Navigating Trends in China’s Data Compliance Regime
Alongside China’s digital transformation, the country’s data compliance regulatory environment has matured rapidly, evolving from foundational legislation to strict and consistent enforcement. For foreign-invested enterprises operating in China, establishing a data governance framework that is compliant, efficient, and globally coordinated has been inseparable from ensuring business continuity and long-term competitiveness.
In a landmark move that sent ripples across the international business community, Chinese regulators publicly penalized French luxury brand Dior for unlawful cross-border data transfers, marking the first time a foreign company has been formally sanctioned under China’s Personal Information Protection Law (PIPL).
The September 2025 announcement followed a data breach earlier this year and revealed Dior’s failure to obtain regulatory approval, inform users, or implement adequate security safeguards before exporting personal information to its headquarters in France. While no financial penalty was disclosed, the case serves as a clear signal: China’s data compliance regime is entering a new era of assertive enforcement.
This development underlines the urgency for foreign-invested enterprises (FIEs) to reassess their data governance strategies. As China continues to refine its regulatory framework, introducing mandatory compliance audits, expanding enforcement mechanisms, and refining cross-border data transfer rules, companies must move beyond reactive compliance and build systems that are resilient, scalable, and aligned with both local and global standards.
In this article, we provide a structured overview of China’s evolving data compliance landscape and examine the key legislative developments and enforcement trends.
Supporting regulations and guidelines are becoming more robust
China’s data governance framework has evolved rapidly beyond its three foundational laws – the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) – with a growing body of supporting regulations, national standards, and official guidelines that clarify and operationalize compliance obligations for businesses.
For example, the cross-border data transfer (CBDT) mechanisms that are highly relevant to FIEs have become more structured and diversified. The release of the Measures for Security Assessment of Data Export, Standard Contract Measures for Personal Information Export, and Certification Guidelines for Personal Information Protection has clarified the three main pathways for lawful outbound data transfers. These instruments are further complemented by ongoing Q&A, manuals, and guideline publications from the Cyberspace Administration of China (CAC), which provide practical guidance and case-based interpretations to help enterprises navigate the approval and filing processes.
Compliance audits are another area where abstract requirements are becoming concrete. While Article 54 of the PIPL established audit obligations, practical details only emerged recently. In February 2025, the CAC issued the Measures for the Administration of Compliance Audits on Personal Information Protection, effective May 1, along with guidelines specifying the scope of review. Then, in May 2025, the National Information Security Standardization Technical Committee (TC260) released standardized audit procedures and guidance on selecting external auditors. Together, these measures transform compliance audits into structured, enforceable practices with clear expectations.
Sector-specific regulations are also emerging to address industry-specific risks. Regulatory authorities have issued tailored compliance requirements for sectors such as finance, healthcare, and automotive. These rules often include stricter data localization mandates, enhanced security protocols, and reporting obligations for data breaches or transfers involving “important data.”
Despite the overall robustness, the pace and scope of rulemaking have varied across regions and industries, resulting in a fragmented landscape. Acknowledging these inconsistencies, regulators have begun efforts to harmonize the system. A key milestone is the Regulations on Network Data Security Management, issued in September 2024 and effective January 1, 2025. This regulation consolidates and aligns overlapping provisions of the CSL, DSL, and PIPL, providing clearer definitions, unified enforcement mechanisms, and a more integrated compliance structure, marking a shift toward greater consistency and predictability in China’s data governance regime.
Overall, China’s data compliance legal architecture is maturing into a more actionable and increasingly coherent system. While the regulatory environment remains dynamic, the direction is clear: China is building a multi-layered governance model that emphasizes accountability, transparency, and risk mitigation. For foreign enterprises, this means shifting from ad hoc compliance to strategic, system-wide governance that aligns with both local mandates and global standards.
Cross-border data governance shifts toward flexibility and lawful enablement
China’s regulatory approach to cross-border data flows is transitioning from blanket control toward a more refined and enterprise-aware model. This shift reflects a growing emphasis on proportional enforcement and practical accommodation of business needs, especially for FIEs.
In the early stages of implementation, some local regulators adopted overly rigid practices, such as blanket requirements for security assessments or broad interpretations of “important data,” which created uncertainty and discouraged legitimate data transfers. These practices not only raised compliance costs but also became a friction point in China’s business environment.
Since 2023, regulators, including the CAC and the Ministry of Commerce (MOFCOM), have actively engaged with foreign businesses through consultation meetings, seeking feedback on issues like data localization, outbound transfer procedures, and compliance burdens. These dialogues have informed a more pragmatic regulatory posture, with authorities now emphasizing that “secure and controllable” does not mean “prohibited”. The policy goal is to mitigate risks, such as national security threats and personal data misuse, while enabling lawful and necessary data flows that support commercial operations, research collaboration, and internal management.
This shift is clearly reflected in the Regulations to Promote and Standardize Cross-Border Data Flows released in March 2024, which formalize a more balanced and transparent framework. Pilot Free Trade Zones have gone further by adopting negative list models, allowing transfers by default unless explicitly restricted.
Several foreign enterprises have completed security assessments or standard contract filings, providing reference cases that enhance industry confidence and demonstrate the feasibility of compliant data transfers under the evolving regime.
Enforcement authorities get more coordinated and specialized
Another trend is that China continues to strengthen its collaborative enforcement model for data governance, characterized by a multi-agency framework that combines strategic oversight, sectoral expertise, and criminal enforcement. This system – led by the CAC, supported by industry regulators, and backed by the Ministry of Public Security (MPS) – is evolving toward greater precision and specialization:
- The CAC remains the central authority, overseeing personal information protection, cross-border data transfers, and the implementation of key compliance mechanisms such as security assessments, standard contracts, and certification.
- The Ministry of Industry and Information Technology (MIIT) plays a critical role in supervising data security within specific industries, particularly telecom, internet services, and industrial platforms.
- The MPS serves as the enforcement backbone for criminal violations, targeting illegal data transactions, personal information abuse, and black-market data operations. Its role is increasingly important in tracing data breaches and prosecuting offenders under criminal law.
- The newly established National Data Administration (NDA) is tasked with building the data element market, overseeing data classification and grading, and regulating public data transactions. Its enforcement scope includes compliance with data trading and public data operations.
- Other agencies, such as the State Administration for Market Regulation (SAMR), focus on consumer protection and unfair data-driven practices, including exploitative algorithms, misleading app behavior, and misuse of user profiling. Meanwhile, the China Cybersecurity Review and Certification and Market Regulation Big Data Center (CCRC) is responsible for establishing a data compliance qualification system, covering both personnel and enterprise qualifications.
- Sector-specific regulators in finance, healthcare, and transportation are also stepping up enforcement around sensitive industry data, privacy protection, and cross-border transfers.
This coordinated enforcement system reflects a broader trend: China is moving toward granular, risk-based, and sector-sensitive data governance, with clearer responsibilities and more professionalized enforcement teams. For foreign enterprises, this means navigating a landscape where compliance expectations are increasingly tailored to industry context and operational risk, requiring not only legal awareness but also strategic coordination across internal functions.
China’s Data Compliance Authorities

| Agency | Core responsibilities | 2025 enforcement focus |
| --- | --- | --- |
| CAC | Central regulator for data security and personal information protection; leads implementation of outbound data transfer mechanisms (security assessments, standard contracts, certifications) | – Cross-border data compliance (security assessments, standard contracts, certifications) – Personal information protection (compliance audits, user rights, sensitive data handling) – Identification of important data and inter-agency coordination |
| MIIT | Oversees data security in industrial, telecom, and internet sectors; focuses on secure data collection, transmission, and storage | – Industrial internet data, telecom user data, and app-based personal data collection – Data security systems, log retention, and technical safeguards in telecom and internet enterprises |
| MPS | Investigates and prosecutes data-related crimes, including illegal data trading and personal information abuse | – Criminal offenses involving personal data – Black-market data trading, breach tracing, and criminal enforcement – Whether the enterprise has obtained consent for processing personal information (we see this as a sign that the MPS is beginning to actively check for compliance) |
| NDA | Develops the data element market; oversees data classification, grading, and data transaction compliance | – Implementation of data classification and grading systems – Compliance in public data operations and data trading |
| SAMR | Protects consumer rights and addresses unfair data-driven practices | – App user rights (e.g., auto-renewals, algorithmic discrimination, profiling abuse) – Unfair competition and consumer fraud in enterprise data use |
| CCRC | Introduces qualification programs for both entities and individuals | – Qualification frameworks to ensure data compliance – Certifications for cybersecurity-related products, services, systems, and personnel |
| Sectoral regulators | Enforce data compliance within specific industries | – Identification and protection of industry-specific important data – Cross-border transfers, privacy protection, and incident response |
Enforcement grows tougher and case-driven
China’s data compliance enforcement is entering a more mature and assertive phase, where rules are no longer theoretical – they are being actively applied, tested, and refined through real-world cases and coordinated regulatory actions. Authorities are shifting from symbolic oversight to substantive enforcement, with a clear focus on high-risk scenarios and sector-specific vulnerabilities.
For example, in the CBDT area, regulators have started penalizing failures to submit required filings, misrepresentations in those filings, and non-fulfilment of contractual obligations, as in the Dior case mentioned in the earlier section. Similarly, personal information protection is moving beyond formalistic privacy policies toward functional accountability. Joint inspections and audits, often triggered by user complaints, are targeting vague disclosures, ineffective consent mechanisms, and poor responsiveness to data subject requests. The protection of important and core data is also gaining traction, with enforcement now examining whether companies have established internal data catalogs, implemented encryption and access controls, and restricted outbound transfers.
Incident response is another area of heightened scrutiny. The newly released Management Measures for National Cybersecurity Incident Reporting set strict requirements for enterprises’ incident response times and response mechanisms. Companies are expected to report breaches promptly, notify affected individuals, and demonstrate effective containment and remediation. Delays or omissions in reporting are increasingly met with penalties, reflecting a regulatory emphasis on transparency and accountability. Finally, compliance audits and internal governance are evolving from checkbox exercises to performance-based evaluations. Regulators now assess not just the existence of policies, but their implementation quality, staff training, and executive responsibility.
The release of typical cases, such as the Guangzhou Internet Court’s ruling against a multinational hotel group for unlawful data transfers and inadequate user rights handling, illustrates how judicial enforcement is reinforcing administrative oversight and setting precedents for future compliance expectations.
Together, these trends show that enforcement under China’s data compliance regime is becoming more detailed and responsive to real-world risks. As China advances its national data compliance system, enforcement will become more precise, more actionable, and better at balancing compliance costs against regulatory requirements. For foreign enterprises, this means building systems that can withstand scrutiny, adapt to evolving standards, and earn regulatory trust.
Key takeaways: From passive compliance to proactive governance
For many FIEs, data compliance in China has long been viewed as a defensive exercise – meeting minimum requirements to avoid penalties. However, the maturing enforcement environment and rising expectations from regulators, partners, and consumers mean that “passive compliance” is no longer sufficient. The next frontier is “proactive governance,” where compliance is embedded into corporate strategy and becomes a driver of trust, efficiency, and competitive advantage.
This shift requires companies to go beyond paperwork and checklists. Leading practices include building cross-functional governance structures, integrating compliance into product design and customer experience, and leveraging compliance technology to enhance monitoring and reporting.
Ultimately, treating data compliance as a strategic asset rather than a regulatory burden allows enterprises to differentiate themselves in the market. In a business environment where reputation, transparency, and security are paramount, firms that embrace proactive governance will be better positioned to win stakeholder trust, attract high-value partnerships, and achieve sustainable growth in China.
Cybersecurity & Compliance Advisory
With support from our in-house legal, HR, finance, and IT specialists, Dezan Shira & Associates helps clients strengthen defenses, prepare for audits, and build privacy programs that transform data compliance from a risk into a competitive advantage. Get in touch with our local experts to schedule a consultation: China@dezshira.com.
About Us
China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.
For support with establishing a business in China or for assistance in analyzing and entering markets, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.