2. Continued relaxations for cross-border data transfer in FTZs

The Provisions on Promoting and Regulating Cross-border Data Flows promulgated on 22 March 2024 (CBDT Regulation) authorised China’s free trade zones (FTZs) to formulate and adopt local preferential policies for cross-border data transfer, offering additional flexibilities beyond the national framework.

In 2024, Shanghai, Beijing, and Tianjin FTZs issued their respective negative list/whitelist ahead of other regions. Please see our previous client alert  for more information. Building on that effort, Shanghai FTZ issued a negative list of CBDT in February 2025, covering areas of reinsurance, international shipping, and commerce, such as retail, catering, and accommodation.

In the recent months of 2025, the FTZs in Hainan, Zhejiang, Guangxi, and Jiangsu have also released their CBDT negative list tailored to the local strategic industries. For example, e-commerce in Zhejiang; ocean, agriculture, and tourism sectors in Hainan; the health care industry in Jiangsu; and geographic information and cross-border e-commerce in Guangxi.

It is interesting to note that, with the encouragement of the central CAC, negative lists released by one FTZ may be referenced by companies in other FTZs. For example, a reinsurance company registered in the Guangxi FTZ can refer to the CBDT list released by the Shanghai FTZ when transferring reinsurance data abroad, in order to leverage the preferential policies available in other FTZs. This interoperability between various FTZs significantly expands the exemptions and reduces compliance burdens for businesses.

3. Important data guidelines in the industrial field

The concept of “important data” was first introduced under the PRC Cybersecurity Law and later elaborated in the PRC Data Security Law. Companies processing important data must comply with stricter protection requirements, such as conducting regular risk assessments and undergoing a CAC-led security assessment for CBDTs. However, due to the lack of a clear definition, identifying important data has become a challenge for many business entities. While the laws and regulations at the national level only provide some general descriptions, regulators in certain industries are attempting to provide more practical guidance by issuing industrial guidelines and rules.

On 25 December 2024, the PRC Ministry of Industry and Information Technology (MIIT) released the Important Data Identification Guidelines in the Industrial Field, which took effect on 1 April 2025. According to these guidelines, the following would be identified as important data:

• Sensitive industry data: Data processed by companies in sensitive industries, such as steel, nonferrous metals, and petrochemicals, would fall within the scope.
• High-technology data: Data pertaining to high-tech fields are more likely to be identified as important data, such as design data of high-end medical device production, integrated circuits, electronic components, key software, and similar areas.
• Personal data: In line with the Regulations for Network Data Security Management, personal data of more than 10 million individuals or sensitive personal data of more than 100,000 individuals is classified as important data.

Some local bureaus of MIIT have launched a pilot project for the identification of important data. Key business entities in the region are requested to classify and grade their data, conduct self-evaluation, and submit a list of important data to the local MIIT. The local MIIT will review the submitted list, informing them of the final important data list.

4. Version 3 of the Security Assessment Guidelines for CBDT

There are three mechanisms to implement cross-border data transfers in China: (i) CAC-led security assessment; (ii) Chinese SCC; and (iii) certification by qualified third parties. On 27 June 2025, the CAC released the third version of the Security Assessment Guidelines for cross-border data transfers, updating previous versions issued on 31 August 2022 and 22 March 2024, respectively.

Under the CBDT Regulation, the approval of a security assessment is valid for three years and can be extended by application. However, the CBDT Regulation does not provide detailed guidance on how to extend the approval. Version 3 clarifies the conditions for extending the approved security assessment. Companies can apply for the extension if all of the following conditions are met:

• There must be no changes to the purpose of the CBDT or the scope of personal data transferred abroad;
• There must be no changes to the data exporter in China or the overseas data recipient;
• If transferring personal data, the volume transferred over the next three years must not increase by more than 20% compared to the volume approved for the previous three years;
• If transferring important data, the data size transferred over the next three years must not increase by more than 20% compared to that of the previous three years; and
• The company must have strictly followed the approved assessment when conducting the CBDT, with no major data breaches or incidents in the past three years.

5. CBDT Guidelines for Automotive Data

On 13 June 2025, the MIIT, CAC, Ministry of Transport, and other regulatory bodies jointly published the draft CBDT Guidelines for Automotive Data, seeking public comments.

Once finalised, these guidelines will apply to a broad range of stakeholders in the automotive sector, including automakers, parts and software suppliers, telecom operators, autonomous driving service providers, platform companies, dealers, maintenance service providers, and even travel agents, among others.

In addition to general exemption scenarios under the CBDT Regulation (e.g., HR management, contract performance, and similar activities), the draft introduces sector-specific exemptions. Subject to certain conditions, China’s CBDT legal mechanism can be exempted for data transfers outside China if the transfer is for purposes such as patching security vulnerabilities, handling security incidents, fixing automotive product defects, or conducting product recalls.

The draft also provides examples of important data in the automotive context, such as source codes in product development scenarios, algorithms for autonomous driving, and vehicle identification numbers in networked operations. These examples provide the much-needed clarity for businesses to identify important data.

6. Recent enforcement trends by Chinese regulators

In the first eight months of 2025, Chinese regulators have been active in launching compliance investigations and enforcement campaigns focusing on apps, AI compliance, and the filing of algorithms and large language models (LLMs).

In May, the Central CAC launched a special campaign against the misuse of AI technology. The main violations identified include the failure to file the LLM and algorithm; infringement of privacy and IP rights; failure to implement security measures; and failure to conduct security assessments. Following the Central CAC, the Shanghai CAC launched a similar campaign in June, with 15 large online platforms participating and updating their respective AI compliance mechanisms.

MIIT continues to monitor apps compliance. In April, MIIT published the first non-compliant apps list of 2025, focusing on apps related to medical health, entertainment, games, sports, and fitness. The main non-compliances include the collection of personal data beyond the scope of the privacy notice; failure to disclose the SDK information; and frequent and excessive requests for authorisation, among others. Operators of non-compliant apps have been requested to take corrective actions immediately.

Failure to comply could result in severe consequences. Chinese regulators can impose fines on both business entities and senior management, remove apps from app stores, suspend services, or even revoke business licences. Companies must take necessary compliance steps to reduce the enforcement risks.

Compliance suggestions

The continued evolution of China’s data and privacy regime presents both opportunities and challenges for business entities. Multinational companies operating in China are advised to consider the following steps to ensure compliance:

1. Review personal data processing status and appropriate audit procedures. With the Audit Measures now in effect, regulators may begin enforcement later this year or early next year. Companies must develop audit plans and conduct the compliance audit promptly.
2. Companies based in FTZs must monitor the local negative lists and leverage the special relaxation policies to reduce the compliance burden for cross-border data transfer.
3. Entities engaged in sensitive or high-tech industries must closely monitor the guidelines and policies issued by industrial regulators, carry out data classification and grading, and take a proactive approach in identifying and managing important data.
4. Continuously optimise data processing practices, update privacy documentation, and address compliance gaps in response to new regulatory and enforcement developments in China.

Our China data and privacy team has significant hands-on experience in advising on complex and high-stakes data compliance matters. Please feel free to reach out to us if you would like to discuss any aspect further.

In-depth 2025-228