One Key Take-Away from FAQ on Cross-Border Data Transfers
By Matthew Ding
Background
On 30 May 2025, the Cyberspace Administration of China (CAC) released a new FAQ regarding the management of cross-border data transfers. This long-awaited clarification provides significant relief to enterprises navigating the complex regime of data export compliance under China's Data Security Law and associated regulations.
Key Clarification: No Immediate Obligation Without Sector-Specific Standards or Notification
One of the most notable take-aways is the CAC's confirmation that companies are not required to classify and report "important data"—a prerequisite for data export security assessments—unless their industry authority has either (1) issued classification and identification rules or (2) explicitly notified them to begin this process.
Therefore, as long as such standards or notifications have not yet been issued, companies will not be considered non-compliant and should not be punished for not having taken the additional measures required for the export of "important" data. This removes a longstanding concern for businesses operating in industries where regulatory clarity is still pending.
Reprieve: 2-Month Window Upon Future Notification or Rule Issuance
If and when the relevant authorities publish industry-specific data classification standards later or notify companies to begin identification and reporting, companies will be granted a two-month period to identify the relevant important data and submit a cross-border data security assessment application. This provides a workable compliance runway for organizations newly brought under the scope of "important data" rules.
Conclusion
This FAQ provides practical relief and regulatory certainty for many companies engaged in international data flows. Most importantly, businesses may continue cross-border data transfers without fear of retrospective punishment, as long as the current legal requirements have not yet been triggered.
Businesses are advised to monitor updates from their industry regulators and be ready to act within the 2-month compliance period once specific rules are published or notifications are received.
R&P's data privacy team advises and supports clients to ensure compliance with China's complex data privacy regulatory framework. We are closely monitoring regulatory developments across sectors. If you would like a clearer understanding of whether your business could be impacted, or need support planning for future compliance, please reach out the author at [email protected] or your trusted contact at R&P.