How Can I Legally Transfer Data Out of China? Understanding China’s Cross-Border Data Transfer Laws

By Marcos Sabio. Last Updated on Jul 15, 2025

China’s data governance framework has evolved significantly in 2025, with new regulations and clarifications that reshape how businesses handle cross-border data transfers. The introduction of the Network Data Security Management Regulations in January 2025, combined with the Cyberspace Administration of China’s (CAC) comprehensive Q&A guidance in April, provides greater clarity for foreign businesses operating in China’s digital economy.

What Is the New Regulatory Foundation for Data Transfers?

What Are the Network Data Security Management Regulations?

The Network Data Security Management Regulations, which came into effect on January 1, 2025, represent a major milestone in China’s data governance evolution. These regulations establish a comprehensive framework for data security management that applies to both domestic and international entities engaged in data processing activities within China.

Key Scope and Applicability:

  • Applies to all entities processing data related to individuals or organisations in China
  • Covers foreign-based entities offering products or services in China
  • Extends to organisations analyzing or evaluating behavior within China
  • Includes handling of “important” domestic data by international companies

The regulations build upon China’s existing data protection framework, including the: 

Altogether providing detailed implementation guidance that businesses have long awaited.

What Is the Provisions on Promoting and Regulating Cross-border Data Flows?

Promulgated in 2024, China’s Provisions on Promoting and Regulating Cross-border Data Flows introduced key updates that affect how businesses handle personal information (PI) transfers abroad. While some core principles remain unchanged, new exemptions and thresholds significantly shift compliance requirements for many companies.

What Remains the Same?

  • Definition of Personal Information (PI): Data remains classified as PI even if anonymized or encrypted—so long as it can be re-identified after decryption.
  • Data Localization: Businesses must still store personal data in China before exporting it, regardless of exemptions.

What Has Changed?

1. Industry-Based Exemptions (Article 5.1 to 5.3)

Businesses are exempt from all cross-border data compliance procedures if the transfer is essential for:

  • Fulfilling a contract involving an individual (e.g., cross-border shopping, payments, flight/hotel bookings).
  • Managing cross-border HR operations according to employment laws.
  • Protecting life, health, or property during emergencies.

Note: Exemptions are limited to specific sectors. Broader interpretations (e.g., general app logins) do not qualify.

2. Volume-Based Exemptions (Article 5.4)

Businesses handling PI of less than 100,000 individuals annually (excluding sensitive data) are fully exempt from all compliance procedures.

3. Security Assessment Thresholds (Article 7)

Mandatory for businesses handling:

  • 1 million+ PI or
  • 10,000+ sensitive PI (SPI) per year

Security assessments are valid for 3 years, with an optional extension.

4. Standard Contract Requirement (Article 8)

Applies to businesses handling:

  • 100,000–1 million PI, or
  • Up to 10,000 SPI annually

Such businesses must sign a standard contract or undergo PI protection certification.

5. Free Trade Zone Exemption Path (Article 6)

Companies located in designated pilot free trade zones may bypass security assessments or contracts if their data types fall outside locally defined negative lists.

What Does the CAC’s Cross-Border Data Transfer Q&A (April 2025) Clarify?

In April 2025, the CAC released comprehensive Q&A guidance on cross-border data transfer policies, addressing practical implementation challenges that have posed difficulties for multinational companies. Below are translations from the official Q&A transcript:

Question 1: What constitutes “general data” and can it flow freely across borders?
Clarification: General data is defined as data excluding important and core data. The CAC confirmed that general data can flow freely across borders without requiring security assessments, standard contracts, or other compliance procedures. This represents the majority of routine business data.

Question 2: How should companies assess the “necessity” of personal information exports?
Clarification: The CAC established four specific criteria: direct relationship to the processing purpose, minimal impact on individual rights, minimum scope requirement, and shortest retention period. Companies must demonstrate that a data export meets all four criteria to satisfy the necessity requirement.

Question 3: How can companies identify whether their data qualifies as “important data”?
Clarification: Companies should use the national data classification standard (GB/T 43697-2024) and consult industry-specific guidelines. The CAC emphasized that data previously declared as important but not officially designated may not require security assessments.

Question 4: What streamlined processes are available for multinational corporations?
Clarification: The CAC confirmed that parent companies can submit unified security assessments for subsidiaries, that validity periods are extended from 2 to 3 years, and that certified multinational groups can transfer data internally without separate contracts for each subsidiary.

Question 5: How do Free Trade Zone negative lists work in practice?
Clarification: If one FTZ has issued a negative list for a specific industry, other FTZs can reference this list rather than creating new ones. This ensures consistency across different FTZs and reduces the administrative burden for businesses operating across multiple zones.

These clarifications not only show the CAC’s openness and willingness to clarify difficult-to-understand aspects of cross-border data transfer (CBDT), but also show a level of encouragement for foreign investment and cooperation in the domestic market.

How Does China’s Data Classification System Work?

What Are the Three Tiers of Data Classification?

China’s data governance operates on a three-tier classification system that determines the level of regulatory oversight required:

General Data:

  • Defined as data excluding important and core data
  • Can flow freely across borders without additional compliance requirements
  • No mandatory security assessments or standard contracts required
  • Represents the majority of routine business data

Important Data:

  • Data in specific fields, groups, or regions that could endanger national security, economic operation, social stability, or public health if compromised
  • Requires security assessment before export
  • Must be handled by designated data security personnel in organizations processing large volumes
  • Subject to strict risk assessment and reporting requirements

Core Data:

  • Data with high coverage, precision, and scale that could affect political security if misused
  • Primarily includes data related to national security, economic lifelines, and major public interests
  • Subject to the most stringent controls and restrictions

How Can Foreign Businesses Identify Data Classification?

For foreign businesses, the challenge lies in accurately identifying which data falls into each category. The CAC’s guidance provides practical clarification:

  • Companies can rely on the official national data classification standard (GB/T 43697-2024)
  • If data has been declared as important but not officially designated, companies may not need security assessments
  • Free Trade Zones (FTZs) offer alternative classification through negative lists

To read more about China’s data classification, read the full AppInChina guide.

What Opportunities Do Free Trade Zones Offer?

How Does the Negative List Approach Work?

China’s FTZs have emerged as testing grounds for more flexible data transfer policies. Currently, five major FTZs have implemented negative list approaches:

  • Tianjin FTZ: China’s first negative list for cross-border data transfer
  • Beijing FTZ: Comprehensive negative lists covering multiple industries
  • Shanghai FTZ: Both negative lists and general data catalogs
  • Zhejiang FTZ: Industry-specific negative lists
  • Hainan Free Trade Port: Broader negative list coverage

Industries Covered: The negative lists currently cover 17 industries including:

  • Automotive
  • Pharmaceuticals
  • Retail
  • Civil aviation
  • Reinsurance
  • Deep-sea industry
  • Seed industry
  • Biopharmaceuticals
  • Mutual funds

How Are FTZs Standardized Across China?

The CAC’s guidance emphasizes consistency across different FTZs. If one FTZ has issued a negative list for a specific industry, other FTZs can reference this list rather than creating new ones. This approach ensures:

  • Continuity across different FTZs
  • Compliance with national data classification standards
  • Reduced administrative burden for businesses operating across multiple zones
  • Accelerated expansion of negative list coverage

What Are the Personal Information Export Requirements?


How Does the Necessity Assessment Framework Work?

One of the most significant clarifications in the 2025 guidance concerns the “necessity” assessment for personal information exports. The CAC has established four key criteria for determining necessity:

  1. Direct Relationship to Processing Purpose: The export must be directly related to the intended data processing purpose
  2. Minimal Impact on Individual Rights: The transfer should minimize impact on individual rights and interests
  3. Minimum Scope Requirement: Data collection should be limited to the minimum scope necessary
  4. Shortest Retention Period: Data retention should be for the shortest time necessary to fulfill the purpose

What Are the Compliance Pathways for Personal Information?

Companies have three main pathways for personal information exports:

Security Assessment:

  • Required for large-scale personal information exports
  • Validity period extended from 2 to 3 years
  • Extension possible for another 3 years if no material changes occur
  • Applications for extension must be submitted 60 working days before expiration

Standard Contracts:

  • Suitable for smaller-scale exports
  • Streamlined process for group companies
  • Multinational corporations can avoid repeated contract signing through certification

Personal Information Protection Certification:

  • Third-party certification system being developed
  • Once certified, either domestic or overseas entities can conduct transfers
  • Particularly beneficial for multinational groups with complex data flows

Below is a summary of compliance pathways for CBDT by data volume and type:

Data Volume / Type      | Compliance Route                    | Validity
<100k PI                | Exempt                              | N/A
100k–1m PI / <10k SPI   | Standard Contract or Certification  | 3 years
>1m PI or >10k SPI      | Security Assessment                 | 3 years

What Are the Realities of Important Data Export?

Is Important Data Actually Prohibited from Export?

Contrary to common belief, important data is not automatically prohibited from export. The CAC’s statistics reveal the actual landscape:

  • 298 security assessment projects completed by March 2025
  • 44 projects involved important data
  • 7 of the 44 important-data projects rejected (15.9% rejection rate)
  • 325 out of 509 important data items approved for export (63.9% approval rate)

These statistics demonstrate that while important data requires careful assessment, export is often possible when properly justified and secured.

How Can Companies Identify Important Data?

The regulations provide guidance on identifying important data:

Companies must establish dedicated data security management systems and designate responsible personnel for important data handling.

How Are Multinational Corporations Getting Streamlined Compliance?

What Advantages Do Group Companies Have?

The 2025 guidance introduces several measures to reduce compliance burden for multinational corporations:

Consolidated Applications:

  • Parent companies can submit unified security assessments for subsidiaries
  • Reduces individual compliance requirements for each subsidiary
  • Particularly beneficial for companies with similar business models across entities

Extended Validity Periods:

  • Security assessment validity extended from 2 to 3 years
  • Possibility of further 3-year extensions
  • Reduces frequency of reapplication requirements

Certification Benefits:

  • Certified multinational groups can transfer data internally without separate contracts
  • Third-party certification system being developed
  • Eliminates need for repeated contract signing with each subsidiary

What Are the Best Implementation Strategies?

For multinational corporations, the key strategies include:

  1. Centralized Data Governance: Establish group-wide data classification and management systems
  2. Strategic FTZ Utilization: Consider establishing operations in FTZs with relevant negative lists
  3. Proactive Important Data Declaration: Declare important data proactively to avoid unnecessary assessments
  4. Certification Preparation: Prepare for upcoming certification systems to streamline future operations

What Are the Enhanced Data Security Requirements?

What Comprehensive Protection Measures Are Required?

The new regulations mandate comprehensive data security measures:

Technical Safeguards:

  • Data encryption and backup systems
  • Access controls and security authentication
  • Regular security assessments and vulnerability testing
  • Incident response and emergency procedures

Administrative Requirements:

  • Designated data security personnel for large-scale processors
  • Three-year minimum record retention for personal information and important data
  • Contractual agreements for third-party data sharing
  • Regular risk assessments and security drills

Incident Response:

  • Immediate notification of affected parties in case of security incidents
  • Detailed reporting to relevant authorities
  • Comprehensive incident documentation and remediation plans

What Are the Penalties for Non-Compliance?

The regulations establish clear penalties for non-compliance:

Administrative Penalties:

  • Warnings and rectification orders
  • Fines ranging from CNY 100,000 to CNY 10 million, depending on the severity of the violation
  • Potential business suspension for serious violations

Additional Consequences:

  • Civil liability for damages
  • Criminal charges for severe violations
  • Regulatory scrutiny and increased oversight

What Are the Industry-Specific Considerations?

How Does Sector-Specific Guidance Work?

The CAC has indicated that industry-specific guidance will be developed to provide more targeted policy direction:

Current Industry Focus:

  • Automotive: Detailed guidance on vehicle data and user information
  • Healthcare: Specific requirements for medical data and patient information
  • Financial Services: Enhanced requirements for financial data and transaction records
  • Telecommunications: Specialized rules for network and communication data

How Can AppInChina Help?

The future of cross-border data transfers in China depends on businesses’ ability to balance legitimate operational needs with regulatory compliance. The 2025 updates provide the foundation for this balance, but success will require ongoing attention to regulatory developments and proactive engagement with China’s evolving data governance ecosystem. At AppInChina, we can help with:

  • Compliance Audits: We assess your data collection and export practices against the latest CBDT rules, including thresholds for PI, SPI, and important data.
  • Legal Guidance: Our team helps you understand whether your operations qualify for exemptions, need a standard contract, or require a full security assessment.
  • Document Preparation: We draft, localize, and submit the required documentation, whether for Standard Contract or security assessments.

Whether you’re scaling operations, entering China for the first time, or reassessing risk under the new framework, AppInChina offers a fast and reliable path to compliance. Contact us to get started!