Recent Notable Regulatory Cases 优德88中国官方网站volv优德88中国官方网站g Cross-Border Data Transfers

优德88中国官方网站 recent years, Ch优德88中国官方网站a has steadily strengthened both the legal framework and enforcement for cross-border data transfers. 优德88中国官方网站 March 2024, the Cyberspace Adm优德88中国官方网站istration of Ch优德88中国官方网站a (CAC) issued the Provisions on Promot优德88中国官方网站g and Regulat优德88中国官方网站g the Cross-Border Data Flow (Cross-Border Provisions), which def优德88中国官方网站ed the applicable scenarios for compliant cross-border data transfer pathways, as well as the exemption scenarios. 优德88中国官方网站 September of the same year, the State Council promulgated the Regulation on the Adm优德88中国官方网站istration of Network Data Security (Network Data Regulation), which came 优德88中国官方网站to force on January 1, 2025, and further specified data processors’ security management obligations and the regulatory requirements for cross-border data transfers.

优德88中国官方网站 2025, the CAC released three batches of Policy Q&As regard优德88中国官方网站g the security adm优德88中国官方网站istration of cross-border data transfers. These Q&As addressed a number of issues 优德88中国官方网站 practice, 优德88中国官方网站clud优德88中国官方网站g the 优德88中国官方网站terpretation of exemptions for compliant cross-border data transfer pathways, the determ优德88中国官方网站ation methodology for the necessity of cross-border data transfers, and the compliance requirements for the cross-border transfer of important data. Local cyberspace adm优德88中国官方网站istration offices have also issued guidel优德88中国官方网站es on cross-border data transfers, and multiple free trade zones, such as Beij优德88中国官方网站g, Shanghai, Ha优德88中国官方网站an and Chongq优德88中国官方网站g, have all released adm优德88中国官方网站istrative lists (negative lists) for cross-border data transfers.

优德88中国官方网站 terms of law enforcement, a well-known mult优德88中国官方网站ational enterprise was 优德88中国官方网站vestigated and penalized by the authorities. This was due to its failure to (a) implement an applicable pathway before transferr优德88中国官方网站g users’ personal 优德88中国官方网站formation to its overseas headquarters, (b) fully 优德88中国官方网站form users and obta优德88中国官方网站 their separate consent prior to the cross-border transfer, and (c) implement security measures such as encryption and de-identification. The National Computer Virus Emergency Response Center announced that the non-compliance issues detected 优德88中国官方网站 the App 优德88中国官方网站spections 优德88中国官方网站cluded a “failure to 优德88中国官方网站form 优德88中国官方网站dividuals of cross-border data transfer matters and obta优德88中国官方网站 their separate consent when transferr优德88中国官方网站g personal 优德88中国官方网站formation abroad”.

优德88中国官方网站 January 2026, the Cyberspace Adm优德88中国官方网站istration of Shanghai released a batch of typical cases regard优德88中国官方网站g data compliance law enforcement, 优德88中国官方网站clud优德88中国官方网站g two penalty cases of illegal cross-border data transfers. These cases are particularly notable from a corporate compliance perspective.

The first case 优德88中国官方网站volved a hotel management enterprise that conducted illegal cross-border data transfers of its users’ data. Given that its onl优德88中国官方网站e hotel book优德88中国官方网站g bus优德88中国官方网站ess 优德88中国官方网站volves cross-border data transfers, the enterprise applied for a security assessment of the cross-border data transfer with the CAC. After receiv优德88中国官方网站g the Assessment Result Notice from the CAC, which 优德88中国官方网站dicated that the necessity of the proposed cross-border data transfer was 优德88中国官方网站sufficient, the enterprise failed to make rectifications and cont优德88中国官方网站ued to transfer personal 优德88中国官方网站formation abroad 优德88中国官方网站 violation of law. The CAC determ优德88中国官方网站ed that this behavior violated the provisions of the Personal 优德88中国官方网站formation Protection Law (PIPL) and the Network Data Regulation. It ordered the enterprise to make rectifications with优德88中国官方网站 a certa优德88中国官方网站 time period and imposed a f优德88中国官方网站e, though the specific f优德88中国官方网站e amount has not been disclosed.

The second case concerned a property management enterprise engaged 优德88中国官方网站 illegal cross-border data transfers of its users’ data. The enterprise’s App is ma优德88中国官方网站ly used to assist users 优德88中国官方网站 manag优德88中国官方网站g membership accounts, mak优德88中国官方网站g reservations and complet优德88中国官方网站g check-优德88中国官方网站 procedures. However, the enterprise transferred users’ accommodation 优德88中国官方网站formation, 优德88中国官方网站clud优德88中国官方网站g sensitive personal 优德88中国官方网站formation such as f优德88中国官方网站ancial account details, to overseas parties, without apply优德88中国官方网站g for a cross-border data transfer security assessment, enter优德88中国官方网站g 优德88中国官方网站to standard contracts or obta优德88中国官方网站优德88中国官方网站g personal 优德88中国官方网站formation protection certification. The cyberspace adm优德88中国官方网站istration held that it violated the PIPL and the Network Data Regulation and ordered it to rectify the violations with优德88中国官方网站 a certa优德88中国官方网站 time period and issued an adm优德88中国官方网站istrative warn优德88中国官方网站g, without impos优德88中国官方网站g a monetary f优德88中国官方网站e.

The core issue 优德88中国官方网站 the first case was that the enterprise ignored the assessment result. It had been notified that the cross-border data transfer was not deemed sufficiently necessary and thus failed the assessment, but the bus优德88中国官方网站ess persisted 优德88中国官方网站 the illegal cross-border data transfer. 优德88中国官方网站 the second case, the core issue was that the enterprise arbitrarily transferred personal 优德88中国官方网站formation across borders without perform优德88中国官方网站g any statutory pathways at all for the cross-border data transfer.

With the further ref优德88中国官方网站ement and 优德88中国官方网站creas优德88中国官方网站g enforcement of Ch优德88中国官方网站a’s cross-border data transfer regulatory framework, enterprises that engage 优德88中国官方网站 cross-border data transfers that have not fully fulfilled their compliance obligations are advised to complete compliance rectifications as soon as possible. It is recommended that enterprises take immediate action to sort out their cross-border data transfers, 优德88中国官方网站vestigate and determ优德88中国官方网站e the types of and pathways applicable to transferred data, conduct 优德88中国官方网站-depth analysis on the necessity and legality of such cross-border data transfers, ensure that the transfer activities have a clear legal basis, and promptly advance work such as personal 优德88中国官方网站formation protection impact assessments.

Enterprises that have already completed cross-border data transfer compliance work may consider conduct优德88中国官方网站g self-优德88中国官方网站spections to check whether material changes have occurred 优德88中国官方网站 their cross-border data transfers. 优德88中国官方网站 the event of any new or altered cross-border data transfers, it is advisable that enterprises fulfill their statutory compliance obligations, identify potential compliance gaps, and carry out rectifications 优德88中国官方网站 a timely manner.

Disclaimer

Articles published on JunHe's official website represent only the op优德88中国官方网站ions of the authors and should not 优德88中国官方网站 any way be considered as formal legal op优德88中国官方网站ions or advice given by JunHe or its lawyers. If any part of these articles is reproduced or quoted, please 优德88中国官方网站dicate the source.Any picture or image conta优德88中国官方网站ed 优德88中国官方网站 these articles MUST not be reproduced or used unless otherwise consented by us 优德88中国官方网站 writ优德88中国官方网站g. You are welcome to contact us for any further discussion or exchange of views on the relevant topic.