On 19 November 2024, the Cyberspace Administration of China (CAC) issued guidelines for compliance with regulations on cross-border data transfers. These guidelines are based on Article 37 of the Cybersecurity Law, Article 31 of the Data Security Law, and Article 38 of the Personal Information Protection Law. The CAC noted that these regulations aim to balance data security with business needs and produced these guidelines to aid compliance. Article 37 of the Cybersecurity Law stipulates that personal information and sensitive data collected by operators of critical information infrastructure during domestic operations must be stored within China. If a cross-border data transfer is necessary for business purposes, a security assessment must be conducted. Article 31 of the Data Security Law emphasises the protection and classification of important data across industries and organizations, with the National Data Security Coordination Mechanism defining what is classified as important data. Article 38 of the Personal Information Protection Law governs personal information, including sensitive personal information. It states that cross-border transfers are permitted if the businesses pass the security assessment defined in the Cybersecurity Law, obtain a personal information protection certification through a professional institution approved by the CAC, or sign a standard contract provided by the CAC with the overseas recipient.