China Finalizes Provisions on Promotion and Stand

China Finalizes Provisions on Cross-Border Data Transfer

Chinese authorities issued new regulations and guidance governing cross-border transfers of data and personal information, which will significantly reduce procedural and compliance burdens for many multinationals.

On March 22, 2024, the Cyberspace Administration of China issued the Provisions for the Promotion and Standardization of Cross-Border Data Flows (the "Provisions") and updated guidelines for security assessments and standard contracts  (collectively, the "Guidelines"), all effective immediately. 

The Provisions and the Guidelines clarify and relax requirements relating to cross-border data transfers. 

Exemptions From Additional Procedural Requirements for Cross-Border Data Transfers 

Previously, data handlers were required to pass an assessment, file a standard contract with authorities, or undergo personal information ("PI") protection certification if they transferred any PI abroad. Under the Provisions, a data handler is exempt from such requirements in these scenarios:

  • Re-export of PI imported from outside China, as long as the data handler does not introduce PI or "important data" from China during processing;
  • PI transfers for entering into or performing contracts with individuals;
  • Employee PI transfers for human resources management;
  • PI transfers to protect life and property in emergencies; 
  • Non-sensitive PI transfers by handlers that are not critical information infrastructure operators ("CIIOs") of less than 100,000 persons in the current year; 
  • Transfers of data not listed in a free trade pilot zone's Negative List by a registered handler; and
  • Data generated from international trade, cross-border transportation, academic cooperation, transnational manufacturing, and marketing, if the data does not contain PI or "important data" (data is not "important data" unless notified by relevant authorities or publicly released as "important data").

When Additional Procedural Requirements Apply 

Subject to exemptions, assessments are mandatory when: (i) CIIOs transfer PI or "important data"; or (ii) non-CIIOs transfer "important data" or PI (in the current year) of more than 1 million persons or transfer sensitive PI of more than 10,000 persons.

Subject to exemptions, Standard Contracts or Certifications are required when non-CIIOs: (i) transfer PI (in the current year) of more than 100,000 and less than 1 million persons; or (ii) transfer sensitive PI of less than 10,000 persons. 

Next Steps

Because the Provisions and the Guidelines significantly ease compliance burdens, companies should evaluate their cross-border transfers to determine what requirements they are required to meet going forward.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.