MHP Observation of New Trends in Cross-border Data Transmission

I. Introduction

In recent years, China has been building a progressively robust and well-structured legal framework for cross-border data transmission. The trifecta of the Cybersecurity Law, the Personal Information Protection Law, and the Data Security Law forms a solid legislative foundation. Additionally, a series of supporting regulations, rules, and technical guidelines have been introduced by the State Council, the Cyberspace Administration of China (CAC), and other relevant departments, such as The Regulations on the Protection of the Security of Critical Information Infrastructure, The Data Export Security Assessment Measures, Measures on the Standard Contract for Outbound Transfer of Personal Information. These measures not only establish a tiered and categorized regulatory pathway for data export but also promote the implementation of data localization, the principle of minimality, and data export declaration mechanisms in practice by enterprises.

The evolution of this regulatory logic focus-from 'security at all costs' to 'encouraging compliant and orderly data flows as long as security is not infringed'reflects China's intent to strike a balance between safeguarding data sovereignty and participating in the global digital economy. The Q&A on Cross-border Data Transfer Security Management Policy (April 2025) (hereinafter referred to as the "2025 Q&A") further interprets and refines the aforementioned legal framework in practical applications. The following is a summary of the key points from the 2025 Q&A.

II. Key Points of 2025 Q&A

In April 2025, the CAC released the 2025 Q&A, which comprises nine questions and answers. It covers various aspects such as institutional design and legal framework, negative list management in pilot free trade zones, personal information export management, important data management, industry standard formulation and foreign enterprise participation, group company cross-border transmission reporting facilitation measures, and the extension of the validity period of data export security assessment results. The 2025 Q&A summarizes some experiences and issues from China's data export security management system in recent years.

(1) Addressing the Consistency of Negative List Standards

Article 2 of the 2025 Q&A discusses the issue of consistency in negative list standards established by different free trade pilot zones and proposes solutions. The Regulations on Promoting and Regulating Cross-border Data Flows, promulgated in March 2024, specifies that free trade pilot zones may establish their own negative lists for data export within the national data classification and grading protection system. However, discrepancies exist in the focus of negative lists formulated and published by different pilot zones. For instance, the Notice on the Issuance of the Free Trade Pilot Zone Data Export Negative List Management Measures and Negative List (2024 Edition) by the Shanghai Cyberspace Administration and four other departments includes important data and personal information in reinsurance, international shipping, and trade sectors (retail and catering, accommodation); the Administrative List for Data Export in the China (Zhejiang) Pilot Free Trade Zone (Negative List) (2024 Edition) encompasses important data and personal information in the business-to-business e-commerce and clearing and settlement sectors.

In practice, enterprises may select free trade pilot zones that offer more convenient conditions for personal information data export by establishing enterprises in relevant zones. To ensure consistency in negative lists across different pilot zones, the 2025 Q&A suggests that if a negative list has already been published for a specific sector by one pilot zone, other pilot zones should refer to it instead of formulating their own. Nonetheless, further clarification is needed in practice on how other pilot zones should refer to the existing negative list for the same sector.

(2) Enhancing the Efficiency of Cross-border Personal Information Transmission in Group Companies

Article 8 of the Q&A provides convenience for group companies in cross-border personal information transmission. Within a group company structure, several domestic affiliated companies often transmit personal information to overseas affiliates or headquarters. If each enterprise were to submit filings individually, it would affect the efficiency of data export from enterprises. The 2025 Q&A clarifies that if multiple domestic subsidiaries under the same group company have similar data export scenarios, the group company may act as the reporting entity to submit a consolidated data export security assessment or file a standard contract for personal information export. However, the definition of a group company within a group is not clear. Which enterprise entity can act as the group company and become the reporting entity still needs to be confirmed with the relevant cyberspace administration departments in practice. After a telephone consultation with the Shanghai Data Cross-border Business Hotline of the Cyberspace Administration, it was learned that when a group company is not an independently existing entity, other subsidiaries that need to report collectively may designate one subsidiary as the reporting entity through a power of attorney to handle joint reporting matters for data export. For example, if the designated subsidiary is located in the Shanghai Free Trade Zone and other subsidiaries participating in the joint reporting are outside the zone, the reporting process should follow the regulations of the Shanghai Free Trade Zone. For instance, if subsidiaries that need to report collectively are located in Shandong and the designated reporting subsidiary is in Shanghai, even if the Shandong subsidiary is not a free trade zone enterprise, the reporting should comply with the regulations of the Shanghai Free Trade Zone. Furthermore, the 2025 Q&A discloses that relevant management measures for personal information export protection certification are being promoted[1]. Multinational groups that pass the certification may conduct personal information export activities within the group without the need to sign separate standard contracts for personal information export with each subsidiary.

(3) Summarizing and Refining Judgment Standards and Operational Processes

The 2025 Q&A summarizes and refines certain judgment standards and operational processes, enabling data processors to have clearer guidelines for cross-border information transmission. 

Article 4 of the Q&A specifies that the judgment standards for the "necessity" of personal information export include four aspects: being directly related to the processing purpose, having the least impact on individuals' rights and interests, being limited to the smallest scope necessary to achieve the processing purpose, and having a retention period that is the shortest necessary to achieve the processing purpose. The CAC will fully consider the business scenarios and actual needs of data processors in conducting data export security assessments and will assess the necessity of personal information export. The assessment will focus on the necessity of the export activity itself, the scale of individuals involved, and the scope of personal information data items. The CAC, in conjunction with relevant industry authorities, is gradually refining specific industry and field data export business scenarios and the necessary scope of personal information export to provide more detailed policy guidance for enterprises and institutions conducting data export. 

Article 5 of the 2025 Q&A clarifies the identification and reporting of "important data" in accordance with relevant laws, regulations, and technical standards, such as the Regulations on the Management of Network Data Security and the GB/T 43697-2024 Data security technology — Rules for data classification and grading, Annex G, Guidelines for Identification of Important Data. Additionally, Article 9 of the 2025 Q&A summarizes the process for applying for an extension of the validity period of data export security assessment results and discloses that the CAC is actively soliciting opinions from all parties to accelerate research on the process for extending the validity period of assessment results. It plans to revise and issue relevant policy documents to provide clearer guidance and create more favorable conditions for enterprises and institutions conducting data export.

III. Impacts of New Regulations and Trends

The new regulations and trends summarized in the 2025 Q&A have significant impacts on enterprises of different sizes. For small and medium-sized enterprises (SMEs), the overall trend presents numerous advantages. On one hand, the promotion of consistency in negative list standards is expected to reduce the compliance confusion and costs that enterprises may encounter when conducting business in different free trade pilot zones. On the other hand, measures such as extending the validity period of data export security assessment results and refining operational processes also bring substantial convenience to SMEs. These measures provide clearer guidelines for SMEs in the cross-border transmission of personal information and data, thereby reducing compliance costs.

For large group companies, enhancing the efficiency of cross-border personal information transmission is particularly crucial. Consolidated reporting and the promotion of certification measures optimize the data export process, reduce repetitive work, improve overall work efficiency, and enhance the flexibility of internal data flows within the group. This helps enterprises conduct business more efficiently on a global scale and further boosts their international competitiveness. Furthermore, with the continuous refinement of judgment standards and operational processes, both SMEs and large group companies can conduct cross-border data transmission in a more compliant manner. This not only helps enterprises avoid potential legal risks but also strengthens their confidence and stability in data export, providing robust support for their international development.

In response to the aforementioned new regulations and trends, it is recommended that:

• Enterprises first comprehensively review their cross-border data business scenarios and data types to clarify whether they involve the export of important data or personal information.

• Second, enterprises should closely monitor the dynamics of negative lists in different free trade pilot zones and select appropriate zones for conducting business based on their business locations and data types.

• Third, enterprises should actively research personal information protection certification, understand and evaluate the process and costs of such certification, and choose a data export method that suits their needs.

• Finally, enterprises should establish internal cross-border data compliance management systems, regularly conduct employee training and compliance audits, and ensure that cross-border data activities consistently comply with legal and regulatory requirements.

【1】 In January 2025, the Cyberspace Administration of China (CAC) issued Personal Information Protection Certification for Cross-border Data Transfers (Draft for Comments). In November 2022, the Cyberspace Administration of China and the State Administration for Market Regulation (SAMR) jointly released Announcement on the Implementation of Personal Information Protection Certification.