How Businesses Can Navigate China’s Data Regulations in 2025

Publication | 01.28.25

The People’s Republic of China’s data protection laws have evolved rapidly in recent years, reflecting the global trend towards greater data privacy and security. The cornerstone of this legal framework has been a trio of measures: the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). These three laws collectively govern the whole lifecycle of data processing.

As we approach 2025, data protection remains a focus for the Chinese government and multinational companies alike, with significant developments that reshape and streamline cross-border data transfers and other compliance requirements. Here, we review key updates from 2024, offering practical insights into China’s evolving regulatory landscape and its impact on business.

Provisions on Promoting and Regulating Cross-Border Data Flows

On March 22, 2024, the Cyberspace Administration of China (CAC) issued the long-awaited Provisions on Promoting and Regulating Cross-Border Data Transfer (CBDT Provisions). The Provisions were welcomed by the business community, as they significantly lessen the cases in which companies need to complete the formal mechanisms established in the PIPL to transfer data outside of Mainland China, which had been: an official security assessment by the CAC, a security certification by a third party, or execution of the standard contractual clauses (SCCs) with the receiving party (collectively, CBDT Mechanisms).

New Exemptions from the CBDT Mechanisms

Under the CBDT Provisions, a company need not meet any of the three CBDT Mechanisms in the following circumstances:

  1. Transfer of personal information (PI) that is collected or generated outside of China, provided that no Chinese PI or Important Data is introduced during the processing in China.
  2. Transfer of PI that is necessary for entering into and performing a contract to which the individual transferor is a party, such as cross-border shopping, delivery, remittances and payment, bank account opening, air ticket or hotel reservations, visa processing, or exam services.
  3. Transfer of employee PI that is necessary for implementing cross-border human resources management in accordance with lawfully formulated labor or employment policies or signed collective contracts.
  4. Transfer of PI that is necessary for protecting the life, health, or safety of persons in emergencies.
  5. Transfer of PI of less than 100,000 individuals by non-CIIO (critical infrastructure information operator) processors in the current year.
  6. Transfer of data that does not contain PI or Important Data.

Relaxed Thresholds for CBDT Mechanisms

Prior to the CBDT Provisions, the volume threshold for an onerous CAC security review was relatively low—transferring only 100,000 individuals’ PI since January 1 of the preceding year. Transfer of PI below this threshold triggered SCCs or security certification. Now, the CBDT Provisions significantly relax these thresholds as follows:

No CBDT Mechanism at all required for:

  • Transfers of PI of less than 100,000 individuals in the current year.

Certifications or SCCs are required for:

  • Transfers of PI ranging from 100,000 to one million individuals in the current year; or
  • Transfers of sensitive PI of less than 10,000 individuals in the current

A CAC security assessment is required for:

  • Transfers of PI exceeding one million individuals in the current year;
  • Transfers of sensitive PI of 10,000 individuals or more in the current year;
  • Transfers of any amount of Important Data; or
  • Transfers made by

Network Data Security Regulations

Published on September 30, 2024, and effective January 1, 2025, the Network Data Security Regulations were first introduced by the CAC in 2021. They are the first administrative regulations-level legal instrument on data protection since the three fundamental laws noted above. As such, they supersede any rules previously issued by the CAC. That said, the Regulations reflect insights and experience that the CAC has obtained over the past three years, particularly where prior practices sometimes created challenges for businesses.

Clarifying Compliance and Important Data 

The Regulations provide more detail on how processors of Important Data can meet their obligations, including regarding the appointment of a network data security officer, establishment of a data security management organization, and conducting risk assessments when providing and sharing Important Data with other parties.

Under the Regulations, a National Data Security Coordination Mechanism will be established to develop catalogues of Important Data. Local and industrial regulators are tasked to identify and safeguard Important Data within their jurisdictions or industries. Network data processors must use these catalogues to identify and report Important Data to the corresponding regulators.

In addition, the Regulations clarify that processing PI of more than 10 million individuals triggers the same requirements as processing Important Data. By contrast, the draft Regulations had set the threshold at only PI of one million individuals.

Additional Exemption from the CBDT Mechanisms

The Regulations introduced a new exemption beyond those under the new CBDT Provisions. The new exemption allows companies to transfer PI necessary to perform statutory duties or obligations without going through any of the CBDT Mechanisms.

Additional Obligations for Large-Scale Network Platform Service Providers

The Regulations impose additional compliance obligations on network platform service providers, defined as having over 50 million registered users or more than 10 million monthly active users, with complex business types whose network data processing activity significantly impacts national security, economic operations, or public welfare. Large-scale network platform service providers are now required to conduct annual network risk assessments and publish an annual personal protection social responsibility report.

Regional and Policy Developments to Support Cross-Border Data Transfers

In 2024, China introduced a range of regional and policy-based initiatives in strategic markets to further ease cross-border data transfers and support foreign investment.

For instance, on August 30, 2024, Beijing issued a “negative list,” where only transfers of data on the negative list must comply with corresponding CBDT Mechanisms. Currently, the negative list covers transfers of Important Data and PI by companies in five industries: automobiles, medicine, retail, civil aviation, and artificial intelligence. Data not included in the negative list can be freely transferred out of China by companies registered in the Beijing Free Trade Zone (FTZ).

On September 10, 2024, the CAC and the Macau Special Administrative Region (SAR) jointly issued guidelines on SCC filing procedures for data flows within the Greater Bay Area (GBA). Prior to this, the CAC had issued similar guidelines to facilitate and streamline cross-border data flows between the Hong Kong SAR and nine Mainland cities in the GBA, including the tech hub Shenzhen.

Actionable Takeaways for Businesses

In 2024, China witnessed a series of regulatory shifts that balance stringent compliance with practical flexibility, providing opportunities for companies to reduce administrative burdens. Here’s how businesses can adapt:

Evaluate Exemptions for Cross-Border Transfers: Review data activities to determine eligibility for the new cross-border PI transfer exemptions. Utilizing these exemptions can help reduce the need for time-consuming security assessments and streamline data flows across borders.

Enhance Compliance Procedures: Companies handling Important Data should update their compliance protocols, including their risk assessments and data security reporting. Ensuring that key personnel understand China’s new compliance standards will be critical for seamless operations.

Leverage Regional Policies: For businesses in the FTZs or GBA, taking advantage of industry-specific guidelines and exemptions can further ease cross-border data handling. Businesses should regularly monitor updates to FTZ policies to remain aligned with any regional changes.

Monitor Emerging Regulations: Anticipate further sector-specific data security requirements. Staying informed on new data catalogues or proposed guidelines can help align long-term compliance strategies with China’s evolving regulatory priorities.