Under Art. 55 of the Personal Information Protection Law, a personal information handler must conduct a personal information protection impact assessment prior to: processing sensitive personal information; using personal information in automated decision-making; engaging an entrusted party to process personal information on the personal information handler's behalf; providing personal information to another personal information handler; disclosing personal information to the public; transferring personal information outside of China; or any processing activity that will have a material impact on the personal rights and interests of an individual. The personal information protection impact assessment must specify: whether the purpose(s) and method(s) of processing are lawful, legitimate, and necessary; the impact of the processing on individuals' rights and interests, and the level of risk involved; and whether the protective measures undertaken are lawful, effective, and commensurate to the degree of such risk.

The 2020 Personal Information Security Specification provides that personal information controllers shall appoint a person and a department responsible for personal information (PI) protection. The person responsible for PI protection must have relevant management experience and personal information protection expertise, participate in important decisions on personal information processing activities, and report directly to the principal of the organization.

Art. 21 of the Cybersecurity Law requires network operators to appoint persons in charge of cybersecurity. Critical information infrastructure operators (CIIO) are also required to set up specialised security management bodies and persons responsible for security management. Further, CIIO's must conduct security background checks on those responsible persons and personnel in critical positions.

Art. 35 of the Data Security Law stipulates that where public security or national security authorities need to consult any data in order to safeguard national security or investigate a crime, the relevant organizations and individuals must provide such data. The same article stipulates that before getting access to the data held by private organizations, public security or national security authorities must go through strict approval formalities in advance.

The Counter-espionage Law of the People's Republic of China permits security authorities to inspect the baggage, electronic devices and facilities of individuals suspected of espionage and obliges logistics and telecommunications companies in China to provide “technical support” to fight espionage (Art. 41). It is reported that the Law’s broad definition of agents may offer an avenue to justify gathering data from foreign firms and their employees while they conduct business in China. This could reportedly give the Chinese authorities access to sensitive company data or trade secrets under the guise of preventing foreign cyber espionage.

According to Section 13 of the Guiding Opinions on Encouraging and Regulating the Development of Internet Rental Bicycles, companies offering internet-based bicycle rental services are required to establish domestic servers and store operational data collected within China.

Arts. 8 and 9 of the Online Publishing Service Management Rules mandate that the servers and storage equipment of online publishers must be situated within the borders of China.

Art. 40 of the Personal Information Protection Law provides that critical information infrastructure operators and personal information processors handling personal information must store personal information collected and produced within the borders of China. Where such information needs to be provided abroad, they shall pass a security assessment organised by the National Cyberspace Department. Also, according to Art. 38, the processors of personal information must apply one of the conditions to provide information outside of the PRC: passing the security assessment organised by the National Cyberspace Department; obtaining personal information protection certification from the relevant specialised institution according to the provisions issued by the national cyberspace department; concluding a contract stipulating both parties' rights and obligations with the overseas recipient following the standard contract formulated by the national cyberspace department; and meeting other conditions set forth by laws and administrative regulations and by the national cyberspace department.
Where a processor of personal information provides personal information outside the People's Republic of China, it is required to inform the individual of the name or names of the overseas recipient, the contact information, the purpose of processing, the manner of processing, the type of personal information, as well as the manner and procedure for the individual to exercise his or her rights under this Law with the overseas recipient, and obtain the individual's consent (Art. 39). Personal information processors shall not provide personal information stored in the People's Republic of China to foreign judicial or law enforcement agencies without the approval of the competent authorities of the People's Republic of China (Art. 41).

Art. 5.4.5. of the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems prohibit the transfer of personal data abroad without the express consent of the data subject, government permission or explicit regulatory approval "absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities". If these conditions are not fulfilled, "the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organisations and institutions registered overseas." Although the Guidelines are a voluntary technical document, they might serve as a regulatory basis for judicial authorities and lawmakers.

Section 9.2.i of the 2020 Specification provides that where personal biometric information must not be shared or transferred unless actually essential for business needs, in which case the personal information subject must be separately informed of the purpose, types of biometrics involved, identification of the recipient and its data security capacity and the personal information subject consent must be explicitly obtained.

China instituted a licensing system for online taxi companies, which requires that personal information and business data should be stored and used in mainland China and must not be transferred outside of China (Art. 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services). Such information should be retained for two years, except when otherwise required by other laws and regulations. The Measurement also states that taxi companies' servers should be set up in Mainland China, with a network security management system and technical measures for security protection in compliance with regulations (Art. 5.2).

China has not joined any agreement with binding commitments on data flows.

According to Art. 34 of Map Management Regulations, online maps are required to set up their server inside the country and acquire an official certificate.

The Personal Information Protection Law (PIPL) is China's comprehensive data protection law and governs personal information processing activities carried out by entities or individuals within China. The PIPL introduces several important concepts, such as personal information, sensitive personal information, and processing.

It is reported that China's Telecommunications Regulations require all data collected within the country to be stored on Chinese servers. However, the relevant article has not been found in the regulations. Moreover, it is reported that, as a result of this regulation, Hewlett-Packard, Qualcomm, and Uber had to divest more than 50% of their businesses in China to Chinese companies to avoid fines.