Navigating China’s 2025 Data Regulations: Cross-Border Data Transfers

January 30, 2025

As we approach 2025, China’s data protection framework continues to evolve, significantly impacting multinational companies operating within its borders. The rapid advancements in data protection laws, driven by the Chinese government, are underpinned by crucial legislation: the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). These laws collectively govern the lifecycle of data processing in China, shaping business operations and cross-border data transfers. Businesses must navigate this complex regulatory environment to ensure compliance and streamline operations.

Provisions on Promoting and Regulating Cross-Border Data Flows

Introduction of CBDT Provisions

One of the significant developments in 2024 was the issuance of the Provisions on Promoting and Regulating Cross-Border Data Transfer (CBDT Provisions) by the Cyberspace Administration of China (CAC) on March 22, 2024. These provisions were positively received by the business community because they simplify the requirements for transferring data outside of Mainland China. Previously, companies had to complete formal mechanisms established by the PIPL for cross-border data transfers, which included conducting an official security assessment by the CAC, obtaining security certification from a third party, or executing standard contractual clauses (SCCs) with the receiving party. The new CBDT Provisions reduce the necessity for these mechanisms in several circumstances. This change is a welcome relief for many businesses, significantly decreasing the administrative burden and operational complexities involved in data transfers.

New Exemptions from the CBDT Mechanisms

Under the CBDT Provisions, specific scenarios are exempt from the previously mandatory CBDT mechanisms. These exemptions include the transfer of personal information (PI) collected or generated outside of China, as long as no Chinese PI or Important Data is introduced during the processing in China. Additionally, the transfer of PI necessary for entering into and performing a contract, such as cross-border shopping, delivery, and payment services, is exempt. Other exemptions cover the transfer of employee PI necessary for cross-border human resources management and the transfer of PI necessary for protecting life, health, or safety in emergencies. Further, the transfer of PI involving fewer than 100,000 individuals by non-CIIO processors within the current year, and the transfer of data that contains neither PI nor Important Data, are also exempt. These changes give businesses more flexibility in managing their data transfer needs and reduce the need for extensive compliance procedures.

Relaxed Thresholds for CBDT Mechanisms

Adjusted Thresholds for Security Reviews

The CBDT Provisions have also relaxed the thresholds at which the onerous CAC security review is triggered. Previously, transferring the PI of just 100,000 individuals in the preceding year would require a security review. The new provisions raise these thresholds, making it easier for businesses to comply with the regulations. No CBDT mechanism is required for transfers involving fewer than 100,000 individuals’ PI in the current year. Certification or SCCs are required for transfers involving 100,000 to one million individuals’ PI, or the sensitive PI of fewer than 10,000 individuals, within the current year. A CAC security assessment is required for transfers exceeding one million individuals’ PI, transfers of 10,000 or more individuals’ sensitive PI, transfers of any amount of Important Data, or transfers made by critical information infrastructure operators (CIIOs). This adjustment in thresholds is a significant shift, allowing businesses to navigate the regulatory landscape with greater ease and focus their resources on more critical aspects of their operations.

Network Data Security Regulations

Introduction and Objectives

On September 30, 2024, the CAC published the Network Data Security Regulations, which took effect on January 1, 2025. These regulations, initially introduced in 2021, represent the first administrative regulations-level legal instrument on data protection since the CSL, DSL, and PIPL. The regulations build on the CAC’s insights and experiences from the past three years and aim to mitigate challenges for businesses created by previous practices. By establishing clearer standards and providing more guidance on compliance, these regulations help companies better understand their obligations and implement necessary security measures. This approach aims to strike a balance between protecting data and facilitating business operations within China.

Clarifying Compliance and Important Data

The Network Data Security Regulations provide clearer guidelines for processors of Important Data, including the appointment of a network data security officer, establishment of a data security management organization, and the execution of risk assessments when sharing Important Data. Additionally, a National Data Security Coordination Mechanism will be established to develop catalogues of Important Data. Local and industrial regulators will identify Important Data within their jurisdictions, and network data processors will use these catalogues to report Important Data to corresponding regulators. These measures ensure that businesses have a structured approach to manage Important Data, enhancing their overall data security framework. By implementing these guidelines, companies can minimize the risk of data breaches and ensure compliance with China’s stringent data protection laws.

New Exemption Under Network Data Security Regulations

The Network Data Security Regulations introduce a new exemption beyond the CBDT Provisions, allowing companies to transfer PI necessary for performing statutory duties or obligations without undergoing the CBDT mechanisms. This exemption provides additional flexibility for businesses, enabling them to navigate the regulatory landscape more effectively. By leveraging this exemption, companies can simplify their data transfer processes and ensure that they meet their legal obligations without facing unnecessary administrative hurdles. This provision reflects China’s attempt to create a more business-friendly environment while maintaining high standards of data protection.

Obligations for Large-Scale Network Platform Service Providers

Definition and Requirements

The Network Data Security Regulations impose additional obligations on large-scale network platform service providers, defined as having over 50 million registered users or more than 10 million monthly active users. These providers, whose data processing activities significantly impact national security or public welfare, must conduct annual network risk assessments and publish an annual personal protection social responsibility report. This requirement ensures that large-scale providers maintain a high level of data security and transparency in their operations. By holding these entities to higher standards, the regulations aim to protect sensitive user data and prevent potential security threats that could arise from the extensive data processing activities of large-scale providers.

Regional and Policy Developments Supporting Cross-Border Data Transfers

Beijing Free Trade Zone Initiatives

2024 saw regional and policy initiatives to foster cross-border data transfers and bolster foreign investment. For instance, Beijing issued a “negative list” on August 30, 2024. Companies registered in the Beijing Free Trade Zone (FTZ) can freely transfer data not included in this list, which currently covers Important Data and PI in the automobile, medicine, retail, civil aviation, and artificial intelligence industries. This initiative aims to promote business activities and reduce regulatory hurdles for companies operating in these sectors. By streamlining data transfer processes, the Beijing FTZ creates a more conducive environment for innovation and international collaboration.

Moreover, on September 10, 2024, the CAC and the Macau Special Administrative Region (SAR) issued guidelines on SCC filing procedures for data transfers within the Greater Bay Area (GBA), aiding data flows between the Hong Kong SAR and nine Mainland cities, including Shenzhen. These guidelines facilitate smoother data transfers and compliance with existing regulations, enhancing the overall business ecosystem within the GBA. The collaboration between the CAC and Macau SAR underscores the importance of regional cooperation in addressing data protection challenges and promoting economic growth.

Actionable Takeaways for Businesses

In light of these regulatory shifts, businesses are advised to:

Evaluate exemptions: Examine data activities to determine eligibility for the new cross-border transfer exemptions, which can reduce the need for extensive security assessments.

Enhance compliance procedures: Update compliance protocols, especially for handling Important Data, to align with new requirements for risk assessments and data security reporting.

Leverage regional policies: Take advantage of industry-specific guidelines and exemptions in FTZs or the GBA to ease cross-border data handling.

Monitor emerging regulations: Stay informed about new data catalogues and sector-specific data security requirements to adjust long-term compliance strategies accordingly.

Conclusion

As we move closer to 2025, China’s data protection landscape is undergoing significant transformation, profoundly affecting multinational corporations operating within its jurisdiction. Spearheaded by the Chinese government, the rapid progress in data protection legislation is anchored by three pivotal laws: the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). Collectively, these regulations oversee all aspects of data processing within China, from inception to deletion, influencing both domestic business activities and international data exchanges. Companies operating in China must skillfully navigate this intricate regulatory framework to ensure they remain in compliance while optimizing their operations. Failing to adhere to these rigorous standards can result in severe penalties, tarnishing an organization’s reputation and financial standing. Thus, a thorough understanding and strategic approach to these evolving data protection laws are essential for any business aiming to succeed in the Chinese market.
