China Further Clarifies Its Outbound Data Flow Policy
The CAC has continued to clarify its outbound data flow policy. It reviewed recent inquiries and published a set of representative questions and answers to address common concerns.
Q&A on outbound data flow policy
The National Internet Information Office continues to strengthen the promotion of policies on data exit security management, guiding and assisting data processors to carry out cross-border data activities efficiently and in compliance. Based on research into recent inquiries received, some representative questions and corresponding responses are published as follows.
How should one understand the design of China’s data exit security management system?
As cross-border data flows become increasingly common, many countries and regions around the world have, based on their own circumstances, engaged in institutional explorations of the security management of cross-border data flows and have introduced a series of laws, regulations, and standards. The establishment of a data exit security management system in China is mandated by law. The Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law all make clear legal provisions regarding data exit activities. These provisions do not apply to all data but are limited to important data and personal information. For important data that must be transferred abroad, the law provides an institutional framework: if, after a data exit security assessment, it is determined that the outbound data will not endanger national security or public interests, the data may be transmitted abroad. With respect to the cross-border transfer of personal information, the law stipulates several mechanisms including data exit security assessments, personal information protection certifications, and standard contracts for personal information exit. Overall, the legal provisions governing data exit management in China aim to ensure the secure and free flow of data needed by enterprises operating in China while imposing necessary oversight on personal information and important data involving national security and public policy objectives. 
In principle, general data that does not involve personal information or important data can flow freely across borders, and important data and personal information that reach a specified volume may be transferred abroad once they have successfully passed the data exit security assessment.
To implement these legal provisions, the National Internet Information Office has successively issued and implemented the Measures for Data Exit Security Assessment, the Measures for Standard Contracts for Personal Information Exit, and the Regulations on Promoting and Regulating Cross-Border Data Flows. In addition, it has issued the Announcement on the Implementation of Personal Information Protection Certification along with supplementary certification rules. These measures clearly delineate the implementation paths for data exit security assessments, standard contracts for personal information exit, and personal information protection certification, and the authorities have been coordinating with local governments and various departments to carry out data exit security management in an orderly manner in accordance with the law.
How can consistency be ensured in the formulation of data exit negative lists by different Free Trade Pilot Zones?
The Regulations on Promoting and Regulating Cross-Border Data Flows explicitly state that under the framework of the national data classification and grading protection system, Free Trade Pilot Zones may develop their own data exit negative lists. These lists require approval by the provincial-level cybersecurity and informatization committees and must be filed with the national cyberspace administration and the National Data Administration before implementation. Outbound transfers of data not included on the negative list will be exempt from undergoing a security assessment, drafting a standard contract, or obtaining protection certification. This represents an innovative measure designed to facilitate cross-border data flows in the Free Trade Pilot Zones. In the process of formulating negative lists, the relevant authorities will be fully consulted. At the time of filing the negative list, the National Internet Information Office, together with the National Data Administration, will review the list. In cases involving the same field, if one Free Trade Pilot Zone has already issued a negative list, other zones may adopt the same list instead of drafting their own, thereby ensuring that the standards of the negative lists across different Free Trade Pilot Zones are consistent and aligned with the requirements of the national data classification and grading protection system.
How can the scope of the Free Trade Pilot Zone data exit negative lists be expanded to cover more fields?
In the implementation of the Regulations on Promoting and Regulating Cross-Border Data Flows, the National Internet Information Office and the National Data Administration have successively completed the filing of data exit negative lists for Free Trade Pilot Zones (and Free Trade Ports) in Tianjin, Beijing, Hainan, Shanghai, Zhejiang, and other regions. These negative lists have promoted cross-border data flows in 17 fields, including automobiles, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industries, and seed industries. The National Internet Information Office, in coordination with the relevant departments, is currently guiding each Free Trade Pilot Zone to develop data exit negative lists tailored to their own industrial development characteristics. As more negative lists are published and implemented, the range of covered fields is expected to expand further. For updates on the publication and implementation of Free Trade Pilot Zone data exit negative lists, one may refer to the official website of the National Internet Information Office (www.cac.gov.cn) as well as the websites of the relevant local Free Trade Pilot Zones.
How should the necessity of cross-border transfer of personal information be understood and determined?
Article 6 of the Personal Information Protection Law stipulates that "Personal information should be processed for a clear and reasonable purpose, and in a manner directly related to that purpose, with measures taken to minimize the impact on individual rights. The collection of personal information should be limited to the minimum scope necessary to achieve the purpose of processing and should not involve excessive collection." Furthermore, Article 19 states that "Unless otherwise provided by law or administrative regulations, the retention period of personal information shall be limited to the minimum period necessary to achieve the purpose of processing."
Based on these legal provisions, the factors to be considered in determining “necessity” include: direct relevance to the processing purpose; minimizing the impact on individual rights; limiting collection to the smallest scope necessary to achieve the processing purpose; and retaining data for only the minimum period required to fulfill that purpose. In line with these legal requirements, when conducting data exit security assessments, the National Internet Information Office will fully consider the business scenarios and actual needs declared by data processors and will evaluate the necessity of personal information for cross-border transfer. The assessment will mainly focus on the necessity of the activity itself, the need relative to the number of individuals affected, and the scope of personal information data items involved.
Since cross-border data transfer involves many industries, the National Internet Information Office, in collaboration with the relevant industry authorities, will gradually further refine and specify the business scenarios for data exit and the necessary scope for the cross-border transfer of personal information for particular industries, thereby providing more detailed policy guidance for enterprises and institutions.
How can one identify important data?
According to Article 62 of the Measures for Cyber Data Security Management, "Important data" refers to data from specific fields, groups, or regions or data that reaches a certain level of precision and scale such that if it were tampered with, damaged, leaked, or illegally obtained or used, it could directly endanger national security, economic operation, social stability, or public health and safety. Appendix G, “Guidelines for Identifying Important Data,” of the Data Security Technology—Data Classification and Grading Rules (GB/T 43697-2024) provides methods for identifying important data. Data processors may use the relevant laws, technical standards, and other criteria to identify and declare important data.
Does the designation of important data mean that it cannot be transferred abroad?
For important data that must be transferred abroad, the law provides an institutional arrangement whereby, if a data exit security assessment determines that the transfer will not jeopardize national security or the public interest, it may proceed. As of March 2025, the National Internet Information Office had completed 298 data exit security assessment projects. Among these, 44 projects involved the declaration of important data. Out of these projects, 7 were not approved, representing a non-approval rate of 15.9%. Furthermore, these 44 projects involved 509 important data items, of which 325 items were approved for outbound transfer after assessment, accounting for 63.9% of the total declared data items.
It is particularly noted that according to the Regulations on Promoting and Regulating Cross-Border Data Flows, if a data processor declares important data in accordance with the relevant regulations and such data have not been notified or publicly released as important data by the relevant departments or regions, then the data processor is not required to declare these as important data in the data exit security assessment.
How can foreign-funded enterprises play a role in the industry standardization process?
The National Internet Information Office guides relevant professional institutions to place high importance on and actively encourage the participation of both domestic and foreign enterprises in the development of industry technical standards, ensuring that the standard-setting process fully considers the needs of both domestic and international stakeholders.
First, the participation mechanism is open and transparent. The National Internet Information Office directs the National Cybersecurity Standardization Technical Committee to adhere to the principles of open cooperation and broad participation, continuously soliciting working group members from the public. Committee members and the members of its working groups include a representative group of foreign-funded enterprises, which, like domestic enterprises, enjoy equal rights and obligations in the standardization and consultation processes. As full members of the working groups, foreign-funded enterprises can participate in every stage of the standard development and fully express their opinions and suggestions.
Second, the procedures for standard-setting are open and transparent. By publicly soliciting standard requirements and the names of organizations participating in the drafting, and by inviting public comments on draft standards, all stakeholders are ensured an opportunity to participate fairly and impartially in the standardization process.
Do group companies have more convenient channels for the cross-border transmission of personal information?
On one hand, if multiple domestic subsidiaries belong to the same group company and share similar data exit business scenarios, the group company can act as the applicant to consolidate the submission of the data exit security assessment or filing of standard contracts for personal information exit, thereby improving the efficiency of data exit activities. On the other hand, the National Internet Information Office is promoting the introduction of administrative measures for personal information exit protection certification. These measures will guide third-party professional certification bodies to certify cross-border personal information exit activities. With certification granted to either the domestic enterprise or the overseas recipient, the enterprise can conduct cross-border transfers of personal information within the certified scope. For multinational groups that have been certified, cross-border transfers of personal information can be carried out internally without needing to separately sign standard contracts with each of the country-specific subsidiaries.
Is there a specific process for applying for an extension of the validity period of a data exit security assessment result?
The Regulations on Promoting and Regulating Cross-Border Data Flows have extended the validity period of data exit security assessment results from the original two years to three years. It is also specified that if, upon the expiration of the validity period, the data processor still intends to continue cross-border data activities and there has been no occurrence that necessitates re-submission of a data exit security assessment, the data processor may apply to extend the validity of the assessment result. This application must be submitted through the local provincial cyberspace administration, to the national cyberspace administration, at least 60 working days before the current validity period expires. With the approval of the national cyberspace administration, the validity period may be extended by an additional three years. Presently, the National Internet Information Office is actively soliciting opinions from various parties and accelerating the study of the process for extending the validity of assessment results. There is a plan to clarify this through revised policy documents, thus creating more convenient conditions for enterprises and institutions to transfer data abroad.