Arts. 8 and 9 of the Online Publishing Service Management Rules mandate that the servers and storage equipment of online publishers must be situated within the borders of China.

The Ministry of Industry and Information Technology (MIIT) acts as the telecommunications authority in the country, and therefore, there is no independence from the government in its decision-making process.

Art. 40 of the Personal Information Protection Law provides that critical information infrastructure operators and personal information processors handling personal information must store personal information collected and produced within the borders of China. Where such information needs to be provided abroad, they shall pass a security assessment organised by the National Cyberspace Department. Also, according to Art. 38, the processors of personal information must apply one of the conditions to provide information outside of the PRC: passing the security assessment organised by the National Cyberspace Department; obtaining personal information protection certification from the relevant specialised institution according to the provisions issued by the national cyberspace department; concluding a contract stipulating both parties' rights and obligations with the overseas recipient following the standard contract formulated by the national cyberspace department; and meeting other conditions set forth by laws and administrative regulations and by the national cyberspace department.
Where a processor of personal information provides personal information outside the People's Republic of China, it is required to inform the individual of the name or names of the overseas recipient, the contact information, the purpose of processing, the manner of processing, the type of personal information, as well as the manner and procedure for the individual to exercise his or her rights under this Law with the overseas recipient, and obtain the individual's consent (Art. 39). Personal information processors shall not provide personal information stored in the People's Republic of China to foreign judicial or law enforcement agencies without the approval of the competent authorities of the People's Republic of China (Art. 41).

The "Notice of the People's Bank of China on Protecting Personal Financial Information by Banking Financial Institutions" states that the processing of personal information collected by commercial banks must be stored, handled and analysed within the territory of China, and such personal information is not allowed to be transferred overseas (paragraph 6).
The Personal Financial Information Protection Technical Specification (PFI Specification) regulates “any personal information collected, processed and stored by Financial Institutions during the provision of financial products and services" (PFI). The PFI specification requires that PFI collected or generated in mainland China is stored, processed and analysed within the territory. Further, under the PFI Specification, where there is a business need for cross-border transfer of personal financial information (PFI) and the financial institution obtains explicit consent to the transfer from the personal financial information subjects (i.e. the persons under the PFI Specification providing the data), conducts a security assessment and then supervises the offshore recipient to ensure responsible processing, storage and deletion of PFI (Section 7.1.3).

Art. 5.4.5. of the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems prohibit the transfer of personal data abroad without the express consent of the data subject, government permission or explicit regulatory approval "absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities". If these conditions are not fulfilled, "the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organisations and institutions registered overseas." Although the Guidelines are a voluntary technical document, they might serve as a regulatory basis for judicial authorities and lawmakers.

Population health information needs to be stored and processed within China. In addition, storage is not allowed overseas (Art. 10).

China instituted a licensing system for online taxi companies, which requires that personal information and business data should be stored and used in mainland China and must not be transferred outside of China (Art. 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services). Such information should be retained for two years, except when otherwise required by other laws and regulations. The Measurement also states that taxi companies' servers should be set up in Mainland China, with a network security management system and technical measures for security protection in compliance with regulations (Art. 5.2).

According to Art. 34 of Map Management Regulations, online maps are required to set up their server inside the country and acquire an official certificate.

It is reported that China's Telecommunications Regulations require all data collected within the country to be stored on Chinese servers. However, the relevant article has not been found in the regulations. Moreover, it is reported that, as a result of this regulation, Hewlett-Packard, Qualcomm, and Uber had to divest more than 50% of their businesses in China to Chinese companies to avoid fines.

Art. 37 of the Cybersecurity Law requires "key information infrastructure" operators to store personal information and critical data within China. Personal information and critical data can be stored outside of China where there is a genuine need for business; in such cases a "security assessment" needs to be conducted in accordance with procedures formulated by the Cyberspace Administration of China (CAC) in collabouration with other authorities.
Art. 4 of the Outbound Data Transfer Security Assessment Measures, promulgated by the CAC, outlines four situations where a security assessment is necessary before an outbound transfer can take place, which include:
1) Cases where the transfer concerns “important data”, which is broadly defined as data that could endanger national security, economic operation, social stability, public health and safety;
2) Cases the transfer concerns personal data by a critical information infrastructure operator or processor of personal information that processed data for 1 million or more individuals;
3) Cases of transfers concerning personal data by a personal information processor that has made outbound transfers of personal information of 100,000 individuals or sensitive personal information of 10,000 persons in the preceding year;
4) Any other situation where the CAC deems a security assessment necessary.
Art. 8 of the Measures covers the factors the CAC considers when undertaking a security assessment, including:
- The risks that the transfer may entail for national security or public interests, among other policy objectives;
- Legitimacy, necessity and method of transfer;
- Whether the level of data protection in the recipient country meets the requirements of laws in China;
- Sensitivity of the data and risks of being tampered with abroad;
- Agreed safeguard measures between the data processor and data recipient;
- Any other matter that the CAC deems necessary.
In case of unfavourable outcomes, the data handler can ask the CAC for a re-assessment and a final decision. In case of a positive decision, the permission to transfer data abroad is valid for two years, but if substantial changes in the risk factors arise, a new assessment might be needed.

Art. 31 of the Data Security Law provides that the security administration of the cross-border transfer of important data collected and generated by critical information infrastructure operators during their operation in China shall be subject to the provisions of the Cybersecurity Law of the People's Republic of China; the administrative measures for the cross-border transfer of important data collected and generated by other data processors during their operation in China shall be formulated by the national cyberspace administration authority in collabouration with relevant departments of the State Council. In addition, Art. 36 stipulates that the competent authority of China shall process the request for providing any data from a foreign judicial body and law enforcement body in accordance with relevant laws and the international treaty or agreement which China has concluded or acceded to, or under the principle of equality and mutual benefit. Any organization or individual within the territory of China shall not provide any foreign judicial body or law enforcement body with any data stored within the territory of the People's Republic of China without the approval of the competent authority of China.

According to Art. 27 of the Provisional Measures for Administration of Business Activities of Internet Lending Information Intermediaries, the lender and borrower information collected within China shall be stored, processed, and analysed in China. Unless otherwise provided by laws and regulations, online lending information intermediaries shall not provide information on domestic lenders and borrowers overseas.

According to Art. 24 of the Regulation on the Administration of Credit Investigation Industry, credit reporting agencies must organise, preserve, and process consumer or commercial data within China.

According to the Regulation on the Management of Human Genetic Resources, the export of human genetic resources information from China is prohibited unless explicitly approved in accordance with this Regulation. Under Arts. 7, 8, 9, and 10, the provision of human genetic resources to foreign entities must comply with ethical principles, undergo corresponding ethical reviews, and meet the technical standards established by the scientific administrative departments of the State Council. Such actions must not compromise public health, national security, or public interests. The sale of human genetic resources is strictly forbidden. Foreign organisations and individuals, as well as entities directly controlled by them, are prohibited from transferring China’s human genetic resources abroad.
Art. 28 stipulates that, in addition to a record filing, any provision of data to foreign parties or the permission for its use by foreign parties requires submission of a copy of the relevant data to the Office of Human Genetic Resource Administration within the Ministry of Science and Technology. A “security assessment” may also be required if the provision or use of such data could potentially affect China's public health, national security, or public interest. Art. 37 of the Implementation Rules details the categories of human genetic resources information that must undergo a national security review before being transferred or made accessible to foreign parties. Particular attention must be given to the export of genetic resources information, including that related to significant genetic families or populations from specific geographic regions, or exome sequencing and genome sequencing data involving more than 500 human subjects.

Art. 25 of the Law on Guarding State Secrets prohibits the export of carriers containing state secrets. According to Art. 17, such carriers include paper, optical, and electromagnetic media that bear state secrets. This law revises legislation of the same name from 1988, in which Art. 26 prohibited the cross-border transfer of any data containing state secrets.