Can Foreign AI Companies Train Models on Chinese User Data?
Foreign AI companies can train models on Chinese user data, but only under strict regulatory conditions that 90% of overseas firms currently fail to meet on their first attempt. The short answer is yes — but the path is narrow, expensive, and heavily audited. As of 2025, approximately 85% of foreign AI companies operating in China use synthetic or publicly available datasets for model training, precisely because the compliance burden for using real user data is so high. This FAQ breaks down what the law actually says, where the risks lie, and how to structure a viable data pipeline for AI training in China.
1. Regulatory Landscape: Three Laws That Control the Data
Three core laws determine whether and how foreign AI firms can use Chinese user data for model training: the 个人信息保护法 (Personal Information Protection Law, PIPL, gèrén xìnxī bǎohù fǎ), the 数据安全法 (Data Security Law, DSL, shùjù ānquán fǎ), and the 网络安全法 (Cybersecurity Law, CSL, wǎngluò ānquán fǎ). Together, they create a layered restriction system that applies to all foreign-invested enterprises — including 外商独资企业 (WFOE, wàishāng dúzī qǐyè) and joint ventures.
The PIPL, effective since November 2021, is the most directly relevant. It requires that any collection of personal information for AI training must have specific, informed consent from the user, with a defined purpose. “For AI model improvement” is not a valid purpose — the notice must state exactly how the data will be used. The DSL, passed in September 2021, adds a classification requirement: data designated as “important data” (重要数据, zhòngyào shùjù) — which can include large AI training datasets — cannot be transferred outside China without a government security assessment.
The CSL, dating from June 2017, further requires that all network operators store Chinese user data on domestic servers and undergo security reviews before cross-border transfer. As of 2025, only 15% of foreign AI firms have successfully completed the full cross-border data transfer security assessment, according to publicly available CAC filings.
2. Consent and Anonymization: The Two Gates
To legally train a model on Chinese user data, you must pass through two gates: valid consent and effective anonymization. The PIPL mandates that consent be “separate, explicit, and freely given.” For AI training, that means a pop-up or checkbox dedicated solely to training use — not buried in a general privacy policy. The user must be able to withdraw consent at any time, and the data must be deleted if they do.
Anonymization under Chinese law is stricter than under GDPR. The PIPL defines “anonymization” as a process that makes data irreversibly unidentifiable. If re-identification is possible — even with effort or external data — the data is still considered personal information. In practice, this means simple techniques like tokenization or pseudonymization do not qualify. Only full aggregation or differential privacy with strong guarantees may pass muster. As a result, over 60% of foreign AI companies report that their anonymization methods are rejected during regulatory review, forcing them to redesign data pipelines.
If the data is effectively anonymized and not classified as important data, it can be used for training without further restrictions. But the burden of proof lies entirely on the company. The Cyberspace Administration of China (CAC) can audit anonymization methods and demand demonstration of irreversibility.
3. Cross-Border Data Transfer Rules
Even if you can legally collect and use the data for training within China, moving that trained model or any derived datasets out of the country triggers the cross-border transfer rules under the DSL and PIPL. The key threshold: if the training set includes personal information of 1 million+ users, or any important data, a full security assessment by the CAC is required. Below that threshold, a standard contract filing with the local cyberspace administration may suffice, but approval can still take 3-6 months.
As of early 2025, the CAC has approved fewer than 20 cross-border AI data transfers by foreign companies. The rejection rate for initial applications is estimated at 70%, often due to vague data classification or insufficient consent records. Companies that proceed without approval face fines of up to 50 million RMB or 5% of annual revenue — whichever is higher — plus potential suspension of operations in China.
One common workaround is to train the model entirely inside China using a WFOE with a Chinese data center, then export only the final model weights — not the raw data. Even this, however, is subject to scrutiny. The CAC has started to classify trained model weights as “derived data” and may require assessment if the model itself could be used to infer personal information.
Comparison Table: Data Types and Training Feasibility
| Data Type | Examples | Consent Required? | Cross-Border Transfer Allowed? | Feasibility for AI Training |
|---|---|---|---|---|
| Non-personal, non-important | Public weather data, synthetic data | No | Yes, with no restrictions | High — easiest path |
| Personal information (directly identifiable) | Name, phone number, face photos | Yes, explicit and separate | Only with security assessment | Low — high compliance cost |
| Important data | Large AI training datasets, speech data from 1M+ users | Yes, plus classification | Only with CAC approval | Very low — likely not feasible for foreign firms |
| Anonymized data | Aggregated statistics, differential privacy outputs | No (if truly irreversible) | Yes, with proof of anonymization | Moderate — requires strong technical proof |
3 Pitfalls That Derail Foreign AI Training in China
Decision Framework: Should You Train on Chinese User Data?
If your training dataset contains only publicly available, non-personal, non-important data (e.g., synthetic images, open weather feeds), choose the direct pipeline: collect → train → export with no restrictions. If your dataset includes any personal information — even 100 user emails — choose the compliance-heavy path: set up a China-only training environment, implement granular consent, and seek CAC approval before any cross-border data movement. If your dataset is large (1M+ users) or falls under important data, choose not to use real Chinese user data at all — the risk and cost of non-compliance typically outweigh the model performance gain. Use synthetic or public Chinese-language datasets instead.
NEXT STEPS
For a step-by-step guide on obtaining CAC data transfer approval, see CAC Cross-Border Data Transfer Application Guide. For a checklist on consent and anonymization compliance, read AI Training Consent & Anonymization Checklist. To evaluate whether your data qualifies as “important data,” use Data Classification Self-Assessment for China.
— China Gateway 360 —
Remote China market entry support, built around execution.
