Reviewing China’s Data Security and Important Data Regime
By Kenneth Zhou, Ziquan Gao and Yuxin Zhao
As China’s data security framework matures, enforcement is catching up fast. Attorneys Kenneth Zhou, Ziquan Gao and Yuxin Zhao of JunHe LLP — an AmCham China member firm — provide an overview of the key regulatory developments in 2025 that multinationals operating in China need to know as they plan for the year ahead.

Amendments to the Cybersecurity Law
Since its implementation on June 1, 2017, the Cybersecurity Law (CSL) has served as the foundation of China’s cybersecurity regime. On October 28, 2025, the Standing Committee of the 14th National People’s Congress adopted the Decision on Amending the Cybersecurity Law, which took effect on January 1, 2026.
The Amendments reflect the realities of a rapidly changing technological landscape. A new article dedicated to artificial intelligence governance recognizes the importance of foundational research and core algorithmic capabilities, promotes AI-related infrastructure development, and elevates training data to a key regulatory concern. Regulators have already begun implementing supervisory mechanisms for AI technologies, including algorithmic security assessments, filing requirements for generative AI models, and mandatory labelling of AI-generated content.
Broader changes align the CSL more closely with the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), reinforce cybersecurity responsibilities for Critical Information Infrastructure Operators (CIIOs) — including stricter procurement oversight and supply chain security — and significantly raise the penalty ceiling, with maximum fines reaching RMB 10 million for business entities. Perhaps most notably, the revised law expands the extraterritorial reach of the CSL: liability now attaches to any activity that endangers China’s cybersecurity, a lower bar than the previous standard and one that foreign entities should not underestimate.
Outbound Data Transfer
In May 2025, the Cyberspace Administration of China (CAC) published Q&As aimed at helping data handlers navigate cross-border data transfers more efficiently. The guidance offers some practical relief. On the identification and filing of Important Data, the CAC confirmed that where no sector-specific standards or filing rules have been issued and the handler has not been formally notified by competent authorities, a failure to identify or file Important Data will not, on that basis alone, trigger administrative penalties.
On cross-border transfers, the CAC clarified that Important Data collected or generated in China must pass a CAC-organized data export security assessment before being sent overseas. That said, handlers who have not been notified and whose data has not been publicly designated as Important Data are generally not required to apply for a security assessment on that basis — and the transfer will not be treated as an illegal export of Important Data. The relief is limited to the Important Data ground: other triggers for a security assessment, such as CIIO status or the volume of personal information being exported, continue to apply and must be checked separately.
Regulations on Network Data Security
The Regulations on the Administration of Network Data Security, which took effect on January 1, 2025, operationalize key obligations under the CSL, DSL, and PIPL. Their reach is broad: they apply to data processing activities within the PRC as well as to certain offshore activities that harm (or may harm) PRC national security, the public interest, or the lawful rights and interests of PRC individuals.
The practical compliance burden is substantial. Handlers must maintain incident response plans, document the purpose, method, and scope of any sharing or entrusted processing of personal information or Important Data through formal contracts (with records retained for at least three years), and conduct mandatory risk self-assessments before sharing Important Data with third parties. Handlers who process the personal information of more than 10 million individuals in China are also drawn into additional compliance obligations similar to those imposed on Important Data handlers — a threshold that a wide range of consumer-facing businesses may quietly exceed.
Notable Developments
Several further developments round out the 2025 picture. In the industrial sector, three new standards establish a full-chain framework for the identification, protection, and risk assessment of Important Data across 20 industries. For M&A transactions, Important Data handlers undergoing mergers or dissolution must now report disposal plans to competent authorities, and data compliance due diligence has become an indispensable part of deal preparation. On cross-border financial data, China’s central bank and several regulators jointly issued guidance cataloguing 108 common financial business scenarios to streamline compliance reviews. On cybersecurity incident reporting, new rules require network operators to classify incidents by severity and report major incidents to the CAC — in some cases within one hour.
Enforcement in Focus
The most telling signal of 2025 may be the enforcement record. Cross-border data regulation is no longer a theoretical concern.
In May 2025, French fashion brand Dior suffered a data breach affecting users in mainland China. The public security authorities launched an administrative investigation and found that Dior (Shanghai) had transferred personal information to its headquarters in France without completing the applicable cross-border transfer compliance mechanism, had failed to provide adequate notice to individuals, and had not implemented adequate security safeguards, including encryption. Administrative penalties followed — making this China’s first publicly reported penalty for the unlawful cross-border transfer of personal information, and a case widely cited as a model enforcement matter.
In a separate matter in Guiyang in September 2025, local CAC offices investigated a company over suspected abnormal cross-border data transmission. Authorities found that the company had enabled a cloud data synchronization function on equipment connected to the public internet via a public IP address, creating unauthorized outbound data flows — a basic but costly oversight, and one that a routine review of internet-facing equipment and its outbound connections would have surfaced before a regulator did. An administrative warning was issued and rectification ordered.
Taken together, these developments paint a clear picture: China’s data security framework is maturing fast, and enforcement is following. Multinationals should focus on three priorities. First, prepare for regulatory scrutiny in the event of any leakage of a large volume of personal information, including by identifying and closing basic security gaps. Second, exercise caution around Important Data — particularly in dealings with government agencies or state-owned enterprises — and monitor Important Data catalogues as they are issued. Third, reassess whether existing cross-border data transfer arrangements comply with current requirements, including whether a CAC security assessment or standard contract filing is now required.
Proactive legal assessments and timely policy adjustments will be essential for maintaining alignment with China’s developing data regulations.
For more information, visit www.junhe.com or WeChat account “君合法律评论”.

This article is from the AmCham China Quarterly Magazine (Issue 1, 2026).
