China’s Renewed Cross-Border Data Transfer Regime

Contributors

Aman Rehan

Data Privacy Analyst

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia

Introduction

China, being one of the most populous countries in the world, is considered a highly attractive data source. However, its cross-border data transfer (CBDT) regime was considered strict and rigid and drew criticism for the compliance burden it imposed. On 22 March 2024, the Cyberspace Administration of China (CAC) enacted the Regulations on Promoting and Regulating Cross-Border Data Flows (the Regulations). The main aim of the provisions is to relax the previous CBDT regime. More notably, according to a circular published by the State Council entitled “Action Plan for Solidly Promoting High-Level Opening Up and Attracting and Utilizing Foreign Investment More Aggressively,” the Chinese government is working toward greater foreign investment. The proposed measures included support for data flows between foreign companies and their overseas headquarters, in particular with respect to research, development, production and sales.

The CAC has also issued the second edition of guidelines for filing standard contracts and for filing applications for security assessment with the CAC, and a press release entitled “Answers to Reporters’ Questions” containing additional explanation of the new rules. These rules supersede any previous provisions related to the CBDT regime in China to the extent of any inconsistency.

China’s Existing Cross-Border Data Transfer Regime

As stated in Article 1 of the Regulations, they are formulated to implement the CBDT system in China, which consists of the following three compliance mechanisms for entities:

  • Data export security assessment.
  • Personal information export standard contractual clauses (SCCs).
  • Personal information protection certification (certification).

Another layer of complexity to the CBDT regime arises due to different requirements for the following:

  1. Critical information infrastructure operators (CIIO) and non-critical information infrastructure operators (non-CII). CIIOs are defined by Chinese laws and regulations and include service providers in industries such as communication, energy, transport, water, finance, public services, E-government services, and national defense.
  2. Processing of important data, and the different volume thresholds for the processing of personal information.

To provide further context to the Regulations, it is important to first outline the overarching CBDT regime in China. It consists of the following three laws and their ancillary regulations:

  1. Chinese Personal Information Protection Law (PIPL).
  2. Data Security Law (DSL).
  3. Cybersecurity Law (CSL).

The following are some important definitions with regard to the CBDT regime:

  1. Important Data: refers to data that, if tampered with, may endanger national security, economic operations, social stability, and public health and safety. Examples: Geographic data, infrastructure data, energy sources related data, network and network security data, statistical analysis data, military and defense-related data, cutting-edge technology, industry data. Catalogs of important data will be formulated for each industry.
  2. Critical information infrastructure: refers to infrastructure and facilities that, once compromised, may seriously endanger national security, national economy and people's livelihood, and public interests. These include industries and fields such as energy, transportation, and national defense.
  3. Personal information (PI): refers to information related to an identified or identifiable natural person recorded electronically or by other means, but it does not include anonymized information. Additionally, the term “processing” includes personal information collection, storage, use, processing, transmission, provision, disclosure, and deletion, among other things.
  4. Sensitive personal information (SPI): is PI that, once leaked or illegally used, may harm the personal dignity of a natural person or endanger their personal safety or property. SPI includes information such as biometrics, religious belief, specific identity, medical health status, financial accounts, and the person's whereabouts, as well as the personal information of a minor under the age of 14. Sensitive personal information may be processed only for a specific purpose and where necessary, and only under strict protective measures.

Analysis of the Relaxations Introduced by the Regulations

The following table provides a comparative analysis of the relaxations introduced by the new CBDT regime.

Exemptions

Old Regime: No volume-related exemptions: organizations exporting any amount of PI were required to fulfill one of the prescribed data transfer mechanisms.

New Regime: Volume exemptions: no export mechanism is required for a PI handler that, since January 1 of the current year, has exported PI of fewer than 100,000 individuals, provided that such data do not contain any SPI.

Category exemptions (explained in more detail below):

  (i) signing or performing contracts for cross-border shopping, transportation, bank account opening, payment, hotel booking, visa application, and exam services;
  (ii) cross-border HR management according to applicable labor rules or collective employment contracts;
  (iii) emergencies involving the protection of life and assets.

Insight: The exemption from the various regulatory filing and related requirements of the CBDT regime for companies that export only small volumes of PI is particularly welcome.

Even with category exemptions, organizations are still required to fulfill the pre-transfer requirements prescribed under the PIPL.

The category exemptions ease compliance for certain categories of data processing, such as routine performance of the contracts specified.

The HR management exemption will be very helpful in many day-to-day scenarios for MNCs.

It should be noted that the exemptions exclude prospective employees/job applicants, and there is significant ambiguity regarding whether sensitive employee data, such as bank account information or health data, can be transferred abroad without triggering the CBDT legal mechanisms. This may be further clarified in subsequent guidelines issued by the CAC.

Security Assessment

(a) Export of PI by a CIIO

Old Regime: Export of PI by a CIIO.

New Regime: Export of PI by a CIIO.

Insight: No change.

(b) Volume thresholds

Old Regime: Export of PI by a PI handler that, since January 1 of the previous year, has already exported (i) PI of 100,000 or more individuals, or (ii) sensitive PI of 10,000 or more individuals.

New Regime: Export of PI by a PI handler that, since January 1 of the current year, has already exported (i) PI of more than one million individuals, or (ii) sensitive PI of more than 10,000 individuals.

Insight: This is a welcome change for companies that export only small volumes of PI.

It is important to note that these relaxed thresholds only apply to data handlers who are not classified as critical information infrastructure (CII) operators. The CII designation is determined by regulators; therefore, a data handler can assume it is not a CII operator unless notified otherwise.

(c) Important data

Old Regime: Export of important data.

New Regime: Export of important data that has clearly been identified as important data pursuant to published rules or a notice of the relevant sectoral or regional regulator.

Insight: Clarity is provided regarding the classification of data as important data, as it is expressly stated that data (other than PI) that has not yet clearly been identified as important data may be exported without complying with the CBDT regime. It is still important for data exporters to closely monitor the fast-evolving landscape relevant to important data.

Companies are still mandated by the CBDT regime to take certain self-regulating compliance steps by performing data mapping and identifying and reporting important data in accordance with the relevant regulations. As of today, the identification of important data and its formulation into catalogs are still at a preliminary stage. The implementation of the Regulations will assist in improving important data management systems.

(d) Validity of the assessment

Old Regime: Validity up to 2 years.

New Regime: Validity up to 3 years.

Insight: The procedural burden for companies has been reduced by the increased validity period.

SCCs / Certification

Old Regime: A PI handler may opt for SCCs filing or the certification mechanism when a security assessment is not triggered.

New Regime: Export of PI by a PI handler that, since January 1 of the current year, has already exported (i) PI of between 100,000 and one million individuals, or (ii) sensitive PI of fewer than 10,000 individuals. A PI handler meeting this criterion may opt to comply with either the SCCs filing or the certification mechanism.

Insight: The threshold for opting for SCCs or the certification requirement has been specified and reduced. This will make compliance easier for organizations.

Despite the relaxed requirements noted above, the Regulations emphasize data compliance, including the following pre-transfer requirements in accordance with applicable laws and regulations:

  1. notifying the data subjects;
  2. obtaining separate consent;
  3. conducting a data transfer impact assessment; and
  4. ensuring data security.

Therefore, routine data compliance remains unchanged.

Negative Lists

Old Regime: None.

New Regime: A Free Trade Zone (FTZ) may formulate its own negative list of data that is subject to the data export mechanisms, upon completing certain approval and filing procedures.

Insight: This will promote greater economic activity within the specified free trade zones and ease compliance for companies, since no filing or application formality with the CAC is required for data outside the list.

The FTZs in Tianjin, Beijing and Shanghai have already introduced regulations that stipulate relaxed compliance requirements for CBDT. Organizations should stay vigilant for any subsequent negative lists published by the relevant FTZs.

Detailed Understanding of Exemptions from CBDT Mechanisms

The Regulations set out six cases in which an exemption from the CBDT mechanisms (security assessment for cross-border data transfer, conclusion of a standard contract for outbound transfer of personal information, or personal information protection certification) applies:

  1. Where data (excluding personal information or important data) is exported that was collected or generated during activities such as international trading, cross-border transportation, academic cooperation, cross-border production and manufacturing, marketing, and promotion; or
  2. Where PI is collected overseas, transferred to and processed in China, and is again exported without adding personal information or important data generated in China during the data processing; or
  3. Where PI must be exported to conclude and perform a contract to which an individual is a party, such as cross-border shopping, mail, remittance, payment, account opening, air ticket and hotel reservations, visa applications, and exam services; or
  4. Where it is necessary to export PI of internal employees to implement human resources management, in accordance with the labor rules and regulations and the collective contracts signed according to law; or
  5. Where it is necessary to export PI to protect the life, health, or property of natural persons in an emergency; or
  6. Where a data processor (non-CIIO) exports personal information abroad (excluding sensitive personal information) of fewer than 100,000 individuals, counted since 1 January of the current year.

An important clarification is provided in Article 4 of the Regulations: personal information originally collected and generated outside of China, and then transferred into China for processing is exempted from a security assessment, as well as the signing and filing of a standard contract, provided that no domestic personal information or important data is introduced during the processing.

Cross-border data flow subject to standard contract or certification

Where a data processor (non-CIIO) transfers abroad PI of 100,000 or more but fewer than 1 million individuals, or SPI of fewer than 10,000 individuals, counted since 1 January of the current year, the transferor and transferee must either:

  1. conclude and file SCCs for outbound transfer of personal information with the CAC, or
  2. complete a personal information protection certification and apply at the designated website and with the qualified certification institute.

Additionally, a personal information protection impact assessment (PIPIA) and other documentation need to be submitted to the CAC. The process may have to be repeated or modified in case of any change in the data processing activities or in the circumstances of the CBDT. The certification is valid for three years and is renewable upon fulfillment of the supervision requirements.

Negative Lists - FTZs

The FTZs may prescribe local preferential policies for companies within their respective jurisdictions. Therefore, they may develop their own negative lists for data transfer, setting out the data that is subject to the cross-border security assessment, the conclusion and filing of SCCs for outbound transfer of personal information, or personal information protection certification. If data is not mentioned in the negative list, it can be freely exported without any filing or application formality with the CAC.

Identification of important data

The Regulations obligate data processors to identify and report their “important data” where such data has been notified or identified under the relevant regulations. Thus, in the absence of regulations defining important data, a data processor need not conduct a security assessment for the cross-border data transfer. The DSL provides that all regions and departments shall determine the specific catalog of important data for their respective regions, departments, and relevant industries and fields. More specifically, Article 21 of the DSL provides that the government of China will establish a hierarchical data classification management and data protection system based on the importance of different types of data to the national economy, national security, and the public interest.

Updated security assessment guide and standard contract guide

According to the updated security assessment guide and standard contract guide, an official website is provided as the official online channel for SCC filing and security assessments. Of specific interest to foreign entities is the clarification that the processing of personal information of domestic natural persons by overseas entities is also a cross-border transfer of PI. This may be the case where overseas entities collect personal information from China, either for the purpose of providing products or services to domestic natural persons or to analyze and evaluate the activities of domestic natural persons. Therefore, overseas entities must establish a special agency or designate a representative in China according to Article 53 of the PIPL to fulfill the personal information protection compliance requirements under Chinese laws and regulations.

Organizational Compliance for CBDT

It is widely acknowledged that with the introduction of the Regulations, the CBDT regime in China has been significantly relaxed. However, this does not constitute a complete release from the CBDT mechanisms, even if a CBDT activity falls within an exempted scenario or below the stipulated volume thresholds for PI or SPI transfer. The following are key compliance considerations for organizations:

In case exemptions apply:

Ensure the following pre-transfer requirements are met:

  1. Obtain separate, informed, and explicit consent of the individual whose personal information is being transferred.
  2. Carry out a Personal Information Protection Impact Assessment before initiating the transfer of personal information out of China. This should cover the legitimacy and necessity of the purpose, the scope, the impact on individuals’ rights and interests, the security risks, and the security measures in place.
  3. Adequately inform the users whose personal information is to be transferred about the potential transfer with information regarding the name of the overseas recipient, contact information, purpose and method of processing, type of personal information and how they can exercise their data rights against the recipient.

It is also important to retain documentation demonstrating compliance in case of any enforcement action for non-compliance by the Chinese authorities.

In case any of the CBDT mechanisms apply:

  1. Ensure the above pre-transfer requirements are fulfilled.
  2. Review and update existing privacy notices, consent policies, labor contracts, employee handbooks and data protection policy documents.
  3. If the organization is located in an FTZ, monitor the FTZ's negative list in order to take advantage of the exemptions.
  4. Ensure routine efforts with regard to data protection and data security.
  5. Conduct regular compliance training for employees to ensure risk prevention awareness.

For ease of compliance, please refer to the decision tree below:

[Figure: China CBT Regulations decision tree]
