Cross-border data transfers from China: the latest FAQs

In recent years, data governance in China has become increasingly important for multinational companies operating within a complex and ever-evolving regulatory framework. With the aim of providing operational interpretative guidance, the Cyberspace Administration of China (the “CAC”) has recently published a series of FAQs on cross-border transfers of personal data (available here, in Chinese), with particular attention to the transfer mechanisms set out in the Personal Information Protection Law (“PIPL”): the security assessment procedure, the execution of standard contracts, and the certification processes.

While not legally binding, these FAQs serve as a valuable operational tool for both Chinese and foreign companies that process personal data within the territory of the People's Republic of China. The document helps to outline a more predictable framework, while still adhering to China’s strict regulatory approach, introducing elements of simplification and opportunities for a more effective and efficient compliance strategy.

Among the various clarifications provided, particularly significant are those concerning the definition and applicable rules for so-called general data, as well as the processing of important data and procedural simplification measures, with specific reference to Free Trade Zones (FTZs) [1]. These categories form the basis for the preliminary assessments that companies must conduct to determine whether, and to what extent, cross-border transfer mechanisms must be activated.

General data: when data can flow freely

One of the most significant developments concerns the prospect for so-called general data – that is, data which does not fall under the definition of personal data or important data[2] – to be transferred outside Chinese territory without being subject to the restrictive measures applicable to other data categories (for example, the mechanisms stipulated by the PIPL).

Although the Chinese legal framework (including the Cybersecurity Law, the Data Security Law, and the PIPL) does not precisely define the category of general data, regulatory practice – particularly standard GB/T 43697-2024 – regards such data as residual to personal and important data. This clarification could help to reduce interpretative uncertainty and allow economic operators to assess their data flows with greater legal certainty, making it easier to identify any transfer-related obligations.

The principle is further explained within the context of FTZs, where the distinction between positive lists and negative lists allows for more targeted management of data flow regulations. Specifically:

  • positive lists (e.g., Shanghai), which explicitly identify data that may be exported without particular restrictions;
  • negative lists (e.g., Tianjin, Beijing), which specify certain data categories or sectors subject to stricter requirements.

This framework also directly reflects the principle of necessity, which conditions the lawfulness of cross-border transfers in the case of personal data.

The principle of necessity in cross-border transfers

Continuing with the distinction among data categories, the FAQs confirm that cross-border transfers of personal data are subject, under the PIPL, to the principle of necessity. This principle is the fundamental basis for triggering any of the mechanisms provided for by Chinese law.

In this context, the document clarifies that, both in the self-assessment phase and in the subsequent security assessment conducted by the CAC, the following criteria must be evaluated:

  • the direct correlation between the transfer and the purposes of processing;
  • minimization of the impact on the fundamental rights and freedoms of the data subject;
  • limitation of the transfer to only strictly necessary data;
  • provision for a limited and proportionate retention period.

These criteria, established in Articles 6[3] and 19[4] of the PIPL, require a structured and documented ex ante assessment aimed at demonstrating the proportionality of processing throughout the data lifecycle.

These conditions are even more critical in the case of important data, a category that the CAC addresses separately and with greater scrutiny.

The FAQs dedicate a specific section to important data, noting that classification as such necessarily triggers the security assessment mechanism. Although the FAQs also refer to important data, there is still no official, exhaustive, and publicly accessible list of data falling under this definition.

In the absence of such a list, the FAQs clarify that if a data controller proactively declares the type of data being processed and the data are not formally classified as important by the competent authority, the requirement to conduct a security assessment does not apply.

This reveals a potential degree of flexibility for companies, which can shape their compliance strategies based on actual risk levels and transparency with authorities.

Simplification mechanisms and burden reduction for multinationals

Aligned with the goal of promoting simplification and reducing administrative burden, the FAQs introduce several measures in favor of businesses, especially those belonging to multinational groups.

Among these, it is worth highlighting the possibility for a parent company to submit a single application to the CAC on behalf of its subsidiaries, both for the security assessment and for the signing of the standard contract, as required by the PIPL. This option would enable streamlined documentation, standardized internal processes, and a reduced risk of inconsistencies.

However, these simplifications apply only when the subjective criteria provided by the PIPL are met. For example, if a single legal entity processes a volume of data below the thresholds set by the regulatory provisions, the transfer may occur without activating the specific mechanisms under the PIPL. It must be noted, though, that consolidating the data processed by multiple subsidiaries could lead to exceeding the applicable thresholds, thereby generating additional obligations that were not originally anticipated.

Finally, the FAQs provide that groups of companies that have obtained certification may carry out intra-group transfers across different jurisdictions without needing to sign separate standard contracts for each recipient entity. This represents another step toward scalable and consistent compliance.

The CAC’s FAQs appear to be part of a broader evolution of China’s data protection regulatory framework, aiming to balance sovereign control over strategic data with the need to ensure operational continuity for economic actors, including foreign entities.

In a global context marked by regulatory fragmentation and the coexistence of different models – such as the European GDPR or the recent AI Act – it becomes essential for companies to adopt an integrated, dynamic compliance approach based on solid documentation and organizational structures.

Thus, compliance is not merely a matter of legal obligation, but of deeply understanding the legal and cultural logic driving local regulation. Only then can companies operate in a lawful, effective, and competitive manner in an increasingly interconnected and data-driven global environment.


[1] Chinese Free Trade Zones (FTZs) are designated geographic areas within Chinese territory (e.g., Shanghai, Guangdong, Zhejiang, Tianjin, etc.), each with specific features tailored to its geographic location and local economic priorities. These zones implement more simplified and business-friendly economic and regulatory policies compared to the rest of the country. The main goal of the Chinese authorities is to attract foreign investment, promote international trade, and pilot economic reforms that, if proven effective, may later be extended to other parts of China.

[2] Article 19 of the Measures for Security Assessment of Data Exports (in Chinese: "数据出境安全评估办法"), published on July 7, 2022, and in effect since September 1, 2022, specifies that "important data" ("重要数据") refers to any information which, if tampered with, damaged, destroyed, leaked, or obtained or used illegally, could endanger national security, economic operations, social stability, public health, and public safety, etc.

[3] Article 6 of the PIPL – The processing of personal data must have a defined and reasonable purpose and must be directly related to that purpose, using a method that has the least impact on the rights and freedoms of the data subjects.
The collection of personal data must be limited to what is strictly necessary to achieve the purpose of the processing; excessive collection of personal data is not permitted.

[4] Article 19 of the PIPL – Unless otherwise provided by laws or administrative regulations, the retention period of personal data must be limited to the time strictly necessary to achieve the purposes of the processing.