On April 9, 2025, The Cyberspace Administration of China (CAC) released a Question & Answer to address common questions regarding data export security management policies. This Q&A aims to help the data processors strengthen their understanding of the best compliance practices in cross-border data activities. The Q&A consists of three parts, and this is the part 2.

Before starting to read the Q&A, a list of China’s current laws and regulations regarding data security is provided below to help reader gain a structured overview of China’s current legal framework:

Question 4: How should the necessity of personal information export be understood and assessed?

Answer:

Article 6 of the Personal Information Protection Law (PIPL) stipulates that “the processing of personal information should have a clear and reasonable purpose, be directly related to the purpose of processing, and adopt methods that have the minimal impact on individual rights. The collection of personal information should be limited to the minimum scope necessary to achieve the purpose of processing, and excessive collection of personal information is prohibited.”

Article 19 stipulates that “unless otherwise provided by laws or administrative regulations, the retention period of personal information should be the shortest time necessary to achieve the purpose of processing.”

Based on the above legal provisions, the factors for determining “necessity” include being directly related to the purpose of processing, minimizing the impact on individual rights, limiting to the minimum scope necessary to achieve the purpose of processing, and retaining personal information for the shortest time necessary to achieve the purpose of processing. To implement the legal requirements, the CAC will fully consider the business scenarios and actual needs declared by data processors during its data export security assessment process. It will evaluate the necessity of personal information transfers abroad, with key assessment points including the necessity of the outbound activity itself, the necessity of the scale of individuals involved, and the necessity of the scope of personal information data items transferred abroad.

Numerous industries and fields involve cross-border data transfer. The CAC, in collaboration with relevant industry regulators, will gradually refine and clarify specific business scenarios for data export and the necessary scope of personal information transfers in various industries, providing more detailed policy guidance for enterprises and institutions conducting data outbound transfer.

Question 5: How can important data be identified?

Answer:

According to Article 62 of the Regulations on Network Data Security Management, important data refers to data in specific domains, groups, or regions, or data of certain precision and scale, whose compromise could directly threaten national security, economic operations, social stability, or public health and safety. GB/T 43697-2024 The Data Security Technology – Data Classification and Grading Rules provides guidelines for identifying important data, enabling data processors to classify and report such data in compliance with laws and standards.

Question 6: Does important data mean it cannot be transferred abroad?

Answer:

For important data that indeed needs to be transferred abroad, the law provides a regulatory framework. If the data export security assessment determines that the transfer will not harm national security or public interest, the data can be transferred abroad.

As of March 2025, the CAC has completed 298 data export security assessment projects. Among these, 44 applications involved important data, with seven failing the assessment, resulting in a failure rate of 15.9%.

These 44 applications covered 509 important data items, of which 325 were approved for export after assessment, accounting for 63.9% of the total number of declared data items.

Access to Part 1 & 3

Access to the original Q&A in Chinese

https://www.cac.gov.cn/2025-04/09/c_1745906286623776.htm