Exporting Data from China: A Practical Guide for Compliance

📅 25/03/2025

 

China's data export regime is in a state of flux. Since its initial introduction in 2021, the legal landscape has been continually evolving. The Regulation on Promoting and Regulating Cross-border Data Flows (Cross-border Data Flows Regulation), effective from March 2024, and the Regulations on the Management of Cyber Data Security that came into force in January 2025, have brought important changes to the regime. These new rules signal a shift towards streamlining compliance by clarifying when data export mechanisms are legally required, raising thresholds for triggering them, and introducing key exemptions.

 

This article provides a high-level overview of how to export data from China and comply with the evolving data export regulations.

What constitutes outbound transfer of data?

According to the Application Guide for Security Assessment of Data Export (Version 2), the following situations constitute data export activities:


•    transferring domestically collected or generated data in China to an overseas entity;
•    storing data domestically while allowing foreign entities/individuals to access, retrieve, download, or export it; and
•    activities that fall under Article 3 of the Personal Information Protection Law (PIPL), such as analysing and evaluating the behaviour of domestic natural persons in China and processing their personal information overseas.

When does data export occur? 

There are many scenarios in which a company may need to export data from China. The most common scenarios include sharing data between business operations in China and overseas, transferring employee information to overseas headquarters, and providing data for legal proceedings or regulatory enforcement actions in a foreign jurisdiction.

During day-to-day business operations, data export can occur when data collected by domestic enterprises or generated during their operations is stored directly on overseas servers, or when data stored on domestic servers is accessible for querying, retrieving, downloading, and exporting by overseas entities.

 

In the human resources management context, a transfer is deemed to occur when a China-based entity directly sends personal information of job applicants or employees to overseas parent companies, or when such information is uploaded to domestic servers and directly accessed by overseas parent companies.

 

Another common reason for exporting data is for legal proceedings in international disputes. Domestic enterprises may voluntarily provide, or be required to provide, domestically stored data or personal information to overseas judicial or law enforcement agencies as evidence.
 

What types of data are regulated under the data export regime?

China’s data export regime, operating under the legal framework consisting of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, primarily regulates the outbound transfer of “important data” and personal information, including “sensitive personal information”.

 

•    Important Data

 

The concept of important data is a cornerstone of China’s data export regime, as the transfer of this type of data requires the highest level of regulatory scrutiny and compliance checks. According to the Regulations on the Management of Cyber Data Security, important data refers to data within specific fields, groups, regions, or of a certain precision and scale, which, if tampered with, damaged, leaked, or illegally obtained or used, may directly endanger national security, economic operations, social stability, or public health and safety.

 

For the identification of important data, the national standard "Data Security Technology - Data Classification and Grading Rules" (GB/T 43697-2024) provides guidance on data classification and grading, and Appendix G offers guidance on identifying important data.

 

While these standards provide some guidance, they are not sufficiently detailed and specific. Currently, various regions and industries are developing more specific and actionable important data catalogues or guidelines tailored to their sectors.

 

The 2024 Cross-border Data Flows Regulation provides that if a data processor has not received notification from the relevant industrial or regional authorities that it processes important data, or if the types of data concerned have not been publicly declared as important data, it does not need to undergo security assessment. This will temporarily release data exporters from the obligations of the security assessment process regarding important data until the authorities define the scope.

 

It is recommended that companies continuously monitor the important data catalogues and lists that may be released by competent authorities, while maintaining active and transparent communication with competent authorities, so they can adjust their cross-border data strategies in a timely manner to avoid potential compliance risks.

 

•    Sensitive personal information

 

According to the PIPL, personal information refers to various information related to identified or identifiable natural persons recorded electronically or by other means, excluding anonymised information.

Sensitive personal information means personal information that, once leaked or illegally used, may easily harm the dignity of natural persons or endanger their personal or property safety, including biometric identification, religious beliefs, specific identities, medical health, financial accounts, and tracking information, as well as the personal information of minors under the age of 14.

 

Data export mechanisms and when they are triggered

China’s data export regulations mandate specific mechanisms based on whether the exporter is a critical information infrastructure operator (CIIO), and the type and volume of data being transferred. The three primary mechanisms are:

Exemptions

The Cross-border Data Flows Regulation introduces several exemptions from the requirements for security assessments, SCCs, and PIP certification. These exemptions aim to reduce the compliance burden on businesses while ensuring that data protection standards are maintained. When assessing whether an export mechanism applies, it is essential to check if any exemptions apply.

 

Here are the key exemptions:
•    Outbound transfer of data collected and generated in international trade, cross-border transportation, academic cooperation, multinational production, and marketing activities, where the data does not contain personal information or important data.
•    Outbound transfer of personal information that was collected and generated overseas by data processors, transferred to China for processing, and then exported overseas, without Chinese personal information or important data being introduced during the processing (known as “temporary transit”).
•    Outbound transfer of personal information, excluding important data, that is necessary for concluding or performing contracts to which the individual is a party, such as cross-border shopping, delivery, remittances, payments, account opening, ticket and hotel reservations, visa processing, and exam services.
•    Outbound transfer of employee personal information, excluding important data, that is necessary for cross-border human resources management under legally formulated labour rules and regulations and legally executed collective contracts.
•    Outbound transfer of personal information, excluding important data, that is necessary in emergencies to protect the life, health, and property safety of natural persons.
•    Outbound transfer, by data processors other than CIIOs, of the personal information of fewer than 100,000 individuals, excluding sensitive and important data, counted cumulatively from 1 January of the current year.
•    Outbound transfer of data outside the negative list by data processors within a free trade zone.

Other compliance tips

While the current data export regime specifies exemptions for transferring data from China without triggering the data export compliance mechanisms, it is still crucial for companies to adhere to the data protection principles outlined in the PIPL. This includes:
•    notification;
•    obtaining separate consent; 
•    conducting personal information protection impact assessments to evaluate the risks associated with the transfer; and
•    ensuring overseas recipients maintain the same level of personal information protection in the scenario of outbound personal information transfers.

In addition to important data and personal information, companies must consider other legal and regulatory restrictions or obligations specified in the laws of other relevant industries or sectors, such as the prohibition of exporting state secrets under the Law on the Protection of State Secrets. If human genetic resource information is involved, reporting to and submitting information backups to the science and technology department of the State Council are required under China’s Biosecurity Law.

 

 

 

 

 

Key contacts / Authors

Yuhua YANG: yuhua.yang@thornhill-legal.com

April XIAO: april.xiao@thornhill-legal.com

Rhea YU: rhea.yu@thornhill-legal.com

 


© Copyright Thornhill Legal Ltd. All rights reserved. 
