){kind=logo}
China’s primary data regulator, the Cyberspace Administration of China (CAC), released two sets of Q&As with respect to exporting data from China, one in April and one in May. The questions were selected from those raised through the CAC’s hotline, opened specifically to respond to inquiries about security assessments of outbound data transfer as well as filing standard contracts for the export of personal information, spread over 32 provinces, municipalities and autonomous regions.
In April’s guidance, the CAC starts by explaining China’s legislation hierarchy for data export, with the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law laying the foundation, and with the implementing rules, such as the Security Assessment Measures for Data Provision Abroad, the Measures on the Standard Contract for Outbound Transfer of Personal Information and the Provisions on Promoting and Regulating Cross-border Data Flows, providing the next level of guidance. More importantly, the CAC points out that these laws and rules only cover the “necessary regulation” over data export that involves national security and public policy implications, and average data that is irrelevant to personal information or critical data is free to move across the border.
The message from the CAC seems to be that China is promoting the free flow of information as opposed to limiting any foreign companies in China from sharing data overseas.
Importantly, the CAC addresses questions on the often-asked topic of “important data.” In April’s guidance, the CAC briefly clarified that important data should be identified based on Appendix G to the Rules of Classification and Grading of Important Data. The CAC followed up with its May guidance to elaborate on the specific process for identifying important data as well as how important data can be exported in compliance with the law.
In this regard, because the burden of issuing specific guidance on how to identify important data lies with each industry’s regulator, the CAC said in its May guidance that each department is drafting its own industry standard. For example, the Ministry of Industry and Information Technology has issued its Guidelines for Identifying Important Data in the Industrial Sector and Guidelines for Identifying Important Data in the Telecommunications Sector, the Ministry of Natural Resources has issued its Guidelines for the Classification and Grading of Geographic Information Data (Trial) and the National Bureau of Statistics has issued its Statistical Data Security Management Measures.
The CAC also grants a safe harbor to data processors in cases where there is no public standard on identification of important data and the data processor is not informed by relevant departments that it should identify and report important data. Under the safe harbor, the data processor is exempt from any administrative penalties for failing to identify and report important data.
However, if the data processor has been informed that it possesses important data and it wants to continue exporting such data, it must submit a security assessment within two months of the notice.
In its May guidance, the CAC reiterated that important data does not by itself mean no export at all will be permitted. To support this assertion, the CAC reported that as of March 2025, it had completed 298 data outbound security assessment projects, of which 44 reported projects involved important data and, of those, seven failed the assessment—a failure rate of 15.9%. The 44 reported projects involved 509 important data items, of which 325 were allowed to leave China after the assessment, accounting for 63.9% of the total number of reported data items.
Once again, the CAC is messaging support for exporting data outside China.
The CAC continues to discuss how to ensure consistency of negative lists for data export among different free trade zones (FTZs)—the 21 strategically located areas designated to implement preferential policies to attract foreign investment and promote international trade—and how to expand these negative lists to cover more industries in order to give clear guidance. Per the CAC, in 2025, FTZs in Zhejiang, Hainan, Shanghai, Beijing and Tianjin have released their negative lists for data export.
Also in the May guidance, the CAC specifically emphasized involving foreign companies in China in drafting industry standards, and announced that a company is allowed to declare one copy of the security assessment for similar data transfer activities on behalf of its affiliates within China, saving its affiliates the effort of each making its own declarations. Finally, the CAC promised to quickly provide the process of extending the valid period of one security assessment.
All in all, the April and May guidance both reflect the CAC’s ongoing efforts to facilitate foreign companies exporting data abroad. We are keeping a close eye on the next set of guidance from the CAC.
-
Counsel