China Issues Further Clarifications on Cross-Border Data Transfer Rules
On October 31, 2025, the Cyberspace Administration of China (CAC, 国家互联网信息办公室) released a new FAQ following its April 2025 guidance, further clarifying the implementation of China’s cross-border data transfer regime and offering additional practical guidance for data processors. We summarize the key content of the FAQ and analyze its implications below.
1. Exemptions From the Provisions on Promoting and Regulating Cross-Border Data Flows (the Provisions, 促进和规范数据跨境流动规定)
Article 5 of the Provisions states that certain data transfer scenarios may be exempted from the requirement that data processors complete one of three standard data transfer mechanisms for cross-border transfer of personal information: Security Assessment (数据出境安全评估), Standard Contractual Clauses (SCC Filing, 个人信息出境标准合同备案), or Personal Information Protection Certification (PIP Certification, 个人信息保护认证).
In the October 2025 FAQ, the CAC states that exemptions from these cross-border data transfer obligations should be narrowly construed:
- Data transfer for contract performance. Article 5(1)(a) of the Provisions provides an exemption if data is transferred —
“For the conclusion or performance of a contract to which an individual is a party — such as cross-border shopping, shipping, remittance, payment, account opening, hotel and flight booking, visa application, or examination services — where it is necessary to transfer personal information abroad…”
The FAQ clarifies that the examples listed in Article 5(1)(a) are illustrative rather than exhaustive. To qualify for this exemption, both of the following conditions must be met: (1) the transfer is for the conclusion or performance of a contract to which the individual is a party, and (2) it is necessary to transfer the personal information abroad.
- Data transfer for HR management. Article 5(1)(b) of the Provisions provides an exemption —
“Where cross-border human resources management is carried out under lawfully formulated employment rules and policies or lawfully concluded collective employment contracts, and it is necessary to transfer employees’ personal information abroad…”
The FAQ emphasizes that to qualify for this exemption (1) such transfers must be necessary for the purpose of HR management, (2) the scope of any transfers must be limited to employees’ personal information directly relevant to HR management, and (3) companies should transfer the personal information in a way that minimizes impact on employees. Companies should not transfer employees’ higher-risk personal information such as ID number, passport information, or bank account information without first checking if the potential transfer meets these three criteria.
The FAQ also emphasizes that companies transferring personal information abroad must still comply with other basic obligations under PIPL and other applicable regulations, including notifying the relevant individuals, obtaining separate consent for cross-border transfer, and conducting a personal information protection impact assessment (PIA, 个人信息保护影响评估).
2. Updates on Security Assessment Requirements
The FAQ provides additional clarifications on when and how companies should conduct a Security Assessment for cross-border data transfers.
- Deadline for applying for a Security Assessment for Important Data. Important Data are limited to data that may pose risks to national security or the public interest if leaked, and are usually related to national defense, nuclear energy, biosecurity, macroeconomics, public healthcare, and other key areas of importance to the nation. The processing and transfer of Important Data is heavily regulated in China.
Article 2 of the Provisions states that if data has not been identified or publicly announced as Important Data by the relevant authorities or regions, data processors are not required to apply for a Security Assessment for its cross-border transfer.
The CAC in its May 2025 FAQ notes that the identification and determination of Important Data in each industry is controlled by the relevant government authorities, e.g., the National Medical Products Administration has responsibility for determining Important Data for the life sciences industry. In practice, government authorities are expected to promptly notify companies when the identification and determination of Important Data in their industry is completed.
The FAQ clarifies that if a data processor is notified that it holds Important Data or if a public announcement to that effect is made, the data processor must apply for a Security Assessment within two months of the notification, and any transfers of Important Data should stop until after the Security Assessment is complete. Given that there is no grace period for the two-month deadline, the FAQ recommends that companies prepare the necessary application materials for Security Assessment while the process of identifying and determining whether data is Important Data is ongoing.
The identification and determination of Important Data in various industries is currently in progress and companies should watch closely for updates from the relevant government authorities for their industry.
- Determination of cross-border data transfer. The Guidelines for Data Export Security Assessment (Version 3) (数据出境安全评估申报指南(第三版)), effective June 27, 2025, provide that if overseas personnel (e.g., staff of overseas institutions or organizations) can access data stored in mainland China, such access is deemed a cross-border data transfer. The FAQ clarifies that when overseas personnel travel to mainland China and access data locally without transferring the data abroad, such access is NOT deemed to be cross-border data transfer, and that whether a cross-border data transfer occurs depends on where the access takes place.
- Conditions triggering reassessment. According to the Measures for Security Assessment of Cross-border Data Transfers (数据出境安全评估办法), effective September 1, 2022, data processors must reapply for Security Assessment if there are substantial changes to their data transfer scenarios, such as changes to the purpose, scope, type, or method of transfer; the overseas recipient’s processing activities and retention period; applicable foreign laws; or other circumstances that may affect the security of cross-border data transfers. The FAQ clarifies that routine system upgrades or replacements generally do not require reassessment unless they impact the security of data transfers.
3. Clarifications Regarding SCC Filing
The FAQ further clarifies the practical implementation of the SCC Filing mechanism, providing more detailed guidance on when re-filing is required and how continuous transfers should be handled.
- SCC Filing for continuous cross-border transfer of personal information. The FAQ confirms that if personal information is continuously transferred to the same overseas recipient and the annual volume of transfers remains within the SCC Filing thresholds, companies may file SCCs once based on a reasonable estimate of total annual transfers, without repeated filings. For example, if the China subsidiary of a multinational company transfers data to its overseas headquarters on a regular basis, and the volume and type of data remain relatively consistent, the subsidiary could potentially file SCCs once and not need to repeatedly file every year. However, if the cumulative transfer volume exceeds the thresholds that trigger a Security Assessment (e.g., more than 1 million individuals’ personal information or the sensitive personal information of 10,000 individuals calculated from January 1 of the relevant year), the data processor must apply for a Security Assessment.
- Conditions triggering re-filing. The Measures for Standard Contractual Clauses for Cross-Border Transfer of Personal Information (个人信息出境标准合同办法), effective June 1, 2023, provide that companies should update or revise their SCC filing if, during the valid period of an existing filing, there are substantial changes, including changes in the purpose of transfer, server location, data recipients, or other conditions impacting individuals’ rights. The FAQ emphasizes that when a company engages in new cross-border data transfers, it needs to consider whether such new transfers are “substantial” enough that they would require an update or revision to the SCC Filing. Currently, the CAC has not provided any simplified process for updating or revising an existing SCC Filing, meaning that if re-filing is required, processors will need to file an updated version of the entire package of materials submitted with the original SCC Filing.
- Disclosure of Onward Transfers. The FAQ clarifies that if the overseas recipient intends to transfer the personal information onward to a third party abroad, this must be explicitly disclosed in Appendix I (titled “Description of the Cross-Border Transfer of Personal Information”) of the SCC filing.
4. Implementation of PIP Certification
Following the release of the Measures on Certification for Cross-Border Transfer of Personal Information (Measures, 个人信息出境认证办法) on October 14, 2025, the FAQ provides further guidance on the implementation of PIP Certification. The FAQ notes that during the PIP Certification process, both CAC-Approved Certification Institutions and companies applying for certification should refer to two key guidance documents:
- The Announcement on the Implementation of Personal Information Protection Certification (关于实施个人信息保护认证的公告). Key points from this announcement include:
  - Provides two types of PIP Certifications: one without cross-border data transfer, the other with cross-border data transfer
  - Specifies the PIP Certification process: technical verification, on-site review, and post-certification supervision
  - Provides general implementation procedures for PIP Certification
  - Sets out requirements for the PIP Certification issued, including period of validity, renewal, revocation, and publication
- The national standard Data Security Technology — Security Certification Requirements for Cross-Border Processing Activity of Personal Information (GB/T 46068-2025) (数据安全技术—个人信息跨境处理活动安全认证要求). Key points from this standard include:
  - Specifies the scope, objectives, and general requirements for certification of cross-border processing of personal information, providing guidance for data processors, Certification Institutions, and regulators
  - Lists personal information rights and the responsibilities and obligations of the data processor and the foreign recipients such as notification, consent, and retention of processing records
  - Provides typical scenarios relating to cross-border transfer of personal information
In accordance with the Measures, the CAC will also publish a list of approved professional Certification Institutions on its official website. This development indicates that PIP Certification may become a more practical compliance pathway, particularly for multinational companies and large digital platforms seeking to facilitate internal or intra-group cross-border data transfers. For more detailed analysis of the PIP Certification regime, please see our November 13, 2025 Advisory.
For questions on this or any other subject, please reach out to the authors or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.