Cross-Border Data Transfer Regulations (Updated 2025)
Published: September 15, 2025
Executive Summary
China relaxed its cross-border data transfer rules in September 2025, exempting many routine business data transfers from security assessments. The updated framework simplifies compliance for foreign companies handling HR, procurement, and non-sensitive operational data.
Key Points
Routine HR, procurement, and non-sensitive operational data transfers exempted from security assessment requirements
Data that does not contain "important data" or personal information of more than 100,000 individuals is exempt
Free trade zones granted additional flexibility for data exports in pilot programs
Negative list approach adopted: data categories requiring assessment are specified, everything else is permitted
Foreign companies still need to classify their data and maintain transfer records for compliance
Significant improvement from the strict 2022 framework — estimated 80% of routine business transfers now exempt