数据出境合规实务50问（2025版）

Questions(2024Edition) PREAMBLE With the booming development of the digital economy, data has become animportant factor of production and a key driver of development.Cross-borderdataflowis essentialas astrategicleveragefor global economic development, technologicalinnovation and international trade. However, cross-border data flow presents challengesand controversies in terms of data security and privacy protection.Many countries havetherefore intensified the regulation and standardization of cross-border data flow. On July 7, 2022, Cyberspace Administration of China (CAC) releasedtheMeasures for the Security Assessment of Cross-Border Data Transfer( effective onSeptember 1, 2022). With other previously released laws and regulations, itestablishedaninitialregulatory framework foroutboundcross-border data transfer compliance.However,ambiguities in the rules and regulationsresulted in initial uncertainty formanyenterprises.On September 28,2023,CAC released the Regulations onRegulating and Promoting Cross-Border Data Flow (Draft).Itsparked extensivediscussionsin various sectors regarding the selection of appropriateoutboundcross-border data transfercompliance measures. On March 22, 2024, after six months of reviewing and considering externalfeedback, CACofficially announcedthe Regulations on Promoting and RegulatingCross-Border Data Flow(the Regulations on Cross-Border Data Flow)whichbecameeffective immediately.The Regulationson Cross-Border Data Flowrefinedthe regulatory framework for outbounddatatransfer, further easing therequirementsfor data transfer andnarrowing the scope of security assessmentforcross-border datatransfer.These latest regulatory update showed CAC’sintention to facilitate andpromotecross-border dataflow, by reducingthe cost of compliance and promotingthegrowth of trade andthedigital economy, while balancingdata security and nationalinterests. Asthe Regulationson Cross-Border Data Flowwill impact enterprises’who mayneed totransferdata outside the Chinese mainland, the data and cyber security team fromGlobal LawOffice, in conjunction with University of International Business andEconomics Research Center for Digital Economy and Legal Innovation, NIO HoldingsLtd., Qi An Xin Technology Group Inc., Beijing OgilvyoneMarketingCo.Ltd., andHangzhou Youzan Technology Co., Ltd.,have collaborated toreleasethisguidelinetohelpanswercommonquestions on cross-border data transfer inaFAQ format. Thisguideline,is divided into two parts: the first part introduces the legal and regulatoryframework of cross-border data transfer in the Chinese mainland, addresses therelevantconcepts, andproposesprecautions.The second partanalyzes commoncross-borderdata transferscenarios, data typesandthe process ofoutbound cross-border datatransfer security assessmentsand submission, as well as risk assessmentsand countermeasures. In the era of rapidgrowth indigital economy, compliance management of cross-border data transferwill become an essential capability for enterprises. We hope thatthe release of this article.will provideauseful reference for enterpriseswho need tomove and share data between countries and regions. Finally,wewould like to thank all the participating organizations and personnelfor the hard work, especially the strong support of Wolters Kluwer, and everyone fortheir valuable input and advice. Meng, Maggie (Jie) CONTENTS PREAMBLE..............................................................................................1 PART 1 FUNDAMENTALS.....................................................................1 I. What are the Legal and Regulatory Requirements Governing Cross-Border DataTransfer in China?..........................................................................................................2II. What Activities Constitute Cross-Border Data Transfer?.......................................11III. How to Identify Overseas Recipient of Outbound Cross-Border Data Transfer?.12IV. What are the Three Routes for China’s Current Outbound Cross-Border DataTransfer System? How Can One Determine Which Route toSelect?.........................13V. Under What Scenarios can Data be Transferred outside the Chinese mainland withoutFollowing the Three Routes of Outbound Cross-Border Data Transfer?....................17VI.Which Scenarios Fall under the Category of“Laws and AdministrativeRegulations Provide Otherwise, and Assessment/Approval Shall be Submitted inAccordance with Their Provisions”?.........................................................................23VII.Which Scenarios Fall under the Category of“Laws and AdministrativeRegulations Provide Otherwise, and Assessment/Approval Shall be Submitted inAccordance with Their Provisions”?.........................................................................24VIII. What is the Procedure of Outbound Cross-Border Data Transfer SecurityAssessment?....................................................................................................