Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · PROVISIONS ON PROMOTING AND REGULATING CROSS-BORDER DATA FLOWS

Provisions on Promoting and Regulating Cross-border Data Flows.

促进和规范数据跨境流动规定

Promulgated by: Cyberspace Administration of China (CAC).
Document No.: Decree No. 16 of the Cyberspace Administration of China.
Adopted at the 26th executive meeting in 2023 of the CAC on November 28, 2023.
Promulgated and effective March 22, 2024.
Zhuang Rongwen, Minister of CAC.


Article 1. In order to protect data security, protect personal information rights and interests, and promote the orderly and free flow of data in accordance with the law, these Provisions are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other relevant laws and regulations for the implementation of systems for provision of data abroad, such as security assessment for data to be provided abroad, the standard contract for provision of personal information abroad and personal information protection authentication.

Article 2. Data handlers shall identify and declare important data in accordance with relevant provisions. If the data have not been informed or publicly announced as important data by relevant departments or regions, data handlers are not required to declare security assessment for cross-border provision of the data as important data.

Article 3. To provide the data collected and generated in such activities as international trade, cross-border transport, academic cooperation, transnational manufacturing and marketing, which do not contain personal information or important data, to overseas parties, it is exempted from declaring security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing authentication for protection of personal information.

Article 4. Where a data handler provides personal information collected and generated abroad to overseas parties after being provided to China for processing, and no domestic personal information or important data is introduced in the process of processing, the data handler is exempted from declaring security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing authentication for protection of personal information.

Article 5. A data handler providing personal information abroad may be exempted from declaring security assessment for data to be provided abroad, concluding a standard contract for personal information to be provided abroad or passing authentication for protection of personal information if it satisfies any of the following conditions: 1. Where it is really necessary to provide personal information abroad for the purpose of concluding or performing a contract to which an individual concerned is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa handling and examination services; 2. Where it is really necessary to provide employees’ personal information abroad for the purpose of conducting cross-border human resources management in accordance with the employment rules and regulations formulated in accordance with the law and collective contracts concluded in accordance with the law; 3. Where it is really necessary to provide personal information abroad in an emergency to protect the life, health and property safety of a natural person; or 4. Where a data handler other than a critical information infrastructure operator provides abroad the personal information (excluding sensitive personal information) of not more than 100,000 persons accumulatively as of January 1 of the current year. For the purpose of the preceding paragraph, “personal information provided abroad” does not include important data.

Article 6. Under the framework of the national system for classified and hierarchical protection of data, pilot free trade zones may, at their own discretion, formulate lists of data that need to be included in the scope of administration of security assessment for providing data abroad, the standard contract for providing personal information abroad and authentication for personal information protection (hereinafter referred to as the “negative list” in short), which shall be filed with the national cyberspace administration and the national data administration for the record upon approval by the cyberspace administration at the provincial level. Any data handler in a pilot free trade zone providing overseas parties with any data not included in the negative list may be exempted from declaring a security assessment for providing data abroad, concluding a standard contract for providing personal information abroad or passing authentication for personal information protection.

Article 7. To provide data abroad, any data handler shall declare security assessment for providing data abroad to the national cyberspace administration through the cyberspace administration authority at the provincial level at its locality if it satisfies either of the following condition: 1. Where a critical information infrastructure operator provides personal information or important data abroad; or 2. Where any data handler other than a critical information infrastructure operator provides important data abroad or, as of January 1 of the current year, provides personal information (excluding sensitive personal information) of not less than 1 million people or sensitive personal information of not less than 10,000 people in aggregate to overseas parties. Where the circumstance falls under the provisions of Article 3, 4, 5 1 1 or 6 hereof, such provisions shall apply.

Article 8. Where any data handler other than a critical information infrastructure operator provides abroad the 1 personal information (excluding sensitive personal information) of not less than 100,000 but not more than 1 million persons, or the sensitive personal information of not 100 more than 10,000 persons, accumulatively as of January 1 of the current year, it shall conclude a standard contract with 1 overseas recipients for provision of personal information abroad or go through the authentication on protection of personal information in accordance with the law. Where the circumstance falls under the provisions of Article 3, 4, 5 or 6 hereof, such provisions shall apply.

Article 9. The result of security assessment for providing data abroad remains valid for three years, commencing from the 3 date of issuance of the assessment result. Where it is necessary to continue providing the data abroad and there is no circumstance requiring re-declaration for security assessment for the data abroad upon expiry of the period of validity, the data handler may, within 60 workdays by the expiry of the period of validity, apply to the national cyberspace administration through the local cyberspace administration at the provincial level for extending the period 60 of validity of the assessment result. Upon approval by the national cyberspace administration, the period of validity of the assessment result may be extended by three years. 3

Article 10. To provide personal information abroad, a data handler shall, in accordance with laws and administrative regulations, perform obligations such as notification, obtaining individual consent and conducting assessment of impact of personal information protection.

Article 11. Any data handler providing data abroad shall abide by the provisions of laws and regulations, perform data security protection obligations, and take technical and other necessary measures to ensure the security of data to be provided abroad. If a data security incident occurs or may occur, the data handler shall take remedial measures, and report to the cyberspace administration at the provincial level or above and other competent authorities in a timely manner.

Article 12. Local cyberspace administrations shall strengthen guidance and supervision over the cross-border provision of data by data handlers, improve the security assessment system for data to be provided abroad, and optimize the assessment process; they shall also strengthen the whole- chain and full-range regulation before the event, during the event and after the event, and require the data handler to make rectifications and eliminate hidden dangers if it is found that there are relatively high risks in the data to be provided abroad or that a data security incident has occurred; and the data handler shall be investigated for legal liability according to the law if it refuses to make rectifications or the accident has caused serious consequences.

Article 13. In case of any discrepancy between these Provisions and the relevant provisions such as the Security Assessment Measures for Data Provision Abroad (Decree No. 11 of the Cyberspace Administration of China) promulgated 11 on July 7, 2022 and the Measures on Standard Contracts for 2023 2 22 Cross-border Provision of Personal Information (Decree No. 13 of the Cyberspace Administration of China) promulgated on February 22, 2023, these Provisions shall prevail. 13

Article 14. These Provisions shall come into force as of the date of promulgation.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

8 briefs reference this law.

  • § 01 · CROSS-BORDER

    The Negative-List Map, Region by Region: Ten Zones, Two Models, and the Year Data Export Went Province-Wide

    As of July 2026, ten Chinese regions — nine free-trade zones plus the Hainan Free Trade Port — have published data-export negative lists under Article 6 of the 2024 Cross-border Data Flows Provisions, and this year Beijing and Shanghai took the mechanism province- and city-wide, off the FTZ footprint entirely. DCC's roundup maps the full set: which sectors each zone lists (from Tianjin's 13 commodity categories to Guangdong's smart-manufacturing and personal-credit fields, Chongqing's intelligent-connected-vehicle chain, and Jiangsu's biopharma-only list), the two management models that have crystallized — pre-export filing versus Shanghai and Guangdong's 'transfer-first, report-after' — and how an overseas team should read the map. Compiled from the CAC's national negative-list index and each region's official notice, and paired with DCC's new downloadable negative-list registry.

    cross-border · negative-list · ftz-negative-list
  • § 02 · CROSS-BORDER

    First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing

    On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the Inditex group entity behind ZARA and Pull&Bear in China — received Shanghai's first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued under the Shanghai Data-Export Negative List Administrative Measures, cleared jointly by the Shanghai CAC and the Shanghai Data Bureau after same-day district-level initial review at the Jing'an District Cross-Border Data Service Center. The practical effect: member-information exports that previously sat in Data Export Security Assessment territory now clear on a Personal Information Standard Contract filing. DCC reads the case as the first operational proof of Shanghai's two policy moves — negative-list eligibility extended citywide beyond Pudong-registered enterprises, and volume thresholds inside listed scenarios (retail member management) raised so that non-sensitive member data between 1 and 10 million individuals falls to the standard-contract/certification tier. For overseas retail groups running membership programs out of China, this is the template case.

    cross-border · negative-list · shanghai
  • § 03 · ENFORCEMENT

    Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases

    In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.

    enforcement · cross-border-data · pipl
  • § 04 · HEALTH-DATA

    China's Hospitals Get Their Own Data Rulebook: Reading the 2026 Healthcare Data Security & PI Measures

    On 12 February 2026 five agencies — the National Health Commission, the Ministry of Public Security, the Cyberspace Administration of China, the National Administration of Traditional Chinese Medicine, and the National Disease Control and Prevention Administration — jointly issued the Measures for the Administration of Data Security and Personal Information Protection of Healthcare Institutions (Trial). It is the first operational, sector-specific rulebook that turns the Data Security Law, PIPL, and the Network Data Security Regulation into concrete hospital obligations: a three-tier core/important/general data classification keyed to MLPS levels and commercial cryptography; a five-pillar full-lifecycle security system; a ten-item data prohibition list and an eight-item personal-information prohibition list; heightened protection for special groups; limits on facial recognition and AI; and a real enforcement chain running from named-person accountability through regulatory interviews, administrative penalties, civil tort liability, and criminal referral. DCC reads it for overseas pharma, medtech, and hospital-JV counsel — with the cross-border choke point and its academic-cooperation carve-out as the parts that most affect global clinical-data flows.

    health-data · healthcare · data-classification
  • § 05 · CROSS-BORDER

    Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense

    When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.

    cross-border · data-sovereignty · mlat
  • § 06 · CROSS-BORDER

    Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet

    Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.

    cross-border · trusted-data-space · confidential-computing
  • § 07 · IMPORTANT-DATA

    How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan

    Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.

    important-data · data-classification · cross-border
  • § 08 · CROSS-BORDER

    FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data

    Article 6 of the 2024 CBDF Provisions authorized Free Trade Zones to publish data-export negative lists. Since then, Tianjin, Beijing, Hainan, Shanghai, Zhejiang and others have published negative lists covering 17 sectors — automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, and more. Compliance Talker's analysis walks through the structural convergence of the negative lists, the important-data identification refinements each FTZ has produced, and the operational impact on enterprises both inside and outside the FTZs.

    cross-border · important-data · ftz-negative-list
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →