https://www.cac.gov.cn/2025-04/09/c_1745906286623776.htm - in Chinese only
On 9 April, China’s CAC issued a set of 𝗙𝗔𝗤𝘀 𝗼𝗻 𝘁𝗵𝗲 𝗖𝗵𝗶𝗻𝗲𝘀𝗲 𝗱𝗮𝘁𝗮 𝗲𝘅𝗽𝗼𝗿𝘁 𝗹𝗲𝗴𝗮𝗹 𝗿𝗲𝗴𝗶𝗺𝗲.
🛡️ 𝗦𝗰𝗼𝗽𝗲 𝗼𝗳 𝗿𝗲𝘀𝘁𝗿𝗶𝗰𝘁𝗶𝗼𝗻𝘀: Data export restrictions under Chinese laws apply only to ‘important data’ and ‘personal information’. This highlights the need for organisations subject to China’s data laws to classify any such data in their possession, in order to effectively address compliance requirements.
🔐 𝗥𝗲𝘀𝘁𝗿𝗶𝗰𝘁𝗶𝗼𝗻𝘀 - 𝗶𝗺𝗽𝗼𝗿𝘁𝗮𝗻𝘁 𝗱𝗮𝘁𝗮: By default, important data must be stored in China. Exporting important data requires going through a security assessment conducted by the CAC (ie a regulatory approval process) to ensure that the data export does not endanger national security or the public interest.
💡 𝗥𝗲𝘀𝘁𝗿𝗶𝗰𝘁𝗶𝗼𝗻𝘀 - 𝗽𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗶𝗻𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻: In contrast, exporting personal information is less restricted. In fact, there are no specific restrictions on non-CIIO organisations exporting non-sensitive personal information of fewer than 100,000 people in any one calendar year. However, exporting sensitive personal information (eg biometrics, financial or medical data) is restricted, as is the export of non-sensitive personal information of 100,000 people or more in any one calendar year. Depending on the transfer scenarios (sensitivity and volume), one of three mechanisms - security assessment, standard contract or certification - must be implemented.
✅ ‘𝗡𝗲𝗰𝗲𝘀𝘀𝗶𝘁𝘆’ 𝗳𝗼𝗿 𝗽𝗲𝗿𝘀𝗼𝗻𝗮𝗹 𝗶𝗻𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻 𝗲𝘅𝗽𝗼𝗿𝘁: What is sometimes forgotten is the prerequisite that a data export of personal information must be ‘necessary’. The FAQs clarify that ‘necessity’ means the data export must directly relate to the processing purpose, have minimal adverse impact on the individuals, and adhere to the data minimisation and storage limitation principles.
🤝 𝗚𝘂𝗶𝗱𝗮𝗻𝗰𝗲 𝗳𝗼𝗿 𝗠𝗡𝗖𝘀: The FAQs also address the practical challenges faced by groups of companies in complying with China’s data export requirements. It suggests that a group’s parent company can apply for a security assessment or sign the standard contract on behalf of its subsidiaries, so as to reduce administrative burden. Additionally, the CAC is preparing the ‘certification’ mechanism, which will allow multinational groups to obtain a single certification from an accredited third party and eliminate the need for each group entity to sign and file separate standard contracts.
The different free trade zone in China can apply the relaxation rules on cross border data flow available in other free trade zone. In other words, companies in Shanghai Lin Gang Free Trade zone can also benefit from the relaxation rules available for companies in Beijing Free Trade Zone.