China: People's Bank of China adopted Measures for the Administration of Data Security in the Business Field including cross-border data transfer regulations

On 1 May 2025, the People's Bank of China adopted the Measures for the Administration of Data Security in the Business Field, formalising data security obligations for financial institutions and other authorised entities operating under its jurisdiction. The Measures specify that entities processing data have to adhere to state Internet information department provisions when transferring data overseas. The Measures specify that entities are required to conduct and submit a security assessment for data export and prohibit intentional data splitting to avoid conducting security assessments. Furthermore, entities must also maintain records of the scale and scope of data exported abroad, as well as related self-assessment reports and security assessment declarations for the validity period. Finally, the entities are prohibited from sharing data stored in China with International Organizations and Foreign Financial Regulatory Departments without the approval of PBC and other relevant competent departments.