China’s Cyberspace Administration released updated cross‑border data transfer rules and application guidance in early 2025 to clarify security assessments under the Data Security Law and PIPL. Security assessments are now required only when transferring “important data,” sensitive personal info for over 10,000 individuals, or personal info of over one million people. Validity of approved assessments has been extended to three years. Exemptions apply in FTZs with negative data lists. As of March 2025, CAC reviewed 298 assessments, approving about 84 percent, including many for important data.
