It is reported that China's Telecommunications Regulations require all data collected within the country to be stored on Chinese servers. However, the relevant article has not been found in the regulations. Moreover, it is reported that, as a result of this regulation, Hewlett-Packard, Qualcomm, and Uber had to divest more than 50% of their businesses in China to Chinese companies to avoid fines.

The Regulation on Internet Information Services of the People's Republic of China requires that Internet Service Providers (ISPs) keep records of each service user’s time spent online, user account, IP address or domain name, phone number and other information for 60 days and provide that information to the authorised government authorities when required (Art. 14).
In addition, the Decision on Strengthening Network Information Protection requires ISPs to cooperate with the government and provide technical support upon inquiry from the authorised government authorities (Art. 10).

Art. 37 of the Cybersecurity Law requires "key information infrastructure" operators to store personal information and critical data within China. Personal information and critical data can be stored outside of China where there is a genuine need for business; in such cases a "security assessment" needs to be conducted in accordance with procedures formulated by the Cyberspace Administration of China (CAC) in collabouration with other authorities.
Art. 4 of the Outbound Data Transfer Security Assessment Measures, promulgated by the CAC, outlines four situations where a security assessment is necessary before an outbound transfer can take place, which include:
1) Cases where the transfer concerns “important data”, which is broadly defined as data that could endanger national security, economic operation, social stability, public health and safety;
2) Cases the transfer concerns personal data by a critical information infrastructure operator or processor of personal information that processed data for 1 million or more individuals;
3) Cases of transfers concerning personal data by a personal information processor that has made outbound transfers of personal information of 100,000 individuals or sensitive personal information of 10,000 persons in the preceding year;
4) Any other situation where the CAC deems a security assessment necessary.
Art. 8 of the Measures covers the factors the CAC considers when undertaking a security assessment, including:
- The risks that the transfer may entail for national security or public interests, among other policy objectives;
- Legitimacy, necessity and method of transfer;
- Whether the level of data protection in the recipient country meets the requirements of laws in China;
- Sensitivity of the data and risks of being tampered with abroad;
- Agreed safeguard measures between the data processor and data recipient;
- Any other matter that the CAC deems necessary.
In case of unfavourable outcomes, the data handler can ask the CAC for a re-assessment and a final decision. In case of a positive decision, the permission to transfer data abroad is valid for two years, but if substantial changes in the risk factors arise, a new assessment might be needed.

Art. 31 of the Data Security Law provides that the security administration of the cross-border transfer of important data collected and generated by critical information infrastructure operators during their operation in China shall be subject to the provisions of the Cybersecurity Law of the People's Republic of China; the administrative measures for the cross-border transfer of important data collected and generated by other data processors during their operation in China shall be formulated by the national cyberspace administration authority in collabouration with relevant departments of the State Council. In addition, Art. 36 stipulates that the competent authority of China shall process the request for providing any data from a foreign judicial body and law enforcement body in accordance with relevant laws and the international treaty or agreement which China has concluded or acceded to, or under the principle of equality and mutual benefit. Any organization or individual within the territory of China shall not provide any foreign judicial body or law enforcement body with any data stored within the territory of the People's Republic of China without the approval of the competent authority of China.

According to Art. 27 of the Provisional Measures for Administration of Business Activities of Internet Lending Information Intermediaries, the lender and borrower information collected within China shall be stored, processed, and analysed in China. Unless otherwise provided by laws and regulations, online lending information intermediaries shall not provide information on domestic lenders and borrowers overseas.

According to Art. 24 of the Regulation on the Administration of Credit Investigation Industry, credit reporting agencies must organise, preserve, and process consumer or commercial data within China.

According to the Regulation on the Management of Human Genetic Resources, the export of human genetic resources information from China is prohibited unless explicitly approved in accordance with this Regulation. Under Arts. 7, 8, 9, and 10, the provision of human genetic resources to foreign entities must comply with ethical principles, undergo corresponding ethical reviews, and meet the technical standards established by the scientific administrative departments of the State Council. Such actions must not compromise public health, national security, or public interests. The sale of human genetic resources is strictly forbidden. Foreign organisations and individuals, as well as entities directly controlled by them, are prohibited from transferring China’s human genetic resources abroad.
Art. 28 stipulates that, in addition to a record filing, any provision of data to foreign parties or the permission for its use by foreign parties requires submission of a copy of the relevant data to the Office of Human Genetic Resource Administration within the Ministry of Science and Technology. A “security assessment” may also be required if the provision or use of such data could potentially affect China's public health, national security, or public interest. Art. 37 of the Implementation Rules details the categories of human genetic resources information that must undergo a national security review before being transferred or made accessible to foreign parties. Particular attention must be given to the export of genetic resources information, including that related to significant genetic families or populations from specific geographic regions, or exome sequencing and genome sequencing data involving more than 500 human subjects.

Art. 25 of the Law on Guarding State Secrets prohibits the export of carriers containing state secrets. According to Art. 17, such carriers include paper, optical, and electromagnetic media that bear state secrets. This law revises legislation of the same name from 1988, in which Art. 26 prohibited the cross-border transfer of any data containing state secrets.

According to Arts. 11 and 12 of the Provisions on Management of Automotive Data Security (Trial), important data must be stored domestically in compliance with legal requirements. If cross-border data transfer is necessary, security assessments must be conducted in coordination with the Cyberspace Administration of China and other relevant governmental authorities. Furthermore, the Management Provisions stipulate that vehicle data processors who provide important data to foreign entities must adhere strictly to the purpose, scope, method, type, and scale of data as specified in the security assessment. Data categorized as important includes video and image data captured outside of vehicles that contain facial information and personal information pertaining to 100,000 or more identified or identifiable vehicle owners, drivers, passengers, and individuals outside the vehicles.

According to the revised Art. 4 of the Rules for the Implementation of the Law of the People's Republic of China on Foreign-capital Enterprises, sectors in which the establishment of foreign-capital enterprise is forbidden or restricted are determined as per the state guidance for foreign investment orientation and guiding catalogue of industries for foreign development. According to Art. 5, an application for the establishment of foreign-funded enterprises will not be approved under one of the following circumstances: (a) detrimental to the sovereignty of China or the public interest of society; (b) endangering China's national security; (c) violation of Chinese laws and regulations; (d) does not meet the requirements of China's national economic development; (e) may cause environmental pollution; (f) may cause environmental pollution.

Telecom business activities in China are divided into Basic Telecom Services (BTS) and Value-added Telecom Services (VATS). BTS refers to the business of providing public network infrastructure, public data transmission and basic voice communications services. VATS refers to the telecom and information services provided through public network infrastructure. Both BTS and VATS operators require a license. VATS licenses are further divided into single-province licenses and cross-provincial licenses. A BTS licence is valid for five or ten years (depending on the type of telecom service involved), and a VATS licence is valid for five years. Telecom operators must meet the minimum registered capital requirements to be granted licences. For BTS operators, the minimum registered capital is RMB 100 million for single-province providers and RMB 1 billion for nationwide providers. For VATS operators, the minimum registered capital is RMB 1 million for single-province providers and RMB 10 million for nationwide providers. It is also reported that the licensing procedures are opaque and arbitrary. As a result, only a few dozen foreign-invested suppliers have secured VATS licenses, while there are thousands of licensed domestic suppliers.
Additionally, foreign companies must obtain VATS licenses only through a joint-venture company. In this regard, the European Chamber of Commerce in China has complained about the multiple value-added service licenses required, suggesting the approval of one single value-added service license that allows for the provision of multiple VATS.

According to Art. 11-13 of the Provisions on Administration of Foreign-Invested Telecommunications Enterprises, investors seeking to establish foreign-invested telecommunications enterprises—whether for basic telecommunications services or value-added services—must submit a project application report. This report should include the names and basic information of the joint venture parties, the total investment in the business, registered capital, each party's capital proportion, the type of business applied for, and the duration of the joint venture.
Additionally, under Art. 14 of the Provisions, the project proposal and feasibility study report must provide a business forecast, development plan, and an analysis of the return on investment. Furthermore, as stated in Art. 3 of the Implementing Rules of the Law of the People's Republic of China on Foreign Capital Enterprises, the establishment of foreign capital enterprises must contribute to the development of China's national economy and demonstrate the potential for significant economic benefits.

According to Art. 6 of the Interim Provisions of the People's Republic of China on the Management of International Networking of Computer Information Networks, computer information networks for direct international networking must use the international channels provided by the national public telecommunications network of the Ministry of Posts and Telecommunications. No unit or individual may establish or use other channels for international networking on their own. The public security authorities may issue a warning and impose a fine of up to RMB 15,000 (USD 2,200) on anyone who violates this provision. In addition, institutions or individuals are not allowed to use the international network to endanger national security, divulge state secrets, infringe upon national, social, and collective interests and the legitimate rights and interests of citizens, or engage in illegal and criminal activities. Institutions and individuals engaged in international networking services are required to file procedures in designated public security agencies within 30 days of the connection and accept the security supervision, inspection, and guidance of the public security authorities; for those who violate the measures, individuals and institutions can be fined in serious cases. The Provisions on Administrative Law Enforcement Procedures for Internet Information Content Management set out the procedural and administrative processes for the Cyberspace Administration of China to enforce the laws and regulations relating to Internet content.

All foreign companies starting a business in e-commerce activities, including through an e-commerce platform in China, must have a Chinese business license. To acquire a business license in China, foreigners must establish a Wholly Foreign Owned Entity (WFOE).

China has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.