Outbound Data Transfer from China: Implications for National Security and Foreign Businesses

With the rapid growth of the digital economy and the increasing demand for global data governance in recent years, China is emerging as a major data power, expected to hold nearly one-third of the world's data by 2025. In this context, outbound data transfers are becoming more and more prevalent, intensifying concerns over national security, attiring the government and policymakers’ attention. In fact, while data transfers are an essential component of global trade and digital integration, they also present significant security concerns, particularly in the realm of China’s Holistic View of National Security. In the last decades, China has intensified its efforts to regulate outbound data flows, balancing economic progress and innovation with national security imperatives. This dissertation explores the implications of outbound data transfers on China’s national security, emphasizing compliance strategies for foreign businesses operating within the Chinese regulatory framework. The research is structured around three key research questions: whether and to what extent cross-border data transfer (CBDT) may pose threats to China’s national security, and what compliance measures foreign businesses should adopt for conducting lawful outbound data transfers. The study begins with a focus on China’s evolving national security conception and provides an in-depth analysis of the Chinese current legal framework in this respect. Next, it illustrates the perception of outbound data transfers as a potential risk to national security, particularly concerning data sovereignty, cybersecurity and espionage. This research includes the classification of data under the Chinese classification framework, distinguishing between personal information, important data and critical data, while addressing the complexities surrounding data categorization. Subsequent chapters focus on the regulatory implications for foreign companies, with an analysis of the Regulations on Promoting and Regulating Cross-Border Data Flows (2024) and the more flexible regulatory environment in Free Trade Pilot Zones and Special Administrative Regions. The final chapter presents a detailed examination of China’s three-pronged regulatory approach to outbound data flows, namely security assessment, standard contract, and personal information protection certification, offering practical compliance guidelines for foreign entities. By providing a comprehensive analysis of China’s Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information Protection Law (PIPL), and relevant regulations, this dissertation provides a state-of-the-art overview of the Chinese context of Cross-Border Data Flows, delivering a critical assessment of China’s evolving framework. It serves as a practical guide for foreign businesses seeking to navigate the complexities of Chinese data regulations while ensuring compliance and operational viability.