China releases updated guidelines on data outbound security management

The Cyberspace Administration of China (CAC) has released a comprehensive set of guidelines aimed at clarifying and reinforcing the regulatory framework governing cross-border data transfers. These guidelines are part of ongoing efforts to implement China’s data outbound security management policies more effectively and support enterprises in navigating the complexities of international data flows.

At the core of the updated policy is a clear distinction between types of data subject to regulation. While general data that does not involve personal or sensitive information can flow freely across borders, important data and personal information at scale must undergo formal security assessments before export. This system, grounded in the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, reflects China’s broader national strategy to ensure both security and openness in data governance.

To support implementation, the CAC has already enacted several regulatory instruments including the Measures for Security Assessment for Data Cross-Border Export, Measures for Standard Contract for Personal Information Cross-Border Export, and Regulations on Promoting and Regulating Cross-Border Data Flows. These provide detailed compliance pathways through security assessments, contractual frameworks, and certification systems.

A notable focus of the new guideline is the standardisation of negative lists across free trade pilot zones. These lists define the types of data restricted from export without further review. The CAC has emphasised consistency by requiring that all negative lists be approved at the provincial level and filed centrally with the national cybersecurity and data authorities. Already implemented in free trade zones such as Tianjin, Beijing, and Shanghai, these lists cover industries ranging from automotive and pharmaceuticals to civil aviation and reinsurance.

The guideline also provides clarity on how important data is defined and identified. Drawing from Article 62 of the Regulations on Network Data Security Management and national technical standards such as GB/T 43697-2024, important data is understood to include information that, if misused, could threaten national security, economic operations, or public safety. Despite the high threshold for scrutiny, data that qualifies as important can still be exported, provided it passes a security review.

As of March 2025, CAC data shows that out of 509 important data items submitted for export assessment, 325 (63.9%) were approved for transfer. This suggests a pragmatic application of the law, balancing national interests with corporate needs.

For multinational corporations, the CAC is introducing more convenient mechanisms. Group companies can now apply jointly for security assessments or submit unified filings for standard contracts if their data export scenarios are similar. Additionally, enterprises may pursue personal information protection certification, which—once obtained—can simplify cross-border data flows within international corporate groups.

The validity period for security assessment results has also been extended to three years, up from the previous two. If no significant changes occur in the data export scenario, companies may apply to extend this period without repeating the full assessment, a move intended to ease long-term compliance burdens.

Finally, the CAC reaffirmed its commitment to inclusive and transparent development of technical standards. Foreign-invested enterprises are encouraged to participate in standards formulation through the National Technical Committee for Cybersecurity Standardization. Equal participation rights are guaranteed, with all stakeholders able to contribute during the drafting, consultation, and finalisation stages.

Together, these guidelines signal China’s intention to foster secure, orderly, and business-friendly cross-border data flows, while ensuring that critical information remains protected in line with national priorities.