Disclaimer: This guide is intended for informational purposes only and does not constitute legal advice. Chinafy is not a legal or corporate advisory entity. Given that legal obligations vary by business type and context, we recommend consulting with qualified legal counsel for advice specific to your organization. If needed, Chinafy can connect you with one of our experienced legal partners.

What is data localization?

Data localization, or data residency, refers to the practice of storing data within a specific country or region. In China, this means certain data categories (e.g., personal data, financial data, health data) must be stored on servers physically located within the country's borders.

In practice, this means for businesses operating within mainland China, any data collected, processed, and stored must remain within China’s geographical boundaries before any transfer overseas.

Why is data localization necessary in China?

Some of the reasons data localization has been deemed necessary by the government in China include:

Protecting the data privacy of Chinese residents

National strategic objectives like long-term economic and technological development

Strengthening law enforcement capabilities within mainland China by ensuring data remains accessible to domestic authorities

In general, China uses data localization policies to secure national information and assert control over its digital domain.

Data localization laws in China

The primary legal framework driving data localization in China is made of three pillars:

The Cybersecurity Law (CSL) (2017) governs how businesses operate networks and manage data in China.

The Data Security Law (DSL) (2021) regulates how data is processed, classified, and protected within and outside China.

The Personal Information Protection Law (PIPL), (2021) is similar to the EU’s GDPR, laying out the rules for personal data processing and cross-border data transfers.

Who has to follow China’s data localization laws?

China’s data laws apply to any business that collects, stores, uses, sells, or shares personal data from individuals in mainland China, regardless of whether they have a physical presence in China. This includes both data owners and data processors. The regulations are stricter if businesses are Critical Information Infrastructure Operators (CIIOs) or if they process "important" data.

Which types of data are subject to data localization requirements?

Specific requirements may vary by law or regulation, but here are some of the types of data generally subject to localization:

Personal data

Financial data

Health data

Intellectual property

Customer and e-Commerce data

Education data

Employee data

Critical infrastructure data

Government data

Vehicle data

Non-personal and non-sensitive data, data that is publicly available, stored abroad, or has been anonymized, or is part of international agreements/treaties or specific exemptions, are typically not subject to these requirements.

Potential exemptions for low-volume data exports

Recent CAC rules (the Provisions on Promoting and Regulating Cross-Border Data Flows, effective 22 March 2024) give certain businesses a lighter compliance path. If you are not classified as a Critical Information Infrastructure Operator (CIIO) and the cumulative amount of personal information you export from China since 1 January of the current year:

involves fewer than 100 000 individuals’ non-sensitive personal data, and

does not contain “important data” or any sensitive personal information,

then you may not need to conduct a CAC security assessment, file the Standard Contract, or obtain a certification. For sensitive personal information, the more stringent security assessment trigger still starts at 10,000 individuals. 

These thresholds are cumulative, sector-specific catalogues can raise or lower them, and regulators may adjust the numbers over time, so every business should map its data flows and confirm the latest position before relying on an exemption.

What do businesses need to do with their data in China?

The key requirements for data storage in China include:

Local storage: Store personal and important data collected in China on servers located within mainland China.

Server location: Store the specified data on servers physically located within China's territory.

Data security standards: Implement strict data security measures, including encryption, access controls, and regular security assessments. Report data breaches or leaks to authorities.

Data impact assessments: Conduct data impact assessments to evaluate potential risks associated with data collection and processing. (PIPL Article 55)

Government inspections: Prepare for regulatory inspections as authorities have the right to inspect businesses to ensure compliance.

Read more about cross-border data transfer

Chinafy collaborates with specialized partners, such as Lianwei Pancloud and MS Advisory, who can offer insight into specifics related to your company, regulatory trends and compliance considerations.

Get in touch with Chinafy today to better understand the next steps for your company’s website and data in China.