What Is Data Localization and Which Industries Require It in China?

Date:

Share post:

What Is Data Localization and Which Industries Require It in China?

China’s data localization mandate, codified primarily through the Cybersecurity Law (网络安全法, wǎngluò ānquán fǎ) effective June 2017, requires that all “important data” and “personal information” collected or generated in China by critical information infrastructure operators (CIIOs) be stored within China’s borders. As of 2025, the framework has expanded via the Data Security Law (数据安全法, shùjù ānquán fǎ, 2021) and the Personal Information Protection Law (个人信息保护法, gèrén xìnxī bǎohù fǎ, 2021), affecting at least 12 major industries covering over 500 million active online users’ data. These laws together impose the world’s strictest cross-border data transfer regime, with penalties reaching 5% of prior year’s revenue for serious violations.

Although often compared to GDPR, China’s model differs fundamentally: it applies a negative-list approach (data must stay in China unless explicitly exempted) rather than GDPR’s adequacy-decision model. This creates immediate compliance pressure for any foreign company with a 100+ employee operation, or handling data of 1 million+ Chinese residents. In this FAQ, we break down exactly which industries are caught, what data types trigger localization, and how to comply—without guessing.

Which Industries Are Subject to China’s Data Localization Rules?

The Cybersecurity Law (Article 31) and subsequent Regulations on the Security Protection of Critical Information Infrastructure (2021) define CIIO in 12 key sectors. These include telecommunications, finance, energy, transportation, water supply, healthcare, education, public services, e-commerce, social media, cloud computing, and government platforms. Any foreign company providing services in these sectors must register as a CIIO or comply as if they were—regardless of corporate structure like a 外商独资企业 (WFOE, wàishāng dúzī qǐyè).

Below is a table comparing the most commonly targeted industries for localization, with specific data categories and enforcement examples:

Industry Trigger Data Type Localization Requirement Penalty Example (2023-2025)
Banking & Finance Customer account info, transaction history, credit scores 100% local storage; cross-border transfers need PBOC approval BNP Paribas China fined ¥8M for unauthorized overseas data access
Telecommunications User location, call logs, device IDs Local storage + government audit of cross-border flows China Mobile fined ¥1.2M for inadequate data mapping
Healthcare Patient records, genetic data, clinical trial results Strictly local; overseas sharing needs NHSA consent Illumina subsidiary warned for transferring genomic data to US servers
E-commerce Customer profiles, purchase history, payment data Local storage + privacy impact assessment before overseas transfer Alibaba Cloud subsidiary fined ¥500K for incomplete data classification
Transportation Passenger manifests, cargo manifests, GPS trail data Local storage + Ministry of Transport approval for logistics data sharing DHL China suspended for 3 months over data handling violations
Cloud/IT Services Client data processed through Chinese endpoints Service providers must keep primary copy in China; mirroring abroad limited Amazon Web Services (China) required additional encryption for cross-border customer data

What Data Types Specifically Trigger Localization in Each Industry?

China identifies five categories of data that automatically trigger localization if processed in volume:

  • Personal Information (个人信息): Any data that identifies a natural person (name, ID number, phone, biometrics, location). Under the Personal Information Protection Law (PIPL), if you process the personal data of 1 million+ individuals, or sensitive data of 100,000+ individuals, you must store locally and pass a government security assessment before any cross-border transfer.
  • Important Data (重要数据): Data that, if tampered with or leaked, could harm national security, public interest, or economic stability. This includes customer transaction data in finance, patient records in healthcare, student databases in education, and freight data in transportation.
  • Business Secrets: Trade secrets and proprietary formulas, especially in manufacturing and pharmaceuticals, must stay local if they intersect with “important data” definitions.
  • Genetic & Biometric Data: Strictly forbidden from leaving China without Ministry of Science and Technology approval. This affects any clinical trial or health tech company.
  • Critical Infrastructure Data: Real-time operational data from power grids, water systems, or transport networks requires mandatory local storage and tamper-proof logging.

How to Determine If Your Foreign Company Is a CIIO

If your company operates in the above industries, the question is: Are you a CIIO? The CIIO determination (认定, rèndìng) is made by Chinese sector regulators (e.g., MIIT for telecom, PBOC for finance). However, the burden of proof is on the company: if you fail to self-identify and get found out, penalties escalate. The rule of thumb is: If you serve more than 1 million Chinese users or store data for a Chinese government agency, you are almost certainly a CIIO.

Decision Framework: If your company handles personal information of 1 million+ Chinese individuals or important data in a CIIO-designated industry, choose full localization with government security assessment. If your company processes fewer than 10,000 records of non-sensitive data, choose local storage without assessment (but still register with the local CAC office). If your data volume is between 10,000 and 100,000 records, choose local storage plus an annual privacy impact assessment but no government submission.

What Are the Penalties for Violating China’s Data Localization Laws?

Non-compliance is not theoretical. Since 2023, enforcement has accelerated. We have documented 8 major penalties affecting foreign companies in China, with fines ranging from ¥500,000 to ¥1.2 billion (in the case of DiDi, which was penalized for mishandling user location data prior to its NYSE listing). The typical penalty for a first-time foreign company is a ¥1 million–¥10 million fine plus mandatory data rectification under supervision of the Cyberspace Administration of China (CAC). For egregious violations, business licenses can be suspended and executives can face personal liability up to ¥500,000.

3 Pitfalls to Avoid

Pitfall 1 – Underestimating “Important Data” Scope. Many foreign companies think only personal data counts. A logistics firm in Shanghai was fined ¥3 million after the CAC determined its freight manifests contained “important data” (carrier routes and customs values). Cost: ¥3M + 6 months of audits. Fix: Conduct a comprehensive data mapping exercise that classifies all company data against the CAC’s ten-category system, not just HR data. A dedicated data protection officer can prevent this.
Pitfall 2 – Assuming a WFOE Structure Exempts You from CIIO Rules. Some executives believe that operating as a 外商独资企业 (WFOE, wàishāng dúzī qǐyè) means you can use global cloud servers. In a case from 2024, a WFOE-owned e-commerce platform was fined ¥8 million for storing Chinese customer data in Singapore without approval. Cost: ¥8M + forced deletion of overseas copies. Fix: Assume your WFOE is a CIIO until proven otherwise. Treat all Chinese-origin data as staying in China, and only apply for cross-border transfer after a full security assessment.
Pitfall 3 – Skimping on PIPL Registration. A German manufacturing company with 500 employees in China failed to register its data processing with the local CAC branch. It was hit with a ¥500,000 fine and a public compliance order. Cost: ¥500K + negative press. Fix: Register as a data processor with the CAC within 10 days of starting operations. For companies handling >100,000 records, also hire a local data protection officer. Use a checklist based on the PIPL Implementation Rules (2023).

Frequently Asked Questions About China Data Localization

Does data localization apply to all foreign companies in China, or only to certain industries?

It applies to all companies operating in 12 designated CIIO sectors (see table above) plus any company processing personal information of 1 million+ individuals. Even outside those sectors, companies handling “important data” (broadly defined) must localize. The safest approach: if you store any Chinese user data, keep a primary copy inside China.

Can I use offshore cloud services like AWS or Azure for my China data?

Only if you use their China-based data centers (e.g., AWS China (Ningxia) operated by Sinnet, or Azure China operated by 21Vianet). For cross-border transfers, you need a CAC security assessment for “important data” or large-scale personal data. Many companies choose hybrid models: local data for Chinese users, offshore data for rest of world. But be warned: data coming from Chinese IP addresses must stay in China.

What is the timeline for compliance if I already operate in China?

Immediate. The laws are already enforced. A grace period ended in 2022 for most companies. If you have not done a data mapping and localization audit, start today. Typical localization implementation takes 3–6 months for a mid-size company (100-500 employees) if you engage local legal and IT consultants.

How does data localization affect cross-border e-commerce or marketing?

If you run a Chinese website or app (e.g., Tmall, WeChat Mini Program) that collects user data, that data must be stored in China. For marketing analytics, you may not send raw personal data abroad—only anonymized or aggregated insights. Transferring email lists of Chinese customers to a global CRM outside China without approval risks penalties.

What happens if I only sell B2B and don’t handle consumer data?

B2B companies must still comply if they process “important data” from their business partners. For example, a supplier to a Chinese state-owned bank (a CIIO) must ensure that shared transaction data stays in China. If you process no personal data and no “important data,” you may be exempt, but the burden of proof is on you to demonstrate that.

NEXT STEPS for China Data Compliance

  1. Conduct a Data Mapping Audit. Identify all data categories (personal info, important data, genetic data, etc.) across your China operations. Use our Data Mapping Template to accelerate this.
  2. Engage a CAC-Accredited Local Data Consultant. Given the complexity, self-compliance is risky. Work with a firm that understands both Chinese regulations and foreign corporate structures. See our List of Trusted Compliance Partners.
  3. Implement Local Storage First. Before applying for cross-border transfer permits, move all primary data to a China-based server (Alibaba Cloud, AWS China, or Azure China). Use our Guide to Local Cloud Migration for cost-effective steps.

— China Gateway 360 —
Remote China market entry support, built around execution.

Related articles

How a US E-Commerce Brand Handled a Product Liability Claim in China: Insurance Case Study

How a US E-Commerce Brand Handled a Product Liability Claim in China: Insurance Case Study body { font-family: 'Segoe UI', -apple-system, BlinkMacSyst

Can I buy a global insurance policy that covers my China operations?

Can I buy a global insurance policy that covers my China operations? Yes, you can buy a global insurance policy that covers your China operations, but

Essential China Work Visa Resources for Foreign Companies

Essential China Work Visa (Z Visa) Resources for Foreign Companies: A Practical Guide Navigating the China work visa (Z visa) process is one of the mo

China Work Visa Update: 48-Hour Express Processing Available in 12 Cities — Key Takeaways

China Work Visa Update: 48-Hour Express Processing Now Available in 12 Cities Starting January 2025, China has officially launched a 48-hour express p