China has established a rather unique cross-border data transfer regulatory regime in the year of 2022 and 2023 after the key law – the Personal Information Protection Law became effective in 2021. Such regulatory regime consists of three formalities, i.e. the security assessment for cross-border data transfer; the standard contact filing for the export of personal information and the personal information protection certification.

In the year of 2024, this regulatory regime has further evolved significantly:

1. The Cyberspace Administration of China ("CAC") together with the Hong Kong and Macao government authorities issued the Guidelines on the Implementation of the Standard Contract for the Cross-Border Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (the "New GBA Rules") respectively (in December 2023 and September 2024). The New GBA Rules are intended to facilitate cross-border personal information flows within the Guangdong-Hong Kong-Macao Greater Bay Area.
2. On March 22, 2024, CAC issued the long-waited Provisions on Facilitating and Standardizing Cross-Border Data Flow (“New CBDT Rules”), which took effect from the same date. The New CBDT Rules significantly relaxed cross-border transfer of data outside of China by adjusting the thresholds triggering the applicable regulatory formalities and introducing various exemptions from the regulatory formalities.
3. Pursuant to the New CBDT Rules, authorities in various free trade zones (“FTZ”) in China have been empowered to issue their respective negative lists to further ease the cross-border data transfer activities within the national framework of data classification and grading. Hence, following the release of the New CBDT Rules, FTZs in Tianjing and Beijing released their respective negative lists in May and August 2024.

In addition, nearly three years after the initial draft was issued, the Regulations on Administration of Network Data Security (“Network Data Security Regulations”) were finalized and released on 20 August 2024 and became effective on 1 January 2025. The Network Data Security Regulations provide more detailed and certain additional requirements concerning network data protection.