Connect with us
China Clarifies Cross-Border Data Transfer Regulations: Essential Insights from Official Q&A China Clarifies Cross-Border Data Transfer Regulations: Essential Insights from Official Q&A

China

China Clarifies Cross-Border Data Transfer Regulations: Essential Insights from Official Q&A

Published

on

On April 9, 2025, China’s CAC released a Q&A clarifying cross-border data transfer policies. It details compliance for data exports, emphasizes general data can flow freely, and distinguishes between general and important data, aiding multinational businesses in navigating regulations.


On April 9, 2025, China’s Cyberspace Administration (CAC) released a Q&A on Data Cross-Border Security Management Policies (hereinafter, “cross-border data transfer Q&A”), offering practical interpretations of how companies can comply with China’s evolving framework for cross-border data transfer. The cross-border data transfer Q&A clarifies implementation details for key systems, including data export security assessments, standard contracts for personal information exports, and certification mechanisms.

While the document does not introduce any new laws or signal a broad regulatory easing, it provides important clarifications on several areas that have posed challenges for businesses, especially multinational companies. It sheds light on how “general data” can flow freely across borders, how companies should assess the necessity of personal information exports, and what qualifies as “important data.”

The cross-border data transfer Q&A states that “general data that does not involve personal information or important data can flow freely across borders”.

Regulations on the handling of general data have not been explicitly stipulated in any of China’s main data laws – including the Cybersecurity Law, the Data Security Law, or the Personal Information Protection Law – nor is it mentioned in regulations specifically on cross-border data transfer.

It is mentioned in some industry-specific regulations on data security and export, such as the Measures for Data Security Management in the Field of Industry and Information Technology (Trial Implementation). These measures require industrial and telecom companies to organize data into three categories – important, core, and general data – for data security purposes. Core and important data are subject to stricter regulations, including mandatory domestic storage within China and a required security assessment prior to export.

These regulations have been interpreted to mean that general data is not subject to the same stringent requirements, although the texts do not explicitly confirm this. The CAC’s clarification—that general data can be transferred freely across borders—is therefore significant, as it eliminates any uncertainty surrounding the validity of this interpretation.


This article was first published by China Briefing , which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in in ChinaHong KongVietnamSingapore, and India . Readers may write to info@dezshira.com for more support.

Read the rest of the original article.