top of page

Unlocking the Gates: China’s Recent Policy Shifts on Cross-Border Data Flow and its Implications

  • Blog post by Chi Zhang, Yaxiong Lei, Ruoxi Wang (University of St Andrews)

  • Research Article in Open Access available here


On March 22, 2024, China's Cyberspace Administration issued new rules aimed at facilitating and regulating cross-border data flow. This move is part of a series of ongoing efforts to address the ambiguity surrounding data governance regulations in China. The latest clarification provides much-needed guidance, particularly for foreign companies operating in the country.

The updated rules specify that data collected and generated in activities such as international trade and cross-border transportation will be exempt from declaration requirements if they do not contain personal information or "important data". Such exemption lifts a significant burden for foreign companies, streamlining their compliance processes and reducing regulatory uncertainty.

Previously, in effect, there were uncertainties regarding how multinational companies could reconfigure their information technology systems, which might necessitate seeking guidance from local People’s Republic of China (PRC) councils before carrying out a series of actions, such as exporting data initially collected in China or currently stored there, invest in local infrastructure, adapt their data management protocols, appointing dedicated staff to oversee compliance, among others.

The relaxation of this rule reflects a gradual evolution in data governance practices. Most of the rules and regulations pertaining to data governance have been developed since 2021, setting  key milestones, including the Personal Information Protection Law and the Data Security Law in 2021. In the early stages of regulation development, the legal ambiguity may have been intentional, possibly to provide flexibility for the Chinese government to intervene in cases deemed to pose national security concerns.

In this context, the Measures for Security Assessment of Cross-Border Data Transfers, published in 2022, mandated operators to report to their local cyber security administration and undergo security risk assessments. However, this requirement inevitably imposed significant bureaucratic burdens on both operators and local administrations.

On February 7th, Reuters reported that Shanghai plans to expedite approvals for foreign companies seeking to transfer their local data offshore: this move suggests that there is a substantial backlog of operators awaiting administrative clearance. And according to a Shanghai-based lawyer, less than 10% of the applications were approved. This backlog is not helping China's efforts to attract foreign investors, who have been deterred by bleak economic prospects, further compounded by concerns over the anti-espionage law.

Official media outlet Xinhua recognizes the necessity of optimizing and adjusting the data export system, acknowledging the role of cross-border data flows in global exchanges. Indeed, the unrealistically high barriers have proven unsustainable for Beijing in its pursuit to balance data security with economic growth. On March 27th, President Xi Jinping met with American business, strategic and academic communities to reassure them that China is fostering a "market-oriented, law-based, and world-class business environment". The abovementioned relaxation in data governance is evidently aligned with the message Xi aims to convey.

Despite these seemingly welcoming moves, one aspect that cannot be overlooked is that the motivations and decision-making processes behind these policy shifts remain opaque. Certain offenses, such as 'picking quarrels and provoking trouble' have long been criticized for granting the government excessive discretion. However, calls for reducing such discretion have seldom been seriously entertained. In conclusion, in the case of data governance, the convenient reduction of burdens for foreign companies operating in China may be temporary and strategically aimed at assuaging international concerns. Whether control over data will genuinely be relaxed remains to be seen in the longer run.


bottom of page