Art. 37 of the Cybersecurity Law requires "key information infrastructure" operators to store personal information and critical data within China. Personal information and critical data can be stored outside of China where there is a genuine need for business; in such case a "security assessment" needs to be conducted in accordance with procedures formulated by the Cyberspace Administration of China (CAC) in collaboration with other authorities.
Art. 4 of the Outbound Data Transfer Security Assessment Measures, promulgated by the CAC, outlines four situations where a security assessment is necessary before an outbound transfer can take place: 1) In cases where the transfer concerns “important data”, which is broadly defined as data that could endanger national security, economic operation, social stability, public health and safety; 2) In case the transfer concerns personal data by a critical information infrastructure operator or processor of personal information that processed data for 1 million or more individuals; 3) Also in the case of transfers concerning personal data by a personal information processor that has made outbound transfers of personal information of 100,000 individuals or sensitive personal information of 10,000 persons in the preceding year; 4) Lastly, the CAC may also require security assessment in other situations which are not further defined.
Art. 8 of the Measures covers the factors that the CAC will take into account when undertaking a security assessment. The assessment includes a wide range of aspects, for example:
- The risks that the transfer may entail for national security or public interests, among other policy objectives;
- Legitimacy, necessity and method of transfer;
- Whether the level of data protection in the recipient country meets the requirements of laws in China;
- Sensitivity of the data and risks of being tampered with abroad;
- Agreed safeguard measures between the data processor and data recipient;
- Any other matter that the CAC deems necessary.
In case of unfavourable outcomes, the data handler can ask the CAC for a re-assessment with a final decision. In case of a positive decision, the permission to transfer data abroad is valid for two years but if substantial changes in the risk factors arise, a new assessment might be needed.

Online maps are required to set up their server inside of the country (Art. 34 of Map Management Regulations) and must acquire an official certificate.

China's Telecommunications Regulations require all data collected inside China to be stored on Chinese servers. It is reported that as a result of this regulation, Hewlett Packard, Qualcomm, and Uber were required to divest more than 50% of their businesses in China to Chinese companies, to avoid fines.

Population health information needs to be stored and processed within China. In addition, storage is not allowed overseas (Art. 10).

China instituted a licensing system for online taxi companies which requires that the personal information and business data should be stored and used in mainland China and must not be transferred outside of China (Art. 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services). Such information should be retained for two years, except when otherwise required by other laws and regulations. The Measurement also regulates that servers of the taxi companies should be set up in Mainland China, with a network security management system and technical measures for security protection in compliance with regulations (Art. 5.2).

The "Notice of the People's Bank of China on Protecting Personal Financial Information by Banking Financial Institutions" states that the processing of personal information collected by commercial banks must be stored, handled and analysed within the territory of China and such personal information is not allowed to be transferred overseas (paragraph 6).
The Personal Financial Information Protection Technical Specification (PFI Specification) regulates “any personal information collected, processed and stored by Financial Institutions during the provision of financial products and services" (PFI). The PFI specification requires that PFI collected or generated in mainland China is stored, processed and analysed within the territory. Further, under the PFI Specification, where there is a business need for cross-border transfer of personal financial information (PFI) and the financial institution obtains explicit consent to the transfer from the personal financial information subjects (i.e the persons under the PFI Specification providing the data), conducts a security assessment and then supervises the offshore recipient to ensure responsible processing, storage and deletion of PFI (Section 7.1.3).

The Ministry of Industry and Information Technology (MIIT) acts as the telecommunications authority in the country and therefore there is no independence from the government in its decision-making process.

The Personal Information Protection Law (Art. 40) provides that critical information infrastructure operators and personal information processors handling personal information must store personal information collected and produced within the borders of China. Where such information needs to be provided abroad, they shall pass a security assessment organized by the State cybersecurity and information department.

China has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Telecoms business activities in China are divided into Basic Telecom Services (“BTS”) and Value-added Telecom Services (“VATS”). BTS refers to the business of providing public network infrastructure, public data transmission and basic voice communications services. VATS refers to the telecoms and information services provided through public network infrastructure. Both BTS and VATS operators require a license and VATS licenses are further divided into single province licenses and cross-provincial licenses. A BTS licence is valid for either five or ten years (depending on the type of telecom service involved) and a VATS licence is valid for five years. Telecoms operators must also meet the minimum registered capital requirements in order to be granted licences. For BTS operators, the minimum registered capital is RMB 100 million for single province providers and RMB 1 billion for nationwide providers. For VATS operators, the minimum registered capital is RMB 1 million for single province providers and RMB 10 million for nationwide providers. China also maintains restrictions on VATS services and these restrictions include opaque and arbitrary licensing procedures, foreign equity caps and the unjustified moratoria on the issuance of new licenses. As a result, only a few dozen foreign-invested suppliers have secured licenses to provide value-added telecommunications services, while there are thousands of licensed domestic suppliers.
Additionally, foreign companies must obtain VATS licenses only through a joint-venture company. In this regard, the European Chamber of Commerce in China has complained about the multiple value added services licenses required, suggesting the approval of one single value added service license that allows for the provision of multiple VATS.

Foreign-invested enterprises using their own network platform to provide network services for other parties should apply to the Ministry of Industry and Information Technology value-added telecommunications business license; enterprises using their own network platform directly engaged in the sale of goods, should be filed with the telecommunications management department.

China Telecom Corporation Limited (China Telecom), the incumbent, is a wholly State-owned enterprise (SOE) providing basic, mobile and value added telecommunication services.

It is reported that China does not mandate functional or accounting separation for operators with significant market power (SMP) in the telecom market.

According to Art. 6 of the Provisions on Administration of Foreign-Invested Telecommunications Enterprises, for foreign-funded telecommunications enterprises operating value-added telecommunications services (including online database storing and searching; electronic data exchange; online data processing and transactions processing; domestic multiparty communication services; IP-VPN; ISP; ICP and video teleconferencing), the proportion of foreign investors' capital contribution in the enterprise shall not exceed 50% in the end. An exception applies to e-commerce, for which 100% foreign equity and ownership is allowed. Furthermore, the proportion of capital contribution between Chinese investors and foreign investors in foreign-invested telecommunications enterprises in different periods shall be determined by the industry and information technology department of the State Council in accordance with relevant regulations.
In addition, according to Art. 5, if the enterprise is engaged in the value-added telecom business within a province, autonomous region, or municipality directly under the Central Government, it shall have a registered capital of not less than 1 million yuan (Approx. USD 137,000). However, if an enterprise is engaged in value-added telecom businesses nationwide or beyond a single province, autonomous region or municipality directly under the Central Government, it shall have a registered capital of not less than 10 million (Approx. USD 1,370,000).
According to Art. 2, a foreign-invested telecommunications enterprise refers to an enterprise operating telecommunications business jointly invested and established by foreign investors and Chinese investors in the form of Sino-foreign joint ventures in accordance with the law within the territory of the People's Republic of China.

According to Art. 6 of the Provisions on Administration of Foreign-Invested Telecommunications Enterprises, the capital contribution ratio of foreign investors in foreign-funded telecommunications enterprises operating basic telecommunications services (excluding wireless paging services) shall not exceed 49% in the end. However, in practice, all telecommunication companies are Chinese. In addition, the proportion of capital contribution between Chinese investors and foreign investors in foreign-invested telecommunications enterprises in different periods shall be determined by the industry and information technology department of the State Council in accordance with relevant regulations.
In addition, according to Art. 5, if the enterprise is engaged in the basic telecom business within a province, autonomous region, or municipality directly under the Central Government, it shall have a registered capital of not less than 100 million yuan (Approx. USD 14,000,000). However, if the enterprise is engaged in the basic telecom business nationwide or beyond a single province, autonomous region, or municipality directly under the Central Government, it shall have a registered capital of not less than 1 billion yuan (Approx. USD 140,000,000).
Under the Special Management Measures for Foreign Investment Access (Negative List) 2020, authorities must treat foreign investors with the same degree of accommodation as domestic investors unless set out otherwise in the negative list. While no caps have been set out in the negative list with regard to basic telecommunication services, the negative list provides that the basic telecommunication business must be controlled by the Chinese party.