Cross-Border Data Transfers Official Q&A (II)
China’s cybersecurity regulator recently released the second cross-border data transfer Q&A. This updated guide highlights important procedures around identifying and reporting important data, security assessments, and timelines, helping businesses stay compliant amid tightening enforcement.
To support data processors in conducting cross-border data activities efficiently and in compliance with national regulations, on May 30, 2025, China’s Cyberspace Administration (CAC) released another Q&A guidance addressing common questions about important data identification and outbound data transfer requirements.
This was the second official Q&A released by the cybersecurity regulator this year—the first one was released on April 9, 2025.
Below is a summary of two key issues clarified in the latest policy Q&A.
Q1: What is the process for identifying and declaring important data?
A: According to Article 21 of the Data Security Law, a national coordination mechanism is responsible for organizing the development of important data catalogs and strengthening protection. Regional and industry authorities are tasked with determining important data under their jurisdiction, based on China’s classified and graded data protection system.
Per Article 29 of the Regulations on Network Data Security Management, network data processors must identify and report important data in accordance with national regulations. Once data is confirmed as important, the relevant authorities will inform the data processor directly or publish the information.
To implement these legal requirements, competent authorities in various industries are formulating detailed classification standards and reporting rules. Several sectors have already released official guidance, such as:
- Manufacturing: Guidelines for Identifying Important Data in the Industrial Sector
- Telecommunications: Telecom Sector Important Data Identification Guidelines
- Natural resources: Geographic Information Data Classification and Grading Guidelines (Trial)
- Statistics: Statistical Data Security Management Measures
Other departments may communicate rules through meetings, internal documents, or direct notifications.
Data processors must follow the applicable standards, report important data accordingly, and fulfill their legal responsibilities if notified that their data is categorized as important.
If no identification standards have been released for a particular sector, and a processor has not been notified to declare data as important, failure to identify or report such data will not be considered a violation, and no penalties will be imposed.
Q2: How can companies legally transfer important data outside of China?
A: Under Article 37 of the Cybersecurity Law, Article 31 of the Data Security Law, and Article 37 of the Regulations on Network Data Security Management, important data collected or generated in China that must be transferred abroad is subject to a security assessment organized by the CAC.
Processors should refer to the official Outbound Data Security Assessment Application Guide published by the CAC for details on the procedure. If the data passes the assessment, indicating no risk to national security or public interest, it may be legally transferred abroad.
Key compliance points include:
- Only data that is confirmed as important data, either through direct notification or public announcement, requires a mandatory security assessment.
- If a company has not been informed that its data is important and the data has not been publicly listed, outbound transfers of that data do not require assessment and will not be penalized.
- If data is confirmed as important, and the company intends to continue transferring it abroad, it must apply for a CAC security assessment within two months of being notified or the data being published as important.
Once the assessment is complete, the data processor must follow the results and recommendations issued by the CAC to ensure compliance and protect data security.
Takeaway for businesses
Both foreign and domestic companies should closely monitor regulatory updates in their industry regarding data classification and reporting obligations. For businesses handling potentially sensitive or large volumes of data, proactive communication with local authorities and legal teams is essential to avoid compliance risks in cross-border data activities.
Read more: China Clarifies Cross-Border Data Transfer Rules: Key Takeaways from Official Q&A (I)
About Us
China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates. For a complimentary subscription to China Briefing’s content products, please click here.
Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.
- Previous Article China Monthly Tax Brief: May 2025
- Next Article US-China Relations in the Trump 2.0 Era: A Timeline