
The provisions of Chinese law on data outbound transfer are intended to ensure the security and free flow of cross-border data for enterprises in China for legitimate business purposes, while also conducting necessary supervision over the cross-border flow of personal information and important data involving national security and public policy objectives, China's top cyberspace regulator said on Wednesday.
In an online post in response to questions regarding China's regulation on outbound transfer of data, the Cyberspace Administration of China (CAC) said that China's relevant regulations do not apply to all data, but only to important data and personal information.
The CAC clarified that only "important data" and "personal information" that involves specified quantities will be subject to outbound security assessments. General data, which does not fall into these categories, will be allowed to flow freely across borders.
As cross-border data flows become increasingly frequent, many countries and regions have explored institutional arrangements for the security management of cross-border data flows based on their conditions, and they have formulated laws, regulations, rules and standards, said the CAC.
China's establishment of an outbound data security management system is stipulated by law, based on provisions such as the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. These laws specify that important data and personal information are subject to specific management requirements, said the CAC.
One of the most notable innovations introduced by the CAC is the implementation of negative lists in free trade zones (FTZs) in locations such as Tianjin, Beijing, Hainan, Shanghai and Zhejiang. These lists identify specific types of data that require assessment or contractual agreements for outbound transfers and cover 17 sectors including vehicles, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industries and seed industries.
Data not included on these negative lists are exempt from such requirements, facilitating smoother cross-border data flows, according to the CAC.
In addition to these efforts, the CAC is working on streamlining the process by extending the validity period of data outbound security assessments from two to three years. This move is expected to create more convenient conditions for enterprises and institutions to conduct cross-border data transfers.
This comprehensive approach is expected to enhance compliance and facilitate digital trade, particularly in FTZs, positioning China as a leader in data governance and digital innovation, Wang Peng, an associate research fellow at the Beijing Academy of Social Sciences, told the Global Times on Wednesday.
As of March 2025, the CAC had completed 298 outbound data security assessments. Among them, 44 projects involving important data saw seven failures (a 15.9 percent failure rate). Of the 509 important data items assessed, 63.9 percent were approved for outbound transfers.
These figures highlight the rigorous yet balanced approach of the CAC in ensuring data security while facilitating necessary data flows, said Wang.
The CAC said it also encourages foreign-invested enterprises to participate in the formulation of industry technical standards, ensuring that the standard-setting process is open and transparent.
"By enhancing openness and security in cross-border data flows, these regulations seek to attract foreign investment, thereby fostering stable and high-quality economic development," Wang added.