In recent years, China has steadily strengthened both the legal framework and enforcement for cross-border data transfers. In March 2024, the Cyberspace Administration of China (CAC) issued the Provisions on Promoting and Regulating the Cross-Border Data Flow (Cross-Border Provisions), which defined the applicable scenarios for compliant cross-border data transfer pathways, as well as the exemption scenarios. In September of the same year, the State Council promulgated the Regulation on the Administration of Network Data Security (Network Data Regulation), which came into force on January 1, 2025, and further specified data processors’ security management obligations and the regulatory requirements for cross-border data transfers.
In 2025, the CAC released three batches of Policy Q&As regarding the security administration of cross-border data transfers. These Q&As addressed a number of issues in practice, including the interpretation of exemptions for compliant cross-border data transfer pathways, the determination methodology for the necessity of cross-border data transfers, and the compliance requirements for the cross-border transfer of important data. Local cyberspace administration offices have also issued guidelines on cross-border data transfers, and multiple free trade zones, such as Beijing, Shanghai, Hainan and Chongqing, have all released administrative lists (negative lists) for cross-border data transfers.
In terms of law enforcement, a well-known multinational enterprise was investigated and penalized by the authorities. This was due to its failure to (a) implement an applicable pathway before transferring users’ personal information to its overseas headquarters, (b) fully inform users and obtain their separate consent prior to the cross-border transfer, and (c) implement security measures such as encryption and de-identification. The National Computer Virus Emergency Response Center announced that the non-compliance issues detected in the App inspections included a “failure to inform individuals of cross-border data transfer matters and obtain their separate consent when transferring personal information abroad”.
In January 2026, the Cyberspace Administration of Shanghai released a batch of typical cases regarding data compliance law enforcement, including two penalty cases of illegal cross-border data transfers. These cases are particularly notable from a corporate compliance perspective.
The first case involved a hotel management enterprise that conducted illegal cross-border data transfers of its users’ data. Given that its online hotel booking business involves cross-border data transfers, the enterprise applied for a security assessment of the cross-border data transfer with the CAC. After receiving the Assessment Result Notice from the CAC, which indicated that the necessity of the proposed cross-border data transfer was insufficient, the enterprise failed to make rectifications and continued to transfer personal information abroad in violation of law. The CAC determined that this behavior violated the provisions of the Personal Information Protection Law (PIPL) and the Network Data Regulation. It ordered the enterprise to make rectifications within a certain time period and imposed a fine, though the specific fine amount has not been disclosed.
The second case concerned a property management enterprise engaged in illegal cross-border data transfers of its users’ data. The enterprise’s App is mainly used to assist users in managing membership accounts, making reservations and completing check-in procedures. However, the enterprise transferred users’ accommodation information, including sensitive personal information such as financial account details, to overseas parties, without applying for a cross-border data transfer security assessment, entering into standard contracts or obtaining personal information protection certification. The cyberspace administration held that it violated the PIPL and the Network Data Regulation and ordered it to rectify the violations within a certain time period and issued an administrative warning, without imposing a monetary fine.
The core issue in the first case was that the enterprise ignored the assessment result. It had been notified that the cross-border data transfer was not deemed sufficiently necessary and thus failed the assessment, yet the business persisted in the illegal cross-border data transfer. In the second case, the core issue was that the enterprise arbitrarily transferred personal information across borders without completing any of the statutory pathways for the cross-border data transfer.
With the further refinement and increasing enforcement of China’s cross-border data transfer regulatory framework, enterprises that engage in cross-border data transfers but have not fully fulfilled their compliance obligations are advised to complete compliance rectifications as soon as possible. It is recommended that enterprises take immediate action to sort out their cross-border data transfers, investigate and determine the types of data transferred and the pathways applicable to them, conduct in-depth analysis on the necessity and legality of such cross-border data transfers, ensure that the transfer activities have a clear legal basis, and promptly advance work such as personal information protection impact assessments.
Enterprises that have already completed cross-border data transfer compliance work may consider conducting self-inspections to check whether material changes have occurred in their cross-border data transfers. In the event of any new or altered cross-border data transfers, it is advisable that enterprises fulfill their statutory compliance obligations, identify potential compliance gaps, and carry out rectifications in a timely manner.





