Privacy & Information Security Law Blog

On April 9, 2025, the Cyberspace Administration of China (“CAC”) published a Q&A related to administrative policies on the security of cross-border transfers. Below is a list of certain of the questions published by the CAC each with a summary of the response from the CAC.

How can consistency of the criteria for the negative lists in different Pilot Free Trade Zones (“Pilot FTZs”) be ensured?

Pursuant to the Provisions on Facilitating and Regulating Cross-border Data Flow (the “Provisions”), the Pilot FTZs may each formulate their own negative list under the framework of the data classification and categorization protection. If a Pilot FTZ has issued a negative list, other Pilot FTZs in the same industry can adopt the issued negative list to avoid duplication. Currently, the negative list has covered 17 industries including automobile, drug, retail, civil aviation, re-insurance, deep sea field and seed industry

How should the necessity of cross-border transfers be understood and determined?

Pursuant to Articles 6 and 19 of the Personal Information Protection Law, the considerations for determining “necessity” include whether the processing of personal information:

• is directly related to the purpose of the processing;
• has minimal impact on individuals rights;
• is limited to the minimum scope necessary to achieve the purpose; and
• the retention period is limited to the shortest time necessary to achieve the purpose.

Therefore, an assessment on the necessity of a cross-border transfer must focus on the necessity of the cross-border transfer itself, the number of individuals impacted, and the necessity of the scope of data elements of the transfer. The CAC and the relevant competent industrial authorities intend to jointly refine and clarify the business scenarios of cross-border transfers in specific industries and provide more detailed guidelines in the future.

Can important data be transferred outside of China?

Yes, important data can be transferred outside of China if a security assessment determines that the transfer will not harm national security or public interest. As of March 2025, the CAC had completed 298 applications for security assessment on cross-border transfers, of which 44 applications involved important data and seven applications failed, which means the failure rate is only 15.9%. In these 44 applications, there are total 509 important data elements, among which 325 elements were approved for transfer and the pass rate is 64.9%.

Are there any more convenient channels for cross-border transfers between group companies?

If the scenarios for the cross-border transfers for multiple Chinese subsidiaries belonging to one group company are similar, it is permitted for the group company, as the applicant, to submit one consolidated application for security assessment or one consolidated filing of the standard contract (“SC”) for cross-border transfers.

Alternatively, if either of the Chinese affiliate and the oversea recipient obtains the certification for cross-border transfer, the relevant entities can carry out the data transfer activities within the certified scope. If a group company obtains such certification, it is permitted to transfer data within the group without concluding separate SCs with the affiliates in each country/region.

Is there a specific process for extending the validity period of cross-border data transfer related security assessment results?

The Provisions extend the validity period of the assessment results from two years to three years. Upon expiration of the validity period, if the data handler continues to carry out cross-border activities without any circumstances requiring re-application for a security assessment, it may apply to the local cyberspace administration authority for an extension 60 business days before the expiration of the validity period. The validity period of the security assessment results can then be extended for another three years. The CAC intends to revise and issue relevant policies related to the extension procedure to make conditions for cross-border transfers more convenient.