Art. 36 of the Data Security Law stipulates that the competent authority of China shall process the request for providing any data from a foreign judicial body and law enforcement body in accordance with relevant laws and the international treaty or agreement which China has concluded or acceded to, or under the principle of equality and mutual benefit. Any organization or individual within the territory of China shall not provide any foreign judicial body or law enforcement body with any data stored within the territory of the People's Republic of China without the approval of the competent authority of China.

According to Arts. 11 and 12 of the Provisions on Management of Automotive Data Security (Trial), important data must be stored domestically in compliance with legal requirements. If cross-border data transfer is necessary, security assessments must be conducted in coordination with the Cyberspace Administration of China and other relevant governmental authorities. In addition, the Management Provisions stipulate that vehicle data processors who provide important data to foreign entities must adhere strictly to the purpose, scope, method, type, and scale of data as specified in the security assessment. Data categorized as important includes video and image data captured outside of vehicles that contain facial information and personal information pertaining to 100,000 or more identified or identifiable vehicle owners, drivers, passengers, and individuals outside the vehicles.
Under Section 16 of the "Notice on Strengthening Internet of Vehicle (IoV) Cybersecurity and Data Security," manufacturers of Intelligent Connected Vehicles and operators of IoV service platforms are required to conduct a security assessment for cross-border data transfers if they intend to provide important data abroad.

Under Art. 21 of the "Measures for Data Security Management in the Fields of Industry and Information Technology," key data and core data generated and collected by data handlers in the fields of industry and information technology within the territory of China must be stored in China. Should the data need to be transferred abroad, a data cross-border transfer security assessment must be conducted in accordance with relevant laws and regulations. Without the approval of the Ministry of Industry and Information Technology, data handlers in the fields of industry and information technology are prohibited from providing foreign industrial, telecommunication, and radio law enforcement agencies with data in these fields that is stored within the territory of China.

Section 4.2 of "Data Security Requirements for Academic and Technological Service Platforms" stipulates that, when operators of academic and scientific service platforms undertake data storage activities, they must adhere to the requirement that any non-public academic or scientific data collected or generated within the national territory shall be stored domestically.

Art. 10 of the Measures for the Administration of Electronic Banking Business stipulates that Chinese-funded banking financial institutions must ensure that their electronic banking operation systems and business processing servers are established within the territory of the People’s Republic of China, whereas foreign-funded financial institutions may deploy such systems either domestically or abroad, provided that, when located outside China, they maintain facilities within the country capable of recording and preserving transaction data, satisfying on-site inspection requirements of financial regulators, and enabling compliance with judicial investigations in the event of legal disputes.

Art. 26 of the "Administrative Measures for the Online Payment Business of Non-Banking Payment Institutions" requires payment institutions to maintain secure and standardised online payment processing systems and their backup systems within the territory of China, supported by contingency plans to ensure operational continuity. It further provides that services for domestic transactions must be processed through these domestic systems and that the settlement of funds must also occur within China.

Arts. 8 and 9 of the Online Publishing Service Management Rules mandate that the servers and storage equipment of online publishers must be situated within the borders of China.

According to Section 13 of the Guiding Opinions on Encouraging and Regulating the Development of Internet Rental Bicycles, companies offering internet-based bicycle rental services are required to establish domestic servers and store operational data collected within China.

Art. 13 of the "Interim Measures for Data Security Management of Accounting Firms" mandates that audit working papers produced by accounting firms must be stored within the territory of the People's Republic of China, in accordance with relevant regulations. Encryption devices are required to be installed domestically, managed and maintained by local teams, with encryption keys likewise retained within national borders. Pursuant to Art. 19, any transfer of audit working papers abroad must receive prior approval, and accounting firms are obliged to establish a tiered review mechanism governing such exports, alongside implementing comprehensive responsibilities for data security management and control. In addition, in accordance with Art. 14, accounting firms must establish a data backup system to ensure the continued access, retrieval, and use of relevant audit working papers in the event of disruption or restriction to audit-related application systems due to external technical factors.

Section 9.2.i of the "Amendment to the Information Security Technology – Personal Information Security Specification" provides that where personal biometric information must not be shared or transferred unless actually essential for business needs, in which case the personal information subject must be separately informed of the purpose, types of biometrics involved, identification of the recipient and its data security capacity and the personal information subject consent must be explicitly obtained.

Under Art. 40 of the Personal Information Protection Law (PIPL), personal information handlers who process personal data exceeding the thresholds stipulated by regulatory authorities, as well as operators of critical information infrastructure, are required to store the personal information they collect and generate within the territory of China. If it is genuinely necessary for a personal information handler to transfer personal information abroad, specific regulatory requirements must be satisfied. In accordance with Art. 38 of the PIPL and Arts. 7 and 8 of the Provisions on Promoting and Regulating the Cross-Border Flow of Data, personal information handlers seeking to provide or transfer personal data outside of China must meet one of the following conditions:
1. Obtain approval through a security assessment conducted by the Cyberspace Administration of China (CAC), applicable if any of the following criteria are met: the handler is a critical information infrastructure operator; the handler (not classified as a critical information infrastructure operator) has, since 1 January of the current year, cumulatively provided the personal information of 1,000,000 individuals or sensitive personal information of 10,000 individuals to overseas recipients; the handler seeks to transfer personal information classified as important data or otherwise containing important data outside China.
2. Satisfy requirements through either of the following mechanisms: enter into the standard contract formulated by the CAC with the overseas data recipient; or obtain personal information protection certification from professional institutions in accordance with CAC rules. This applies when the handler is not a critical information infrastructure operator; or intends to transfer non-sensitive personal information of more than 100,000 but less than 1,000,000 individuals, or sensitive personal information of fewer than 10,000 individuals, on a cumulative basis, since 1 January of the current year.
Notwithstanding the above requirements, the outbound transfer of personal information, excluding important data, is exempt from these provisions under Arts. 3, 4, and 5 of the Provisions if the transfer arises from the following circumstances:
- International trade, cross-border transportation, academic collaboration, transnational manufacturing, marketing, or similar activities that do not involve personal or important data.
- Exporting personal information collected or generated outside China and then processed in China, provided no domestic personal information collected within China is included.
- Transfers necessary for the performance of contracts involving the data subject, such as cross-border shopping, payments, travel bookings, visa applications, or similar services.
- Employee-related data transfers for implementing human resources management under employment policies or collective labour agreements.
- Transfers required to protect the life, health, or property security of individuals in emergencies.
- Transfers involving non-sensitive personal information of fewer than 100,000 individuals on a cumulative basis by handlers who are not critical information infrastructure operators since 1 January of the current year.
Additionally, Arts. 38, 39, 41, 53, and 55 of the PIPL impose further obligations on personal information handlers seeking to transfer personal data outside China, including:
- Demonstrating a legitimate business or operational need for the cross-border transfer.
- Implementing measures to ensure that overseas recipients process the data in compliance with the protection standards set out in the PIPL.
- Providing adequate prior notification to individuals and obtaining their explicit consent.
- Securing approval from the relevant Chinese authorities for transfers to foreign judicial or law enforcement agencies.
- Establishing local representatives or agencies within China for overseas recipients who do not have a local entity and are classified as personal information handlers outside Mainland China.
- Conducting a personal information protection impact assessment before initiating a cross-border transfer.

Art. 5.4.5. of the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems prohibit the transfer of personal data abroad without the express consent of the data subject, government permission or explicit regulatory approval "absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities". If these conditions are not fulfilled, "the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organisations and institutions registered overseas." Although the Guidelines are a voluntary technical document, they might serve as a regulatory basis for judicial authorities and lawmakers.

China has not joined any agreement with binding commitments to open transfers of data across borders. Art. 12.15 of the Regional Comprehensive Economic Partnership (RCEP) recognises that each party may maintain its own regulatory requirements governing cross‑border transfers of information by electronic means and stipulates that such transfers shall not be restricted when undertaken for the conduct of business by a covered person; however, the article simultaneously allows parties to adopt or maintain any measures they themselves deem necessary to achieve a legitimate public policy objective, as well as any measures necessary to protect essential security interests, with the parties expressly affirming that the determination of such necessity lies solely with the implementing party and that such measures shall not be subject to dispute. It is reported that this formulation enables China to preserve its domestic data‑control regime under the rubric of national security without risking inter‑state disputes, and that the relative weakness of Chapter 12 renders its provisions largely ineffectual in facilitating the liberalisation of cross‑border data flows, particularly because the clause entrusting necessity assessments to the implementing party effectively permits any measure to be characterised as legitimate at that party’s discretion.

The Personal Information Protection Law provides a comprehensive regime of data protection in China.

Art. 6 of the "Administrative Provisions on Foreign‑funded Telecommunications Enterprises" stipulates that, unless otherwise prescribed by the State, the aggregate equity held by foreign investor(s) in a foreign‑funded telecommunications enterprise engaged in basic telecommunications services, excluding radio paging services, may not ultimately exceed 49%, and the "Classification Catalogue of Telecommunications Services" identifies all categories of basic telecommunications services that fall within the scope of this restriction.