[Editor to fill: 200-word domain overview explaining the three transfer pathways, recent regulatory shifts, and why overseas readers should care.]
§ DOMAIN · CROSS-BORDER DATA
Cross-Border Data.
数据跨境
Rules governing the transfer of personal information and important data outside mainland China — including the security assessment, standard contract, and certification pathways.
The legal corpus.
11 laws.
- CN-SG Joint Guide China–Singapore Joint Data Compliance Guide: Practical Handbook — China Chapter 中国—新加坡联合数据合规指引:实务手册(中国篇)
- RULE Measures for the Security Assessment of Data Export 数据出境安全评估办法
- RULE Provisions on Promoting and Regulating Cross-border Data Flows 促进和规范数据跨境流动规定
- REGULATION Regulation on Network Data Security Management 网络数据安全管理条例
- SCC Measures Measures on the Standard Contract for the Outbound Transfer of Personal Information 个人信息出境标准合同办法
- PIPL Personal Information Protection Law of the People's Republic of China 中华人民共和国个人信息保护法
- RULE Guide to the Filing of the Standard Contract for Outbound Transfer of Personal Information (First Edition) 个人信息出境标准合同备案指南(第一版)
- RULE Measures for the Certification of the Cross-border Provision of Personal Information 个人信息出境认证办法
- RULE Cybersecurity Review Measures 网络安全审查办法
- DSL Data Security Law of the People's Republic of China 中华人民共和国数据安全法
- FISR Measures Measures for the Security Review of Foreign Investments 外商投资安全审查办法
In this domain.
7 briefs.
- § 01 · ANONYMIZATION
From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative
The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.
- § 02 · IMPORTANT-DATA
'Important Data' Is a Category, Not a Tier
Hong Yanqing argues the mainstream reading of Article 21 of the Data Security Law confuses enterprise asset-inventory language with state-level legal-interest protection — with real consequences for cross-border transfers, enforcement, and how PIPL and DSL stack.
- § 03 · FOREIGN-INVESTMENT-SECURITY-REVIEW
Why China Used Foreign Investment Security Review on Manus — Not Tech or Data Export
Hong Yanqing on Beijing's banning of Meta's Manus acquisition. The regulator's choice of pathway — Foreign Investment Security Review, not Technology or Data Export — signals a shift from 'transaction-level' to 'capability-level' oversight of frontier AI projects, with implications for any overseas tech investment touching China.
- § 04 · CROSS-BORDER
Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense
When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.
- § 05 · CROSS-BORDER
Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet
Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.
- § 06 · IMPORTANT-DATA
How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan
Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.
- § 07 · CROSS-BORDER
FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data
Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.