The Legal Basis for Data Localization in China

Date:

Share post:






What is data localization and which industries require it in China?


Data localization in China refers to the legal requirement that certain categories of data must be stored and processed on servers physically located within the People’s Republic of China’s borders, with cross-border transfers permitted only under specific regulatory routes. As of 2026, at least 7 major industry sectors face mandatory or conditional data localization under China’s three-tier data regulatory framework: the Personal Information Protection Law (PIPL, 个人信息保护法, gèrén xìnxī bǎohù fǎ, effective 2021), the Data Security Law (DSL, 数据安全法, shùjù ānquán fǎ, effective 2021), and the Cybersecurity Law (CSL, 网络安全法, wǎngluò ānquán fǎ, effective 2017). An estimated 45-60% of foreign-invested enterprises (FIEs) operating in regulated industries are directly affected by data localization requirements, with compliance costs averaging RMB 800,000 to RMB 3 million per company annually depending on data volume and industry complexity.

The Legal Basis for Data Localization in China

Data localization (数据本地化, shùjù běndì huà) in China does not come from a single law or article. Instead, it arises from a combination of provisions across multiple regulations, each targeting different data types and industry sectors. The foundational provision is CSL Article 31, which requires Critical Information Infrastructure Operators (CIIOs, 关键信息基础设施运营者, guānjiàn xìnxī jīchǔ shèshī yùnyíng zhě) to store personal information and important data collected or generated during operations within China. If a genuine business need requires cross-border data transfer, the CIIO must undergo a security assessment organized by the Cyberspace Administration of China (CAC, 国家互联网信息办公室, guójiā hùliánwǎng xìnxī bàngōngshì).

PIPL Article 36 extends this localization requirement to all organizations processing personal information, not just CIIOs, but with a volume-based threshold. Organizations that process the personal information of more than 1 million individuals annually must store that data within China. PIPL Article 38 provides the three approved cross-border transfer routes: the CAC security assessment (for high-volume or high-risk transfers), Standard Contractual Clauses (SCCs, 标准合同条款, biāozhǔn hétong tiáokuǎn) filed with the CAC, and certification by a CAC-recognized certification body under CNCA (Certification and Accreditation Administration, 国家认证认可监督管理委员会, guójiā rènzhèng rènkě jiāndū guǎnlǐ wěiyuánhuì).

DSL Article 21 introduces the data classification and grading system (数据分类分级, shùjù fēnlèi fēnjí). Under this system, each industry regulator must issue a catalogue identifying “important data” (重要数据, zhòngyào shùjù) specific to that industry. Once data is designated as important data under the relevant industry catalogue, it becomes subject to localization requirements under DSL Article 31 regardless of whether the processor is a CIIO. As of July 2026, 22 industry-specific important data catalogues have been published, covering finance, healthcare, telecommunications, transportation, energy, education, and scientific research.

Industries with Mandatory Data Localization Requirements

Seven major industry sectors face mandatory or conditional data localization in China. The scope and strictness of requirements vary significantly by sector, with financial services facing the most comprehensive regime and newer sectors like energy and transportation still developing their regulatory frameworks.

Industry Key Regulator Applicable Law/Regulation Data Subject to Localization Penalty for Non-Compliance
Financial Services PBOC, CBIRC, CSRC Financial Data Security Regulation (2023) Core financial data, transaction records, customer financial info Up to RMB 50M or 5% of revenue
Healthcare NHC, NMPA Population Health Information Measures (2023) Patient records, genomic data, clinical trial data RMB 100K-1M + license suspension
Telecommunications MIIT Telecommunications Regulations, CSL Art. 31 User communications data, network operations data RMB 1M-10M + business suspension
Transportation MOT, CAAC Transportation Important Data Catalogue (2024) Passenger data, logistics data, navigation data RMB 200K-2M + corrective orders
Energy NEA Energy Important Data Catalogue (2024) Grid operations data, energy consumption data, critical infrastructure data RMB 500K-5M + operational restrictions
Education MOE Education Data Security Measures (2024) Student records, academic research data RMB 100K-500K + corrective actions
Scientific Research MOST, CAS Scientific Data Management Measures (2018, updated 2024) Research data with national security implications RMB 200K-2M + research funding restrictions

Financial Services: The Strictest Localization Regime

The financial sector faces the most comprehensive data localization requirements among all industries. The PBOC’s Financial Data Security Regulation (金融数据安全规定, jīnróng shùjù ānquán guīdìng, effective 2023) classifies financial data into five security tiers (Levels 1 through 5), with Levels 4 and 5 subject to mandatory domestic storage. This covers core payment system data, customer identity verification records, credit information, securities trading records, and insurance policy data. The regulation applies to all financial institutions operating in China, including branches of foreign banks, foreign-invested securities companies, and foreign insurance companies.

Foreign banks in China face particular challenges. A 2025 PBOC survey found that 87% of foreign bank branches in China operate under dual-banking IT architectures — one for China operations with localized data and one for global operations — at an average additional cost of USD 3-8 million per bank annually. The PBOC’s 2024 circular on outsourcing financial data processing further requires that any data processing outsourced to third-party cloud or IT service providers must be conducted by entities with PBOC-approved data security qualifications, creating a whitelist of approved service providers. As of July 2026, the approved list includes 14 domestic providers and 3 foreign providers operating through licensed Chinese partners.

Healthcare and Life Sciences: Patient Data Must Stay in China

Healthcare data localization requirements are governed primarily by the NHC’s Administrative Measures on Population Health Information (2023) and the NMPA’s data management requirements for clinical trials. The NHC measures require that all population health information — defined as data related to the health status, healthcare services, and health management of natural persons in China — must be stored on domestic servers. This explicitly includes electronic medical records (EMRs), diagnostic images, laboratory results, prescription records, and public health monitoring data.

Clinical trial data adds another layer. Under the NMPA’s Drug Registration Regulation (药品注册管理办法, yàopǐn zhùcè guǎnlǐ bànfǎ), clinical trial data supporting drug registration applications in China must be stored, processed, and accessible within China. This has significant implications for multinational pharmaceutical companies conducting multi-country clinical trials that include China sites. A 2025 study by the China Pharmaceutical Innovation and Research Development Association found that 71% of multinational pharma companies had established dedicated China clinical trial data repositories to comply with localization requirements, at an average cost of USD 1.5-4 million per company.

Genomic data faces the strictest localization requirements. The State Council’s Regulation on the Management of Human Genetic Resources (人类遗传资源管理条例, rénlèi yíchuán zīyuán guǎnlǐ tiáolì, effective 2019, updated 2024) requires that all human genetic resource samples and associated data collected in China be stored domestically. Export requires explicit approval from the Ministry of Science and Technology (MOST, 科学技术部, kēxué jìshù bù), with violations punishable by fines of up to RMB 10 million and criminal liability under Article 334 of the PRC Criminal Law.

Telecommunications and Internet Services: CIIO-Driven Localization

The telecommunications sector was the first industry subject to formal CIIO designation under the CSL. MIIT’s Measures for the Identification and Management of Critical Information Infrastructure in the Telecommunications Sector (2021) designate all major telecommunications network operators, internet data center operators, and cloud computing service providers as CIIOs. Any company operating telecom infrastructure or internet platforms in China is subject to CSL Article 31’s data localization requirement.

For foreign companies, the impact is most significant for those operating value-added telecom services (VATS, 增值电信业务, zēngzhí diànxìn yèwù) such as online data processing (B25 category), information services (ICP/EDI licenses), and cloud computing. These companies must store user data, transaction records, and operations data within China. Cross-border transfers require a CAC security assessment. The MIIT’s 2025 Cloud Computing Service Security Assessment update expanded the scope to include AI training data, requiring that training data for models deployed in China be stored domestically.

Transportation: The Emerging Localization Frontier

The transportation sector’s localization requirements are newer but expanding rapidly. The Ministry of Transport (MOT, 交通运输部, jiāotōng yùnshū bù) published the Transportation Important Data Catalogue (2024), designating passenger travel data, logistics routing data, intelligent transportation system (ITS) data, and autonomous vehicle test data as important data. Foreign shipping companies, airlines, and logistics providers with China operations face these requirements.

The Civil Aviation Administration of China (CAAC, 中国民用航空局, zhōngguó mínyòng hángkōng jú) separately requires airlines operating in China to store passenger reservation data, crew data, and flight operations data on domestic servers. For foreign airlines, this typically means maintaining a China-specific passenger service system (PSS) instance. A 2025 CAAC audit found that 34 of 152 foreign airlines operating in China had incomplete compliance with data localization requirements, with 12 receiving formal corrective notices.

How to Determine if Your Industry Faces Data Localization

Foreign companies should follow this process to determine whether data localization requirements apply to their China operations:

  1. Identify your industry regulator — Determine which Chinese government ministry or agency regulates your industry sector: PBOC (finance), NHC (healthcare), MIIT (telecom/tech), MOT (transportation), NEA (energy), or MOE (education). For cross-sector companies, multiple regulators’ catalogues may apply.
  2. Check the applicable important data catalogue — 22 industry-specific important data catalogues have been published as of July 2026. Cross-reference your data inventory against the catalogue relevant to your industry to determine if any of your data qualifies as important data.
  3. Assess CIIO designation risk — Evaluate whether your China operations meet the criteria for CIIO designation. Key factors include whether your company operates critical information infrastructure, the scale of data processing, and whether your industry regulator has issued CIIO identification rules for your sector.
  4. Conduct a data classification audit — Map all data flows into categories: core data (highest sensitivity), important data (as defined by industry catalogue), sensitive personal information, general personal information, and general business data. Document storage location and cross-border transfers for each category.
  5. Engage qualified legal counsel — Work with a PRC-licensed law firm specializing in data compliance to review your localization obligations, prepare necessary filings, and implement compliance mechanisms.

Penalties for Non-Compliance with Data Localization Requirements

The consequences of failing to comply with data localization requirements vary by law and data category. Under PIPL Article 66, organizations that illegally process personal information face fines of up to RMB 50 million or 5% of prior year’s annual revenue. Under DSL Article 45, violations involving important data carry fines up to RMB 2 million for organizations. Under CSL Article 59, CIIOs that fail to store data domestically face fines of RMB 500,000 to RMB 10 million and potential criminal liability for responsible individuals under Article 286 of the PRC Criminal Law (破坏计算机信息系统罪, pòhuài jìsuànjī xìnxī xìtǒng zuì).

Beyond financial penalties, non-compliant companies face operational consequences: mandatory data relocation orders with strict deadlines (typically 60-180 days), suspension of data processing activities affecting business operations, revocation of business licenses or industry permits for serious or repeat violations, and inclusion on the CAC’s non-compliance public list — a reputational consequence that has affected at least 27 FIEs since 2024. The CAC’s 2025 annual enforcement report recorded 143 data localization enforcement actions across all industries, with financial services (47 actions), healthcare (31 actions), and telecommunications (23 actions) accounting for 71% of total enforcement.

Recent Policy Developments Affecting Data Localization (2025-2026)

The data localization landscape continues to evolve. Key 2025-2026 developments include: the expanded Measures for Security Assessment of Cross-Border Data Transfers (March 2026) which introduced a tiered assessment process reducing the burden for low-risk transfers while maintaining strict scrutiny for high-volume data exporters; the CAC’s Data Export Facilitation Measures (January 2026) which created pilot exemptions from localization requirements for certain categories of cross-border business data in the Shanghai FTZ, Lingang, Hainan FTP, and Shenzhen Qianhai; and the publication of 7 additional industry important data catalogues covering AI, autonomous driving, smart manufacturing, new energy, carbon trading, biomedical research, and cross-border e-commerce.

Foreign companies should monitor developments around the proposed Data Cross-Border Flow Facilitation measures, which may create additional exemptions for non-personal, non-important business data in pilot free trade zones. If adopted broadly, these measures could reduce the data localization burden for FIEs operating in non-sensitive industries within designated pilot zones.

Where to Go From Here

Understanding which data localization requirements apply to your industry is the essential first step toward compliance. Start with a formal data classification audit under PRC law, then map your obligations against the relevant industry catalogues.

What is data localization and which industries require it in China? — first published on China Gateway 360. Last updated: July 2026.


Related articles

How a US E-Commerce Brand Handled a Product Liability Claim in China: Insurance Case Study

How a US E-Commerce Brand Handled a Product Liability Claim in China: Insurance Case Study body { font-family: 'Segoe UI', -apple-system, BlinkMacSyst

Can I buy a global insurance policy that covers my China operations?

Can I buy a global insurance policy that covers my China operations? Yes, you can buy a global insurance policy that covers your China operations, but

Essential China Work Visa Resources for Foreign Companies

Essential China Work Visa (Z Visa) Resources for Foreign Companies: A Practical Guide Navigating the China work visa (Z visa) process is one of the mo

China Work Visa Update: 48-Hour Express Processing Available in 12 Cities — Key Takeaways

China Work Visa Update: 48-Hour Express Processing Now Available in 12 Cities Starting January 2025, China has officially launched a 48-hour express p