China's recent data export regulations, updated on March 22, have somewhat eased the control over the cross-border transfer of data, particularly personal information. This update has exempted personal information involved in individual-initiated cross-border services transactions—like cross-border shopping and payments—from compliance requirements. This shift appears to favour global corporations with operations in China, especially in the realm of global human resources management, which now faces fewer regulatory hurdles for transferring personal information abroad.

Yet, a less obvious but crucial concern for foreign businesses in China involves company-initiated cross-border transactions, which remain subject to China’s stringent data flow regulations. As some experts have rightly pointed out, despite operating within China, the branches of global companies maintain close ties with their foreign headquarters across various domains, including product design, daily operations, human resources (specifically recruitment, compensation, promotion, training, etc.), and IT systems (email, working platforms, travel applications, etc.). Even products that require local maintenance (such as vehicles and medical equipment) involve maintenance data being reported back to the foreign headquarters, and there may also be cases where replacement parts need to be sourced from abroad.

Additionally, global companies rely on a strategic overall layout of global supply chains to achieve effective cost control and efficiency improvements. Thus, they often establish internal institutions or select suppliers worldwide according to the comparative advantages of certain countries or regions. For example, they might opt for IT remote technology services based in India, R&D centres based in China, and vehicle quality analysis and recall decision-making bodies based in Germany, among others. Such a model heavily depends on close cooperation with suppliers and service providers around the globe to maintain smooth operations.

All the above means that a large volume of data frequently flows across borders. Therefore, data export rules (including data localization) for global companies are not just a matter of data storage, but involve a comprehensive adjustment of supply chain service teams and operational models. Consequently, global companies usually have two major concerns in terms of data export rules of a country: first, whether and to what extent their business and management models will need to change; and second, even if there is no need to change existing models, what the compliance costs will be.

Unfortunately, China's new data rules did not provide exemption to these scenarios, and it might make global companies feel that the new data rules are somewhat of a mixed blessing.

Assuming that the headquarters of a foreign company decides to procure office collaboration software provided by another non-Chinese company (for example, Microsoft's Office 365 ) for use in its branches worldwide to achieve efficient real-time international work collaboration. Since the servers for Office365 are located overseas, the use of this software by employees in the Chinese branch will inevitably involve the transfer of personal information related to employees/customers/suppliers etc., abroad. Since the outbound transfer of personal information in the context of cross-border collaborative work cannot be interpreted as necessary for "cross-border human resources management," the "exemptions" in the new data export rule cannot apply.

Even under the B2C context, an individual purchases a piece of clothing from a foreign company at an offline shop in China. The company, through its Chinese branch, intends to transfer some personal information of its Chinese members to its overseas headquarters for analysis and to decide on advertising strategies. In this scenario, the individual is one party to the clothing purchase contract, and the company's Chinese branch is the other party. Regardless of whether the individual consumer is aware that their personal information will be transferred abroad for analysis, the data processing activity per se cannot be considered "necessary for the performance of the clothing purchase contract," since both the purchase and the delivery of the clothing occur within China. Therefore, the "exemptions" in the regulations cannot apply either.