News

Home – News

stock, trading, monitor, business, finance, exchange, investment, market, trade, data, graph, economy, financial, currency, chart, information, technology, profit, forex, rate, foreign exchange, analysis, statistic, funds, digital, sell, earning, display, blue, accounting, index, management, black and white, monochrome, stock, stock, stock, trading, trading, trading, trading, trading, business, business, business, finance, finance, finance, finance, investment, investment, market, data, data, data, graph, economy, economy, economy, financial, technology, forex

China Releases Official Q&A Clarifying Cross-Border Data Transfer Compliance (October 2025)

01/18/2026

China’s Cyberspace Administration of China (CAC) published an official “Data Export Security Management Policy Q&A (October 2025)” to address common compliance questions businesses have raised when handling cross-border data transfers. Rather than introducing a new standalone regime, the Q&A helps organizations interpret and apply existing rules more consistently—especially around exemptions, what counts as an “outbound” transfer, and when a new security assessment may be required.

Several takeaways are particularly practical for day-to-day operations:

Exemptions are not limited to a fixed list. The Q&A explains that the “etc.” language in contract-performance scenarios (such as cross-border shopping, payments, travel bookings, visa services, exams, and similar services) can cover additional comparable situations, as long as the transfer is genuinely necessary to conclude or perform a contract where the individual is a party, and the personal information provided overseas stays within a minimum-necessary scope.
“Outbound transfer” is about where access happens, not only where servers sit. If data is stored in China but can be queried, retrieved, or exported by an overseas entity from outside China, that can be treated as a cross-border data transfer. By contrast, if overseas staff access the data while physically in China and the data is not transmitted abroad, it is generally not treated as an outbound transfer.
Volume thresholds still matter over the calendar year. Even if an organization initially relies on a lighter compliance route (for example, filing a standard contract), it should monitor cumulative outbound volumes from January 1 of the same year. If volumes later reach the threshold that triggers a security assessment, the organization is expected to follow the security assessment procedure.
“Important data” triggers tighter timelines. If an organization is informed that it handles important data—or its data is publicly designated as important—continuing relevant outbound transfers typically requires applying for a security assessment within a defined time window.
Changes to systems do not automatically mean re-assessment. The Q&A indicates that routine system upgrades or replacements do not necessarily require re-submitting a security assessment, unless they change key risk factors (such as the purpose, scope, method of transfer, retention period, or other conditions that materially affect data security).

For compliance teams, the Q&A is useful as a checklist: it signals how regulators expect organizations to interpret exemptions narrowly, document necessity, and keep transfer volumes, recipients, and technical access pathways under ongoing review.

Source:
https://www.cac.gov.cn/2025-10/31/c_1763633376984070.htm