CHINA

Since April 2001, amended in 2011, 2016, and 2019

Pillar Domestic data policies  |  Sub-pillar Minimum period for data retention
Internet Surfing Service Business Venue Management Rules 《互联网上网服务营业场所管理办法》
The Internet Surfing Service Business Venue Management Rules apply to commercial venues that provide internet surfing services to the public through computers connected to the internet. Internet surfing service businesses are required to record users' authentic ID information and relevant surfing information, back up those records, preserve them for 60 days and provide them to the relevant government departments that make inquiries according to the law.
Coverage Internet surfing services

CHINA

Since June 2016
Entry into force in August 2016

Pillar Domestic data policies  |  Sub-pillar Minimum period for data retention
Administrative Provisions on Information Services of Mobile Internet Application Programs 《移动互联网应用程序的信息服务管理规定》
Under the Provisions, mobile Internet application providers must, in accordance with the "real name in the background, voluntary in the front" principle, authenticate registered users' real identity on the basis of cell phone numbers or other real identity information, record user log information and retain it for 60 days (Art. 7).
Coverage Internet app providers and mobile Internet app stores

CHINA

Since November 2016, amended in 2020

Pillar Domestic data policies  |  Sub-pillar Minimum period for data retention
Interim Regulations for the Management of Network Appoint Taxi Services Operations 《网络预约出租车服务运营管理暂行办法》
China instituted a licensing system for online taxi companies which requires them to host user data and business data generated by the service on Chinese servers for at least two years; such information and data shall not be exported unless otherwise provided by laws and regulations.
Coverage Online taxi companies

CHINA

Since September 2000
Since December 2012

Pillar Domestic data policies  |  Sub-pillar Minimum period for data retention
Regulation on Internet Information Services of the People's Republic of China 《互联网信息服务管理办法》

Decision on Strengthening Network Information Protection 《关于加强网络信息保护的决定》
The Regulation on Internet Information Services of the People's Republic of China requires that Internet Service Providers (ISPs) keep records of each service user's time spent online, user account, IP address or domain name, phone number and other information for 60 days and provide that information to the authorized government authorities when required (Art. 14).
In addition, the Decision on Strengthening Network Information Protection requires ISPs to cooperate with the government and provide technical support upon inquiry from the authorized government authorities (Art. 10).
Coverage Internet Service Providers

CHINA

Since August 2021, entry into force in November 2021

Pillar Domestic data policies  |  Sub-pillar Framework for data protection
Personal Information Protection Law《个人信息保护法》
The Personal Information Protection Law (PIPL) is China's comprehensive data protection law and governs personal information processing activities carried out by entities or individuals within China. The PIPL introduces several important concepts, such as personal information, sensitive personal information, and processing. It explicitly stipulates its exterritorial jurisdiction, and provides the traditional elements for data protection, such as principles of personal information processing, consent and non-consent grounds for processing, cross-border transfer mechanisms, and rights of data subjects.
Coverage Horizontal

CHINA

Since October 2020

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) 《信息安全技术-个人信息安全规范》(GB/T 35273-2020)修正案
The 2020 Specification provides that personal biometric information must not be shared or transferred unless genuinely essential for business needs, in which case the personal information subject must be separately informed of the purpose, the types of biometrics involved, and the identity and data security capacity of the recipient, and the subject's explicit consent must be obtained (9.2.i).
Coverage Horizontal

CHINA

N/A

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
China has not joined any agreement with binding commitments on data flows.
Coverage Horizontal

CHINA

Since November 2012, entry into force in February 2013

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems 《公共及商用服务信息系统个人信息保护指南》
Article 5.4.5 of the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems prohibits the transfer of personal data abroad "absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities". If these conditions are not fulfilled, "the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organizations and institutions registered overseas."

Although the Guidelines are a voluntary technical document, they might serve as a regulatory basis for judicial authorities and lawmakers.
Coverage Public and Commercial Services Information Systems

CHINA

Since November 2021

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Personal Information Protection Law《个人信息保护法》
The Personal Information Protection Law (Art. 40) provides that critical information infrastructure operators and personal information processors handling personal information must store personal information collected and produced within the borders of China. Where such information needs to be provided abroad, they shall pass a security assessment organized by the national cyberspace department. Also, according to Art. 38, a processor of personal information must satisfy one of the following conditions to provide information outside the PRC: passing the security assessment organized by the national cyberspace department in accordance with Art. 40 of this Law; obtaining personal information protection certification from the relevant specialized institution according to the provisions issued by the national cyberspace department; concluding a contract stipulating both parties' rights and obligations with the overseas recipient in accordance with the standard contract formulated by the national cyberspace department; or meeting other conditions set forth by laws and administrative regulations and by the national cyberspace department.
Where a processor of personal information provides personal information outside the People's Republic of China, it is required to inform the individual of the name or names of the overseas recipient, the contact information, the purpose of processing, the manner of processing, the type of personal information, as well as the manner and procedure for the individual to exercise his or her rights under this Law with the overseas recipient, and obtain the individual's individual consent (Art. 39). Personal information processors shall not provide personal information stored in the People's Republic of China to foreign judicial or law enforcement agencies without the approval of the competent authorities of the People's Republic of China (Art. 41).
Coverage Horizontal

CHINA

Since November 2016, entry into force in June 2017
Since July 2022, entry into force in September 2022

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Cybersecurity Law《中华人民共和国网络安全法》

Outbound Data Transfer Security Assessment Measures《数据出境安全评估办法》
Art. 37 of the Cybersecurity Law requires "key information infrastructure" operators to store personal information and critical data within China. Personal information and critical data can be stored outside of China where there is a genuine need for business; in such case a "security assessment" needs to be conducted in accordance with procedures formulated by the Cyberspace Administration of China (CAC) in collaboration with other authorities.
Art. 4 of the Outbound Data Transfer Security Assessment Measures, promulgated by the CAC, outlines four situations where a security assessment is necessary before an outbound transfer can take place: 1) where the transfer concerns "important data", broadly defined as data that could endanger national security, economic operation, social stability, or public health and safety; 2) where the transfer concerns personal data by a critical information infrastructure operator or by a personal information processor that processes the personal information of 1 million or more individuals; 3) where the transfer concerns personal data by a personal information processor that has made outbound transfers of the personal information of 100,000 individuals or the sensitive personal information of 10,000 persons in the preceding year; 4) lastly, other situations in which the CAC requires a security assessment, which are not further defined.
Art. 8 of the Measures covers the factors that the CAC will take into account when undertaking a security assessment. The assessment includes a wide range of aspects, for example:
- The risks that the transfer may entail for national security or public interests, among other policy objectives;
- Legitimacy, necessity and method of transfer;
- Whether the level of data protection in the recipient country meets the requirements of laws in China;
- Sensitivity of the data and risks of being tampered with abroad;
- Agreed safeguard measures between the data processor and data recipient;
- Any other matter that the CAC deems necessary.
In case of unfavourable outcomes, the data handler can ask the CAC for a re-assessment with a final decision. In case of a positive decision, the permission to transfer data abroad is valid for two years but if substantial changes in the risk factors arise, a new assessment might be needed.
Coverage Key information infrastructure operators

CHINA

Since December 2015, in force since January 2016

CHINA

Since September 2000, last amended in February 2016

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Telecommunications Regulations of the People's Republic of China 《中华人民共和国电信条例》
China's Telecommunications Regulations require all data collected inside China to be stored on Chinese servers. It is reported that as a result of this regulation, Hewlett Packard, Qualcomm, and Uber were required to divest more than 50% of their businesses in China to Chinese companies, to avoid fines.
Coverage Telecommunication services and cloud services

CHINA

Since May 2014

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Administrative Measures for Population Health Information (For Trial Implementation) 《人口健康信息的管理措施(试行)》
Population health information needs to be stored and processed within China. In addition, storage is not allowed overseas (Art. 10).
Coverage Health sector

CHINA

Since July 2016, in force since November 2016

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Interim Measures for the Administration of Online Taxi Booking Business Operations and Services 《网络预约出租汽车经营服务管理暂行办法》
China instituted a licensing system for online taxi companies which requires that personal information and business data be stored and used in mainland China and not be transferred outside of China (Art. 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services). Such information should be retained for two years, except when otherwise required by other laws and regulations. The Measures also require that the servers of taxi companies be set up in mainland China, with a network security management system and technical measures for security protection in compliance with regulations (Art. 5.2).
Coverage Online taxi sector

CHINA

Since January 2011, entry into force in May 2011
Since February 2020

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Yinfa No. 17 [2011], Notice of the People's Bank of China on Protecting Personal Financial Information by Banking Financial Institutions 《人民银行关于银行业金融机构做好个人金融信息保护工作的通知》

Personal Financial Information Protection Technical Specification 《个人金融信息保护技术规范》
The "Notice of the People's Bank of China on Protecting Personal Financial Information by Banking Financial Institutions" states that the processing of personal information collected by commercial banks must be stored, handled and analysed within the territory of China and such personal information is not allowed to be transferred overseas (paragraph 6).
The Personal Financial Information Protection Technical Specification (PFI Specification) regulates "any personal information collected, processed and stored by Financial Institutions during the provision of financial products and services" (PFI). The PFI Specification requires that PFI collected or generated in mainland China is stored, processed and analysed within the territory. Further, under the PFI Specification, cross-border transfer of PFI is permitted only where there is a business need for the transfer and the financial institution obtains explicit consent to the transfer from the personal financial information subjects (i.e. the persons providing the data under the PFI Specification), conducts a security assessment, and then supervises the offshore recipient to ensure responsible processing, storage and deletion of the PFI (Section 7.1.3).
Coverage Financial sector
