[Editor to fill: 200-word domain overview explaining the three transfer pathways, recent regulatory shifts, and why overseas readers should care.]
Cross-Border Data.
数据跨境
Rules governing the transfer of personal information and important data outside mainland China — including the security assessment, standard contract, and certification pathways.
The legal corpus.
22 laws.
- CN-SG Joint Guide China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter 中国—新加坡联合数据合规指引:实务手册(中国篇)
- RULE Measures for the Security Assessment of Data Export 数据出境安全评估办法
- RULE Provisions on Promoting and Regulating Cross-border Data Flows 促进和规范数据跨境流动规定
- REGULATION Regulation on Network Data Security Management 网络数据安全管理条例
- SCC Measures Measures on the Standard Contract for the Outbound Transfer of Personal Information 个人信息出境标准合同办法
- PIPL Personal Information Protection Law of the People's Republic of China 中华人民共和国个人信息保护法
- RULE Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (First Edition) 个人信息出境标准合同备案指南(第一版)
- RULE Measures for the Certification of the Cross-border Provision of Personal Information 个人信息出境认证办法
- RULE Cybersecurity Review Measures 网络安全审查办法
- DSL Data Security Law of the People's Republic of China 中华人民共和国数据安全法
- HGR Regulation Regulation of the People's Republic of China on the Administration of Human Genetic Resources 中华人民共和国人类遗传资源管理条例
- HGR Implementing Rules Implementing Rules for the Regulation on the Administration of Human Genetic Resources 人类遗传资源管理条例实施细则
- Automotive Data Provisions Several Provisions on Automotive Data Security Management (Trial) 汽车数据安全管理若干规定(试行)
- PI Certification Rules Implementation Rules for Personal Information Protection Certification 个人信息保护认证实施规则
- Data Export Declaration Guide (v3) Guidelines for the Declaration of Data Export Security Assessment (Third Edition) 数据出境安全评估申报指南(第三版)
- GBA (Mainland-Macao) SCC Guidelines Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Macao) 粤港澳大湾区(内地、澳门)个人信息跨境流动标准合同实施指引
- GBA (Mainland-Hong Kong) SCC Guidelines Implementation Guidelines for the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) 粤港澳大湾区(内地、香港)个人信息跨境流动标准合同实施指引
- FISR Measures Measures for the Security Review of Foreign Investments 外商投资安全审查办法
- STANDARD Guidelines for the Security of Automotive Data Export (2026 Edition) 汽车数据出境安全指引(2026版)
- GB/T 35273 (2026 draft) Data Security Technology — Personal Information Security Specification (2026 Draft for Comment) 数据安全技术 个人信息安全规范(征求意见稿)
- GB/T 46068 Data Security Technology — Security Certification Requirements for Cross-Border Processing of Personal Information (GB/T 46068-2025) 数据安全技术 个人信息跨境处理活动安全认证要求 (GB/T 46068-2025)
- Cybercrime Prevention Law (Draft) Cybercrime Prevention Law (Draft for Public Consultation) 网络犯罪防治法(征求意见稿)
In this domain.
13 briefs.
- § 01 · SECURITY-REVIEW
One Company, Four Reviews: JunHe Maps China's Security-Review 'Matrix' in the Security-First Era
With the Measures for Network Data Security Risk Assessment (Order No. 24) in place, China's security-review architecture has four operating pillars: foreign investment security review (NDRC + MOFCOM), cybersecurity review (CAC + 12 departments), data export security assessment (CAC), and the new normalized network data security risk assessment (CAC coordination + sectoral authorities). JunHe lawyer Chen Sijia walks each regime through the same five questions — who reviews, what is reviewed, when review is triggered, and with what legal consequences — and lands on two points overseas counsel should not miss. First, the four regimes differ in kind: the first three are ex-ante, admission-style reviews with veto power, while the risk assessment is an annual, improvement-oriented 'physical exam.' Second, review decisions are effectively final — the mainstream view treats them as final administrative acts with no administrative reconsideration or litigation available — so cooperation during the review is the only real strategy. A closing lifecycle walkthrough shows how a single AI-model company can trip all four lines in sequence: FDI review at fundraising, cybersecurity review at GPU procurement, export assessment at model training, cybersecurity review again at foreign listing, and the annual risk assessment as a standing duty.
- § 02 · CROSS-BORDER
The Negative-List Map, Region by Region: Ten Zones, Two Models, and the Year Data Export Went Province-Wide
As of July 2026, ten Chinese regions — nine free-trade zones plus the Hainan Free Trade Port — have published data-export negative lists under Article 6 of the 2024 Cross-border Data Flows Provisions, and this year Beijing and Shanghai took the mechanism province- and city-wide, off the FTZ footprint entirely. DCC's roundup maps the full set: which sectors each zone lists (from Tianjin's 13 commodity categories to Guangdong's smart-manufacturing and personal-credit fields, Chongqing's intelligent-connected-vehicle chain, and Jiangsu's biopharma-only list), the two management models that have crystallized — pre-export filing versus Shanghai and Guangdong's 'transfer-first, report-after' — and how an overseas team should read the map. Compiled from the CAC's national negative-list index and each region's official notice, and paired with DCC's new downloadable negative-list registry.
- § 03 · CROSS-BORDER
First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing
On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the Inditex group entity behind ZARA and Pull&Bear in China — received Shanghai's first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued under the Shanghai Data-Export Negative List Administrative Measures, cleared jointly by the Shanghai CAC and the Shanghai Data Bureau after same-day district-level initial review at the Jing'an District Cross-Border Data Service Center. The practical effect: member-information exports that previously sat in Data Export Security Assessment territory now clear on a Personal Information Standard Contract filing. DCC reads the case as the first operational proof of Shanghai's two policy moves — negative-list eligibility extended citywide beyond Pudong-registered enterprises, and volume thresholds inside listed scenarios (retail member management) raised so that non-sensitive member data between 1 and 10 million individuals falls to the standard-contract/certification tier. For overseas retail groups running membership programs out of China, this is the template case.
- § 04 · GBT-35273
From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard
On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.
- § 05 · ENFORCEMENT
Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases
In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.
- § 06 · HEALTH-DATA
China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures
On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.
- § 07 · ANONYMIZATION
From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative
The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.
- § 08 · IMPORTANT-DATA
'Important Data' Is a Category, Not a Tier
Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack.
- § 09 · FOREIGN-INVESTMENT-SECURITY-REVIEW
Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export
Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.
- § 10 · CROSS-BORDER
Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense
When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.
- § 11 · CROSS-BORDER
Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet
Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.
- § 12 · IMPORTANT-DATA
How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan
Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.
- § 13 · CROSS-BORDER
FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data
Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.