China Clarifies Cross-Border Data Transfer Rules: Practical Guidance for Compliance
In recent years, China has established a comprehensive legal framework for cross-border data transfers through the Cybersecurity Law (CSL, 网络安全法), the Data Security Law (DSL, 数据安全法), the Personal Information Protection Law (PIPL, 个人信息保护法), and other regulations. On April 9, 2025, the Cyberspace Administration of China (CAC, 国家互联网信息办公室) published an FAQ for cross-border data transfers. While the FAQ is not legally binding, it reflects the CAC’s attitude towards cross-border data transfer and provides practical guidance for data processors. We have summarized the key content of the FAQ and other recent regulatory updates below.
1. Legal Framework for Cross-Border Data Transfer
The CAC reiterates that the current cross-border data transfer regime mainly regulates important data and personal information, and other types of data may be freely transferred overseas. Current laws and regulations provide three mechanisms to transfer important data and personal information abroad, including a Security Assessment performed by the CAC (Security Assessment, 数据出境安全评估), Personal Information Protection Certification issued by CAC-approved institutions (PIP Certification, 个人信息保护认证), and filing Standard Contractual Clauses (SCC Filing, 个人信息出境标准合同备案).
The CAC states that when conducting Security Assessment or reviewing SCC filings, it considers whether the transfer is necessary, whether the number of individuals affected is proportionate to the business purpose, and whether the scope of personal information collected and processed is appropriately limited. The FAQ also indicates that additional industry-specific guidance will be developed going forward to help businesses evaluate whether transfers are “necessary” within specific industry contexts.
2. Free Trade Zone “Negative Lists”
Free trade zones (FTZs, 自贸试验区) are permitted to develop “negative lists” for cross-border data transfer, meaning that all data is exempted from the general legal framework and can be transferred cross-border from these FTZs without restriction, so long as the data is not contained on the “negative lists.” Significantly, the FAQ confirms that “negative lists” enacted by one FTZ will be automatically effective in other FTZs to ensure consistency across regions.
At present, FTZs in Tianjin, Beijing, Hainan, Shanghai, and Zhejiang have released “negative lists” covering 17 industry sectors. In its FAQ, the CAC states that it encourages FTZs to develop additional “negative lists” tailored to local industries, with further expansion expected in the coming months.
It is noteworthy that the Beijing FTZ published a “negative list” in August 2024 which covers, among other sectors, the automobile and life sciences industries. Although the Shanghai FTZ also published a “negative list” in 2025, it only covers reinsurance, international shipping, and membership programs run by retailers, the food and beverage industry, or hotels. The CAC’s confirmation allows companies in industries that are not covered by the “negative lists” published by their local FTZs to refer to the Beijing FTZ “negative list” or “negative lists” from other FTZs when determining their cross-border data transfer obligations.
3. Identification and Cross-Border Transfer of Important Data
The CAC reiterates the definition of important data and clarifies that data processors do not need to treat their data as important data unless the relevant government authorities specifically notify them.
The CAC reiterates that important data is defined as data related to specific domains, populations, or regions, or data of a certain scale or sensitivity, such that its leakage or breach may endanger national security, economic stability, social order, or public health. The CAC also recommends that data processors refer to industrial standards for further guidance, including the standard “Data Security Technology — Data Classification and Categorization Rules (GB/T 43697-2024).”
The CAC notes, however, that important data can still be transferred abroad if it passes Security Assessment, stating that as of March 2025, CAC has completed the review of 298 Security Assessment submissions, 44 of which involved important data, and that of these 44 submissions, seven failed Security Assessment. The CAC also noted that these 44 submissions covered 509 data items, of which 325 were approved for cross-border transfer.
4. Cross-Border Data Transfer for MNCs
The CAC confirms that for multinational corporations (MNC) with multiple subsidiaries in China that share similar businesses, one of the subsidiaries may submit a Security Assessment or SCC Filing on behalf of all related entities. In addition, the CAC encourages MNCs to apply for PIP Certification, which to date has only been used by large-scale internet platforms such as Alibaba and JD.com, noting that personal information can be transferred within a company group and across borders more efficiently if the Chinese subsidiary or MNC headquarters obtains PIP Certification.
The CAC also states that it encourages MNCs to participate in shaping data privacy policy, including by participating in the design and review of industrial standards.
5. Extension of Security Assessments and Updates to SCC Filings
The CAC notes that the validity of approved Security Assessments has been extended from two years to three years. Data processors may apply for an extension if they need to continue their existing data transfer and there is no change that would trigger an update to the Security Assessment submission. Data processors should submit their extension applications through the provincial CAC within 60 working days before the validity period expires. The CAC is still developing a formal detailed process for extension applications.
An SCC filing is valid as long as the SCC remains valid. Data processors need to submit an updated or revised SCC Filing if there are changes in the transfer purpose, server location, data recipients, or other conditions provided in the relevant regulations. Changes in the volume (but not type) of data transferred will not require an update or revision to the SCC Filing, as long as such change does not cause the total volume of data transferred to cross the threshold that would require Security Assessment (i.e., if the personal information of more than one million individuals or the sensitive personal information of more than 10,000 individuals is transferred abroad within a year).
For questions on this or any other subject, please reach out to the authors or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.