Interpretation of China’s Data Export Security Governance Regime
Published 19 April 2025
Sarah Xuan
In April 2025, the Cyberspace Administration of China (CAC) released a policy Q&A addressing key issues frequently raised by enterprises and various stakeholders regarding data export compliance. This document not only clarifies the legal framework in force but also reflects the regulator’s pragmatic and flexible approach in implementation.
This article analyzes the key contents of the Q&A from the perspectives of institutional design, compliance mechanisms, innovation in pilot free trade zones, and the handling of personal information and important data. The aim is to help enterprises and practitioners accurately understand China’s data export regulatory landscape and its evolving trajectory.
I. System Design: Classified Supervision to Ensure Orderly Cross-Border Data Flow
The architecture of China’s data export regime is grounded in three cornerstone laws: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. These collectively establish a fundamental regulatory principle characterized by classification-based governance, risk-oriented oversight, and rule-of-law administration. Similar to many major jurisdictions, China does not impose blanket restrictions on all outbound data transfers. Rather, it focuses regulation on important data and personal information, while generally allowing ordinary data to flow freely across borders.
From a compliance perspective, the legal framework offers multiple paths for lawful data export: security assessments for outbound data transfers, standard contracts for personal information exports, and certification for personal information protection. Based on this framework, CAC has successively introduced the Measures for Security Assessment of Data Exports, the Measures on Standard Contracts for Personal Information Export, and the Provisions on Promoting and Regulating Cross-Border Data Flows. It has also issued the Announcement on the Implementation of Personal Information Protection Certification. These supporting regulations constitute a comprehensive regime that responds to national security and public interest concerns, while providing enterprises with a clearly defined path for cross-border business activities.
II. Policy Innovation in Pilot Free Trade Zones: Unlocking Data Flow via the Negative List Mechanism
To enhance institutional flexibility and deepen regional reform, the Provisions on Promoting and Regulating Cross-Border Data Flows explicitly authorize pilot free trade zones (FTZs) to formulate region-specific negative lists for data export, within the overarching framework of China’s national data classification and hierarchical protection system. Data not included on these negative lists may be transmitted abroad without undergoing security assessments, signing standard contracts, or passing personal information protection certification.
To ensure the scientific rigor and consistency of this mechanism, any negative list must be approved by the provincial-level cyberspace administration committee and filed with the CAC and the national data governance authority. If a negative list has already been issued for a given industry or sector by one FTZ, others may refer to and adopt it without developing duplicative lists. This approach effectively ensures the standardization and replicability of the negative list model nationwide.
As of April 2025, FTZs in Beijing, Shanghai, Tianjin, Hainan, and Zhejiang have completed the filing of their negative lists. These cover 17 industries, including automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industries, and seed breeding. Looking ahead, the CAC will continue to support local FTZs in aligning their lists with local industrial priorities, gradually expanding the range of sectors covered. This mechanism is expected to substantially accelerate the orderly openness of China’s cross-border data flows.
III. Determining the “Necessity” of Personal Information Export: Anchored in the Principle of Minimization
On the issue of personal information export, the Q&A reiterates the core principle of “minimum necessity” as enshrined in the Personal Information Protection Law. Specifically, whether a cross-border transfer of personal information is necessary must be evaluated based on four criteria:
1. Whether it is directly related to the processing purpose;
2. Whether it is carried out in a way that minimally impacts personal rights and interests;
3. Whether the scope of data collected is limited to what is necessary to achieve the processing purpose;
4. Whether the retention period is the shortest necessary for the stated purpose.
These standards are not only codified in law but are also integral to the security assessment process conducted by the CAC. When assessing the necessity of personal data exports, the CAC will examine the business scenario provided by the enterprise, focusing on the essentiality of the transfer, the scale of affected individuals, and the appropriateness of the data fields involved.
Furthermore, the CAC is collaborating with sectoral regulators to develop industry-specific guidance on typical data export scenarios and corresponding scopes of necessity. These refined guidelines—particularly in finance, healthcare, and automotive sectors—will significantly enhance the clarity and feasibility of compliance for enterprises.
IV. Identifying and Managing Important Data: Strict Definition, Prudent Assessment, and Conditional Approval
Regarding the concept of important data, the CAC references Article 62 of the Regulation on Network Data Security Management and the newly issued national standard GB/T 43697-2024, specifically Appendix G titled Guide for Identifying Important Data. These documents define important data as data which, if tampered with, destroyed, leaked, or misused, may directly endanger national security, economic operations, social stability, or public health and safety.
Importantly, the policy clarifies that important data is not absolutely prohibited from cross-border transfer. As long as a data exporter passes the mandatory security assessment and is deemed not to pose risks to national security or public interest, the data may be legally transmitted abroad.
According to statistics released by the CAC as of March 2025, a total of 298 security assessment projects have been completed, 44 projects involved important data, and 7 applications were denied, reflecting a 15.9% rejection rate. Among 509 important data items submitted, 325 were approved for export, yielding a 63.9% approval rate. Notably, if a data processor has not been notified or publicly informed by competent authorities that the data in question constitutes “important data,” there is no obligation to declare it as such during the export security assessment. This provision significantly reduces the compliance burden on enterprises while ensuring critical protections remain intact.
V. Inclusive Standard-Setting: Ensuring Equal Participation for Foreign-Invested Enterprises
The policy Q&A emphasizes that foreign-invested enterprises (FIEs) enjoy equal rights and responsibilities in the formulation of industry technical standards. The Cyberspace Administration of China places a high priority on openness, transparency, and broad participation in this process.
Specifically, the National Information Security Standardization Technical Committee, under the guidance of the CAC, has adopted a long-standing policy of publicly soliciting working group members, ensuring that a diverse range of stakeholders, including FIEs, is involved. Once admitted, foreign companies enjoy the same participation rights as domestic entities, including full engagement in discussions, drafting, and the provision of feedback throughout the standard development lifecycle. In addition, draft standards are subject to public comment and review, ensuring procedural fairness and allowing all parties to voice their concerns and suggestions. This inclusive framework not only aligns Chinese standards with international practices but also enhances the institutional transparency and global compatibility of China’s data governance regime.
VI. Optimizing Compliance Channels for Multinational Corporate Groups
The CAC also addressed the practical issue of how multinational enterprise groups can streamline personal data export compliance. Two key facilitation measures have been introduced:
1. Centralized Assessment Filing: When multiple subsidiaries of a group company engage in similar cross-border data transfer scenarios, the parent company may file a consolidated security assessment or standard contract application on behalf of its subsidiaries. This measure significantly improves efficiency and reduces the procedural burden.
2. Cross-Border Certification Mechanism: The CAC is in the process of advancing personal information protection certification, wherein qualified third-party institutions evaluate the data export practices of enterprises. Once either the domestic exporter or overseas recipient obtains certification, the certified entity may carry out cross-border data transfers within the scope of certification without needing to sign a separate standard contract for each transfer.
VII. Extended Validity for Data Export Security Assessments
In a move to enhance regulatory predictability and reduce compliance friction, the CAC has revised the validity period of data export security assessment results. The period has been extended from two years to three years, providing enterprises with a longer window of certainty. If an enterprise wishes to continue data export activities beyond the original validity period, and if no substantive changes in the data processing activities or risk profile have occurred, the enterprise may apply for an extension. The application must be submitted at least 60 working days before expiration, via the local provincial-level cyberspace authority. Upon approval, the validity period may be extended by another three years, enabling a maximum validity of six years.
The CAC has also indicated it is working to further refine the extension process through updated policy documents. This will provide enterprises with clearer, more operable procedures and further promote a stable and business-friendly regulatory environment.
[Comment]
In conclusion, the April 2025 Q&A issued by the Cyberspace Administration of China offers not only a comprehensive summary of the existing legal framework, but also pragmatic guidance on compliance implementation. As regulatory mechanisms, technical standards, and sector-specific guidelines continue to evolve, corporate compliance practices will become increasingly clear, actionable, and predictable. Enterprises are strongly advised to closely monitor the latest publications by the CAC and related authorities, and to proactively align their data governance practices with the current regulatory landscape.