments, protection certifications, and standard contracts.

Overall, China’s legal framework aims to ensure the secure and free cross-border flow of data for businesses while imposing necessary oversight on data involving national security and public policy objectives. General data not involving personal information or important data can flow freely across borders, while important data and personal information meeting specified thresholds can be legally transferred after passing a security assessment.


Question 2: How can consistency in the standards for negative lists of cross-border data flow across free trade zones be ensured?

Answer:

The Provisions on Promoting and Regulating Cross-Border Data Flows allow free trade zones to develop their own negative lists under the national data classification and grading protection framework.

These lists, approved by provincial cybersecurity and informatization committees and filed with the CAC and the National Data Administration, exempt data outside the lists from security assessments, standard contracts, or certification. This is an innovative measure to facilitate cross-border data flows in free trade zones.

During development, relevant authorities’ opinions are sought, and the CAC and National Data Administration review the lists during filing. If a list already exists for a specific sector, other free trade zones can adopt it without duplication. This ensures alignment with national data protection requirements and consistency across zones.


Question 3: How can the scope of negative lists for cross-border data flows in free trade zones be expanded to cover more sectors?

Answer: In line with the Provisions on Promoting and Regulating Cross-Border Data Flows, the CAC and the National Data Administration have completed filings for negative lists in free trade zones (ports) in Tianjin, Beijing, Hainan, Shanghai, and Zhejiang, promoting cross-border data flows in 17 sectors such as automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep sea and seed industry. The figure below shows 17 affected sectors.

The CAC is guiding free-trade zones to develop lists based on their industrial characteristics, with coverage expected to broaden as more lists are implemented. Updates can be monitored on the CAC website (www.cac.gov.cn) and relevant local free trade zone websites.


Question 4: How should the necessity of personal information export be understood and assessed?

Answer:

Article 6 of the Personal Information Protection Law (PIPL) stipulates that “the processing of personal information should have a clear and reasonable purpose, be directly related to the purpose of processing, and adopt methods that have the minimal impact on individual rights. The collection of personal information should be limited to the minimum scope necessary to achieve the purpose of processing, and excessive collection of personal information is prohibited.”

Article 19 stipulates that “unless otherwise provided by laws or administrative regulations, the retention period of personal information should be the shortest time necessary to achieve the purpose of processing.”

Based on the above legal provisions, the factors for determining “necessity” include being directly related to the purpose of processing, minimizing the impact on individual rights, limiting to the minimum scope necessary to achieve the purpose of processing, and retaining personal information for the shortest time necessary to achieve the purpose of processing. To implement the legal requirements, the CAC will fully consider the business scenarios and actual needs declared by data processors during its data export security assessment process. It will evaluate the necessity of personal information transfers abroad, with key assessment points including the necessity of the outbound activity itself, the necessity of the scale of individuals involved, and the necessity of the scope of personal information data items transferred abroad.

Numerous industries and fields involve cross-border data transfer. The CAC, in collaboration with relevant industry regulators, will gradually refine and clarify specific business scenarios for data export and the necessary scope of personal information transfers in various industries, providing more detailed policy guidance for enterprises and institutions conducting data outbound transfer.


Question 5: How can important data be identified?

Answer:

According to Article 62 of the Regulations on Network Data Security Management, important data refers to data in specific domains, groups, or regions, or data of certain precision and scale, whose compromise could directly threaten national security, economic operations, social stability, or public health and safety. GB/T 43697-2024, Data Security Technology – Data Classification and Grading Rules, provides guidelines for identifying important data, enabling data processors to classify and report such data in compliance with laws and standards.


Question 6: Does important data mean it cannot be transferred abroad?

Answer:

For important data that indeed needs to be transferred abroad, the law provides a regulatory framework. If the data export security assessment determines that the transfer will not harm national security or public interest, the data can be transferred abroad.

As of March 2025, the CAC has completed 298 data export security assessment projects. Among these, 44 applications involved important data, with seven failing the assessment, resulting in a failure rate of 15.9%.

These 44 applications covered 509 important data items, of which 325 were approved for export after assessment, accounting for 63.9% of the total number of declared data items.


Question 7: How do foreign-invested enterprises play a role in the process of formulating industry technical standards?

Answer:

In guiding relevant professional institutions through the process of formulating sectoral technical standards, the CAC also highly values and actively encourages the participation of both Chinese and foreign enterprises, as well as other stakeholders. This ensures that the standard-setting process fully considers the needs of relevant domestic and international parties.

First, the participation mechanism is open and transparent. The CAC directs the National Cybersecurity Standardization Technical Committee to adhere to the principles of openness, cooperation, and broad participation. It publicly solicits members for working groups on an ongoing basis. Members of the committee and its sub-working groups include a number of representative foreign-invested enterprises. These enterprises enjoy equal rights and obligations as domestic companies and institutions in terms of participating in discussions and contributing to standard development. As members of the working group, foreign-invested enterprises can participate throughout the entire process and provide opinions and suggestions at all stages of standard development.

Second, the procedures for standard-setting are open and transparent. Standard requirements and co-authoring organizations are solicited publicly from society, and public comments are sought on draft standards, which ensures fairness and impartiality for all relevant parties involved in the standard-setting process.


Question 8: Are there more convenient channels for cross-border personal information transfers within corporate groups?

Answer:

On the one hand, if multiple domestic subsidiaries belong to the same corporate group and their cross-border data transfer scenarios are similar, the parent company can act as the filing entity to consolidate and submit applications for data export security assessments or file standard contracts for personal information transfers abroad. This approach improves the efficiency of cross-border data workflows.

On the other hand, the CAC is promoting the introduction of relevant management measures for certification of personal information protection in cross-border transfers. These measures will guide third-party professional certification bodies to certify cross-border personal information transfer activities.

Once either the domestic enterprise or the overseas recipient passes the certification, the enterprise can conduct personal information transfers abroad within the scope of the certification. For multinational groups that have passed the certification, personal information transfers can be conducted within the group without the need to separately sign standard contracts for personal information transfers with subsidiaries in different countries.


Question 9: Is there a specific process for extending the validity period of data export security assessment results?

Answer:

The Provisions on Promoting and Regulating Cross-Border Data Flows extend the validity period of data export security assessment results from the original 2 years to 3 years. They also clarify that if the validity period expires and the data processor needs to continue conducting cross-border data activities, with no circumstances requiring a re-application for a data export security assessment, the data processor may apply to extend the validity period of the assessment results within 60 working days before the expiration. The application is submitted through the provincial cyberspace administration department to the national cyberspace administration department.

Upon approval by the national cyberspace administration, the validity period of the assessment results can be extended for another 3 years. Currently, the CAC is actively soliciting opinions from all parties and expediting research on the process for extending the validity period of assessment results. It plans to clarify this process by revising and issuing relevant policy documents, thereby creating more favourable conditions for enterprises and institutions engaging in data export activities.

 
