Pursuant to Art. 28 of the ¨Banking Financial Institutions Anti-Money Laundering and Counter-Terrorist Financing Management Measures¨, banking and financial institutions are prohibited from transmitting customer identification information and transaction data obtained in the course of fulfilling anti-money laundering and counter-terrorist financing obligations to entities outside the country, except where such transmission is authorised by applicable laws and administrative regulations.

It is reported that the government holds equity stakes in several telecommunications enterprises. In particular, state ownership represents 75.15% of shares in China Telecom, 70.42% in China Mobile, 51.7% in China Unicom, and 100% in China Broadnet.

It is reported that China does not mandate functional or accounting separation for operators with significant market power (SMP) in the telecom market.

Pursuant to Art. 7 of the Telecommunications Regulations, the State is required to implement a licensing regime for telecommunications enterprises in accordance with the categorisation of telecommunications services, which, as set out in the Appendix to the Regulations, includes basic telecommunications services. Art. 5.6 of the Administrative Measures on Telecommunications Business Permits further provides that the minimum registered capital for an operator conducting business within a single province, autonomous region, or centrally administered municipality is RMB 100 million (approx. USD 14.5 million), whereas operators providing services nationwide or across multiple such jurisdictions must have a minimum registered capital of RMB 1 billion (approx. USD 145 million). Under Art. 8 of the Telecommunications Regulations, basic telecommunications services are defined as the provision of public network infrastructure, public data transmission services, and basic voice communication services. It is reported that China’s restrictions on basic telecommunications services, including for example the imposition of very high capital requirements, have hindered foreign suppliers from entering the country’s basic telecommunications market.

Arts. 8 and 9 of the "Provisional Regulation of the People’s Republic of China for the Administration of International Networking of Computer Information Networks" require access entities to obtain a licence prior to engaging in either operational or non-operational activities involving international networking, which, under Art. 3, is defined as the connection of domestic computer information networks with foreign networks for the purpose of international information exchange. Art. 6 additionally mandates that any computer information network directly engaging in international networking must rely solely on the international inbound and outbound channels provided by the national public telecommunications network; no entity or individual is permitted to establish independent channels or to utilise any alternative channels for international connectivity.

China has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

The Ministry of Industry and Information Technology (MIIT) acts as the telecommunications authority in the country, and therefore, there is no independence from the government in its decision-making process.

The "Notice of the People's Bank of China on Protecting Personal Financial Information by Banking Financial Institutions" states that the processing of personal information collected by commercial banks must be stored, handled and analysed within the territory of China, and such personal information is not allowed to be transferred overseas (paragraph 6).
The Personal Financial Information Protection Technical Specification (PFI Specification) regulates “any personal information collected, processed and stored by Financial Institutions during the provision of financial products and services" (PFI). The PFI specification requires that PFI collected or generated in mainland China is stored, processed and analysed within the territory. Further, under the PFI Specification, where there is a business need for cross-border transfer of personal financial information (PFI) and the financial institution obtains explicit consent to the transfer from the personal financial information subjects (i.e. the persons under the PFI Specification providing the data), conducts a security assessment and then supervises the offshore recipient to ensure responsible processing, storage and deletion of PFI (Section 7.1.3).

According to Art. 24 of the ¨Regulation on the Administration of the Credit Investigation Industry¨, credit investigation institutions are required to organise, store, and process consumer and commercial data exclusively within the territory of the People’s Republic of China. Similarly, Art. 39 of the ¨Measures for the Administration of Credit Reporting Services¨ mandates that credit investigation agencies engaging in credit investigation activities within China must retain the credit information they collect within national borders.

According to Art. 10 of the "Measures for the Administration of Population Health Information (Trial)", population health information must not be stored on overseas servers. These measures apply to the processing of population health information by medical, health, and family planning services. In addition, Art. 30 of the "Administrative Measures on Standards, Security, and Services of National Healthcare Big Data" stipulates that health and medical data generated within the territory of China must be stored on a secure and reliable server within China. If it is necessary to provide this data overseas due to business requirements, it will be subject to a security assessment and review in accordance with relevant laws and regulations.

According to Art. 34 of Map Management Regulations, online maps are required to set up their server inside the country and acquire an official certificate.

According to Art. 27 of the Provisional Measures for Administration of Business Activities of Internet Lending Information Intermediaries, the lender and borrower information collected within China shall be stored, processed, and analysed in China. Unless otherwise provided by laws and regulations, online lending information intermediaries shall not provide information on domestic lenders and borrowers overseas.

China instituted a licensing system for online taxi companies, which requires that personal information and business data should be stored and used in mainland China and must not be transferred outside of China (Art. 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services). Such information should be retained for two years, except when otherwise required by other laws and regulations. The Measurement also states that taxi companies' servers should be set up in Mainland China, with a network security management system and technical measures for security protection in compliance with regulations (Art. 5.2).

Art. 39 of the Cybersecurity Law requires that personal information and important data collected or generated by operators of critical information infrastructure within mainland China be stored domestically, and allows their transfer abroad only when genuinely necessary for business purposes and subject to a security assessment conducted in accordance with measures issued jointly by the national cybersecurity and informatization authority and relevant State Council departments, unless other laws provide otherwise. Art. 33 defines critical information infrastructure to include sectors such as public communications and information services, energy, transport, water, finance, public services, and e‑government, as well as any infrastructure whose damage, loss of function, or data leakage could seriously endanger national security, public welfare, or the public interest. Art. 7 of the Provisions on Promoting and Regulating the Cross-Border Flow of Data requires data handlers to apply for a data export security assessment when critical information infrastructure operators export personal information or important data, but Art. 5 exempts certain transfers of personal information, though not important data, where the transfer is genuinely necessary for the performance of a contract, for lawful cross-border human resources management, or for emergency protection of life, health, or property. Art. 10 obliges data handlers exporting personal information to provide notice, obtain separate consent, and conduct a personal information protection impact assessment, and Art. 11 further requires them to fulfil data security obligations and adopt technical and other necessary measures to ensure the security of exported data.

According to Art. 13 of the "Measures for the Management of Scientific Data," any scientific data generated within the framework of a project supported by Chinese public funds must be collected by the entity responsible for the research project and subsequently submitted to the relevant designated scientific data centre, as specified by the Ministry of Science and Technology, for archiving and processing. Art. 14 stipulates that when scientific data produced within the framework of a project funded by Chinese public funds is to be disseminated outside China for the purpose of producing an academic paper to be published in a foreign journal, the data must first be submitted to the Chinese research institute where the author is employed. The institute’s management must approve the data before the paper can be published. The Measures also impose general obligations applicable to all scientific data, irrespective of whether they are funded by the Chinese government. Specifically, Art. 26 states that if it is necessary to provide a foreign party with scientific data related to state secrets in the context of international collaboration, the transfer of such data is subject to approval by the relevant authorities and the signing of confidentiality agreements between the parties involved in the research.