China’s New CBDT Regime: One Year On

09 Jun 2025
Privacy + Data Security
Client Alert

China rolled out its “new,” streamlined cross-border data transfer (CBDT) regime on March 22, 2024, with the issuance by the Cyberspace Administration of China (CAC) of the Provisions on Facilitating and Regulating Cross-Border Data Flows (《促进和规范数据跨境流动规定》, the CBDT Provisions). A year later, on March 21, 2025, CAC celebrated the regime’s first anniversary by publishing an article heralding its achievements so far in implementing the new CBDT regime. On April 9 and May 30, 2025, CAC also released two rounds of Q&A to address frequently asked questions regarding China’s CBDT regime.

The first 14 months of operation of the new regime saw CAC busy processing CBDT filings and further building the administrative and regulatory infrastructure to support implementation of the regime. In this alert, we offer our international clients our own take on developments in China’s CBDT regime so far and some predictions on what we might expect to see over the next year.

Recap of Key Requirements of CBDT Regime

We discussed the key elements of China’s CBDT regime and the impacts of the CBDT Provisions in our March 28, 2024 alert, “China’s Data Regulator Significantly Relaxes CBDT Regime.” By way of recap of some of the most important requirements of the CBDT Provisions:

  • Unless an exemption is applicable, a PI handler (akin to a “controller” under the EU General Data Protection Regulation) needing to transfer personal information (PI) or “important data” out of China must do one of the following:

    (i) pass a security assessment undertaken by CAC;

    (ii) file a standard contract for PI export (SCCs) with the provincial CAC branch; or

    (iii) pass a PI protection certification conducted by a specialized agency accredited by CAC,

    with the security assessment (i.e., mechanism (i)) mandatory for the transfer of important data or the transfer of PI meeting certain criteria.
  • The CBDT Provisions exempt from these requirements:
    • PI handlers whose PI exports do not exceed stipulated volume thresholds; and
    • transfers of PI for purposes of cross-border HR administration, cross-border contract performance, or emergency response.

      Transfers of PI in the fulfilment of a legal obligation are now also exempt under regulations that came into effect on January 1, 2025.
  • Regulators of designated free trade zones (FTZs) are permitted to promulgate special rules applying to data exports from those FTZs.
  • All transfers of important data must undergo a security assessment undertaken by CAC. The CBDT Provisions place the burden on relevant regulators to expressly designate (via published regulations or notices) what is deemed to be important data within their scope of authority before this requirement is triggered.

CBDT Filing Burden Significantly Relaxed

The liberalizations effected by the CBDT Provisions have allowed CAC to focus in on data handlers engaged in the export of either sensitive data or a high volume of data and spared many other companies from the CBDT filing regime. They have also allowed for a streamlined review process.

In its article, CAC reported that since March 2024:

  • the volume of security assessment and SCCs filing applications processed each month from March 2024 to March 2025 had dropped significantly, by approximately 60% and 50%, respectively, as compared to the old CBDT regime.
  • the average time for CAC to review a security assessment application has been reduced to less than 30 working days, which is significantly shorter than the statutory review period of 45 working days. These improvements are attributed to the relaxations under the CBDT Provisions and CAC’s implementation of various reforms to the filing system.

Other measures taken, or to be taken, to streamline the CBDT filing regime include:

  • Review of Security Assessments to Be Delegated to Provincial CACs? On a pilot basis, in Beijing, Shanghai, Tianjin, Jiangsu, Zhejiang, and Guangdong, CAC has delegated to its provincial branches the conduct of pre-reviews of security assessment applications. This pilot may portend a change in approach nationally where provincial CAC branches undertake a substantive review of applications rather than a mere pro forma review, as is the case now.
  • “Green Channel” for Security Assessment of Foreign-Invested Enterprises Established. Another significant reform is the establishment by CAC and the Ministry of Commerce of a “green channel” for the expedited processing of the security assessment applications of foreign-invested enterprises, including foreign-invested R&D centers. The green channel program has already been tested in Beijing on a pilot basis and implementing measures are anticipated to extend the program to other locations soon.

Local Negative Lists and Rules Issued and Geographical Applicability Broadened

As authorized by the CBDT Provisions, five FTZs—Tianjin, Beijing, Hainan, Shanghai, and Zhejiang—have issued local regulations and negative lists exempting designated categories of PI and other data from the CBDT filing regime, including designated data across 17 sectors, including automotive, pharmaceuticals, commercial, civil aviation, international shipping, reinsurance, deep sea, aerospace, seed, cross-border tourism, duty-free retail, cross-border B2B e-commerce, and payment clearing and settlement.

Notably, CAC rules also now provide that negative lists issued by one FTZ can be referenced by other FTZs, essentially broadening the geographical applicability of these negative lists to all FTZs. Furthermore, Beijing Municipality has implemented a pilot program that applies the Beijing FTZ negative list more broadly to companies registered anywhere in Beijing.

Issuance of Sectoral Guidelines on CBDT

CAC has collaborated with sectoral regulators to develop guidelines for CBDT in relevant industry sectors. Guidelines are already in place in the finance sector that exempt data exports across more than 40 scenarios from any regulatory filings and also expressly designate data exports in more than 60 other scenarios that, while not exempt from regulatory filings, are permitted for export.

More Clarity on the Scope and Permitted Transfer of Important Data

With the requirement under the CBDT Provisions that regulators formally designate important data, there has been an accelerated effort by regulators to publish lists of, and criteria for, identifying, important data in different sectors.

  • Applicable nationally, GB/T 43697-2024, Data Security Technology – Rules for Data Classification and Grading, a recommended national standard, outlines factors to be considered when identifying important data.
  • FTZs’ negative lists include guidelines on the scope of important data in the relevant sectors.
  • Regulators in sectors such as automotive, finance, and telecommunications have issued rules offering guidance on the criteria to be used in identifying important data.

In a Q&A, CAC has stressed that transfers of important data are not prohibited per se and that it will approve transfers that do not compromise China’s national security or public interests, noting that, as of March 2025, among the 44 security assessment applications involving the export of important data it had reviewed:

  • 37 applications had passed review (representing an approval ratio of 84.1%).
  • Among the 509 discrete items of important data covered by the 44 applications, 325 were approved for export (representing an approval ratio of 63.9%).

Concluding Comments

In the first 14 months since China’s CBDT regime became fully operational, CAC has focused on refining the regime through the various measures discussed above and on educating businesses via written guidance and seminars. We anticipate that the efforts of CAC and sectoral regulators to streamline and clarify the CBDT regime will continue over the coming months.

CAC has not (yet) issued any penalties for non-compliance with the CBDT regime, even though data handlers were not given any formal grace period to comply. However, it is not anticipated that CAC will continue to show this forbearance going forward. Fines for non-compliance with the Personal Information Protection Law and the Data Security Law might run up to RMB 50 million (approximately USD 7 million) or 5% of the previous year’s turnover, depending on the severity of the breach and we expect CAC will start to impose penalties for non-compliance in the coming months, focusing initially on data handlers that handle a large volume or particularly sensitive data.

As further explained in the Terms / Notices linked below, the information provided herein is not legal advice. Any information concerning the People’s Republic of China (PRC) is not an opinion on, determination on, or certification of the application of PRC law. We are not licensed to practice PRC law.

Contacts
65 69222066
852 25850808
65 69222050
86 (21) 23225243
86 (21) 23225220
About Morrison Foerster

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.

© 2025 Morrison & Foerster LLP Client Alert www.mofo.com