The Cyberspace Administration of China (CAC) released an important Q&A on cross-border data transfer requirements and policies in early April, providing clarification on a number of issues of concern to companies in China. Key points include:
Data other than important data and personal data can flow freely across borders. The Q&A emphasizes that, in principle, the requirements of Chinese law are intended to ensure the security and free flow of data. They apply only to personal data and important data because the transfer of such data outside of China may affect national security and public interests.
The methodology for assessing the necessity of transferring personal data outside China has been further elaborated. The CAC will consider whether there is a necessity for the transfer itself, the types of data subjects involved, and the categories of personal data transferred (each an “assessed factor”). The necessity test is satisfied with respect to an assessed factor if (i) the data to be transferred are directly related to, limited to the minimum necessary for, and retained only for the time required to achieve the purposes of the processing, and (ii) the processing has a minimal impact on the data subjects concerned. Thus, the context of the transfer is very important. The Chinese authorities will formulate sector-specific guidance to assist companies in assessing necessity in different transfer contexts.
Important data can be transferred outside of China if a security assessment shows that the transfer will not endanger national security or public interests. As of March 2025, the central CAC has completed a total of 44 applications for transferring important data outside of China. Seven of these 44 applications failed the assessment, a failure rate of 15.9% at the application level. The 44 applications include 509 important data fields, of which 325 were allowed to be transferred outside China after the assessment, a success rate of 63.9% at the data field level.
As to the scope of important data, the Q&A provides that companies may identify the important data that they process in accordance with a national standard (i.e. GB/T 43697-2024 Technical Data Security Data Classification and Grading Rules Appendix G Guidelines for Identifying Important Data) and report the identification results to the relevant authorities. At the same time, the Q&A restates and emphasizes that companies do not need to make assessment applications for transferring important data outside of China unless they have been notified by the authorities that the data being processed is important data, or the data has been included in a public important data catalogue.
There are certain convenient channels that international organizations may consider to legitimize their intra-group transfers. For example, if several Chinese affiliates are transferring data outside of China in the same or similar patterns, they may choose a representative and make a filing or application on a group basis. If the transfers are more complex, the group affiliates, both inside and outside China, may consider applying for a transfer compliance certificate to cover all intra-group transfers. This certificate will exempt the covered affiliates from the requirement to sign stand-alone bilateral Standard Contractual Clauses (SCCs).
More flexible transfer arrangements will be made available to companies registered in free trade zones (FTZs). At present, the FTZs in Tianjin, Beijing, Hainan, Shanghai, Zhejiang and other places have published negative lists covering cross-border data transfers in 17 sectors, such as automobiles, medicine, retail, civil aviation, reinsurance, deep-sea industry and seed industry. Transfers covered by the negative lists can be exempted from the requirements of signing SCCs, making filings, or obtaining government approvals. More importantly, according to the Q&A, if one FTZ has already published a negative list for the same sector, the other FTZs can directly refer to and implement it. This means that companies registered in different FTZs may be able to benefit from the same policy.
Overall, this Q&A has sent a positive signal. After completing the necessary compliance actions, companies can transfer personal data and important data outside of China to carry out legitimate intra-group management and international business activities. The Chinese authorities are committed to further clarifying the rules and providing flexible arrangements for data transfers. As relevant guidelines and standards continue to be issued, “no clear rules” will no longer be a reasonable excuse. For companies that have not yet taken steps to address cross-border data transfers, we recommend that they plan and begin this work as soon as possible.