On April 9, 2025, the Cyberspace Administration of China (CAC) released a Question & Answer (Q&A) document addressing common questions about data export security management policies. The Q&A aims to help data processors strengthen their understanding of best compliance practices in cross-border data activities. It consists of three parts; this is Part 1.

Before the Q&A itself, a list of China’s current laws and regulations regarding data security is provided below to give readers a structured overview of China’s current legal framework:

 

Question 1: How should we understand the design of China’s data export security management system?

Answer:

As cross-border data flows become more frequent, many countries and regions have explored regulatory frameworks based on their specific circumstances, enacting laws and standards to manage cross-border data flows.

China’s data export security management system is established by law. The Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL) provide clear legal provisions for cross-border data activities.

These rules apply only to important data and personal information. For important data that must be transferred abroad, legal provisions allow it to be exported if a security assessment confirms it poses no threat to national security or public interests. For personal information export, multiple pathways are available, including security assessments, protection certifications, and standard contracts.

Overall, China’s legal framework aims to ensure the secure and free cross-border flow of data for businesses while imposing necessary oversight on data involving national security and public policy objectives. General data not involving personal information or important data can flow freely across borders, while important data and personal information meeting specified thresholds can be legally transferred after passing a security assessment.


Question 2: How can consistency in the standards for negative lists of cross-border data flow across free trade zones be ensured?

Answer:

The Provisions on Promoting and Regulating Cross-Border Data Flows allow free trade zones to develop their own negative lists under the national data classification and grading protection framework.

These lists are approved by provincial cybersecurity and informatization committees and filed with the CAC and the National Data Administration. Data outside the lists is exempt from security assessments, standard contracts, and certification. This is an innovative measure to facilitate cross-border data flows in free trade zones.

During development, relevant authorities’ opinions are sought, and the CAC and National Data Administration review the lists during filing. If a list already exists for a specific sector, other free trade zones can adopt it without duplication. This ensures alignment with national data protection requirements and consistency across zones.


Question 3: How can the scope of negative lists for cross-border data flows in free trade zones be expanded to cover more sectors?

Answer:

In line with the Provisions on Promoting and Regulating Cross-Border Data Flows, the CAC and the National Data Administration have completed filings for negative lists in free trade zones (ports) in Tianjin, Beijing, Hainan, Shanghai, and Zhejiang, promoting cross-border data flows in 17 sectors such as automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep sea, and the seed industry. The figure below shows the 17 affected sectors.

The CAC is guiding free trade zones to develop lists based on their industrial characteristics, with coverage expected to broaden as more lists are implemented. Updates can be monitored on the CAC website (www.cac.gov.cn) and relevant local free trade zone websites.


Access to the original Q&A in Chinese

https://www.cac.gov.cn/2025-04/09/c_1745906286623776.htm