China’s New Rules to Ease Data Cross-border Transfer

On March 22, 2024, the Cyberspace Administration of China officially announced the Regulations on Facilitating and Regulating Cross-border Data Flow (“Regulations”) and took effect upon the date of announcement. According to the previous regulatory requirements for data outbound transfer, there are three main methods for data outbound transfer: security assessment, standard contract, and protection certification. The Regulations aim to facilitate the cross-border flow of data and further relax the conditions for cross-border flow of data. It has an important impact on corporate data outbound activities, which will be briefly interpreted in this article.

  1. 1. The Regulations contain exemptions from the prior supervision procedure in the following cases:

  1. (1) Cross-border transfer of data that does not contain personal information or important data in international trade, cross-border transportation, academic cooperation, cross-border manufacturing and marketing activities;
  2. Transit of personal information: personal information collected and generated overseas is transmitted to China for processing and then made available outside of China, and the processing does not introduce personal information or important data from China;

  1. (2) Necessary for the conclusion and performance of a contract to which the individual is a party, such as cross-border shopping, cross-border mailing, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa processing, and examination services;

  1. (3) Transfer of employees’ personal information based on human resource management needs;

  1. (4) To protect the life, health and property safety of natural persons in case of emergency;
  2. Non-critical information infrastructure operators (“general enterprises”) that have cumulatively provided less than 100,000 people’s personal information (excluding sensitive personal information) outside of China since January 1 of the year.

  1. 2. In the case of not being exempt from prior supervision, general enterprises should adopt the data outbound transfer system

(1) Since January 1 of the year, a total of more than 100,000 people and less than 1 million people to provide overseas personal information (excluding sensitive personal information) or less than 10,000 sensitive personal information, shall be in accordance with the law with the overseas recipient of personal information outbound standard contract or through the personal information protection certification;

(2) Since January 1 of the year, the personal information of more than 1 million people (excluding sensitive personal information) or the sensitive personal information of more than 10,000 people has been provided overseas, it shall be reported to the national cyberspace administration through the provincial internet information department where it is located and pass the security assessment for data outbound transfer.

3. Special policy space for Pilot Free Trade Zones

The Regulations state that the FTZs may, on their own, formulate a list of data that need to be included in the scope of management of data outbound security assessment, personal information outbound standard contract, and personal information protection certification, which is called the “negative list”. Data transfers outside the Negative List are exempt from prior supervision.

4. Other compliance obligations after exemption

Enterprises should be reminded that, regardless of whether there are circumstances or numbers of persons that can be exempted from security measures for data outbound transfer, Article 10 of the Regulations still emphasizes that if an enterprise provides personal information overseas, it shall still fulfill its obligations under the PIPL such as informing, obtaining the individual’s separate consent, conducting personal information protection impact assessment.

To sum up, the Regulations further establishes a regulatory framework to promote and regulate the free flow of data cross-border transfer, lowers the regulatory threshold for data outbound transfer by setting up a variety of exemptions, and optimizes the business environment for enterprises engaged in cross-border business. However, we suggest that enterprises still need to pay attention to data compliance management, combine with own business conditions, and adapt appropriate data processing practices to ensure data processing compliance.

Jennie Lin Jennie Lin

Jennie Lin

Junior Associate
Jennie Lin, a Junior Associate at D’Andrea & Partners Legal Counsel, is based in the Shanghai office.

Contact us for a
free consultation


This field is for validation purposes and should be left unchanged.
This site is registered on as a development site. Switch to a production site key to remove this banner.