China's data protection regulators have sharply intensified enforcement activity. Foreign-invested enterprises – including wholly foreign-owned enterprises (WFOE, the standard vehicle for international market entry) – are now facing scrutiny that was, until recently, directed primarily at large domestic platforms. Regulators are acting faster, fines are rising, and the window for voluntary compliance remediation is narrowing.
China's data protection legislative regime – anchored by the Personal Information Protection Law and the Data Security Law – imposes obligations on every organisation that collects, processes, or transfers personal data within or from China. Enforcement is led by the Guojia Hulianwang Xinxi Ban (Cyberspace Administration of China, "CAC"), with the Shichang Jianguan Zongju (State Administration for Market Regulation, "SAMR") playing a growing coordination role. Non-compliant organisations face fines, suspension of data processing activities, and – for repeat violations – criminal referral.
This alert explains what has changed, which organisations are in the enforcement crosshairs, and what actions are required without delay.
What changed – and when it took effect
Regulators under the State Council issued updated enforcement guidelines in early 2025. These guidelines clarify the obligations of every data controller and data processor operating in China. They also tighten the consent mechanism requirements that have, in practice, been inconsistently applied since the personal information protection legislation entered into force.
Three specific shifts define the current enforcement environment.
First, the CAC has moved from guidance-and-warning cycles to direct administrative penalties. Organisations that previously received informal notices now face formal investigations with statutory deadlines of 30 days to respond and produce records.
Second, cross-border data transfer rules are being applied with new rigour. Every outbound data transfer – including routine HR data flows from a China entity to a parent company abroad – must now satisfy one of three approved mechanisms: a standard contract filing. A security assessment (for transfers above defined volume thresholds). Alternatively, certification through an accredited body. Transfers that do not meet one of these mechanisms are unlawful, regardless of whether a corporate group has GDPR compliance in place at the European end.
Third, enforcement actions now target the contractual chain. Where a data controller has engaged a data processor without a compliant data processing agreement, both entities may be held liable. Regulators have signalled that they will pursue the processor as well as the controller in cases where the processor failed to flag non-compliant instructions.
For companies with operations in other high-scrutiny markets, our alert on data protection enforcement in the UAE identifies comparable pressure points in that jurisdiction.
Which organisations are affected – and the threshold criteria
Every organisation that processes personal data in China is subject to the legislative regime. In practice, the current enforcement wave is targeting three categories most actively.
Category 1 – Foreign-invested enterprises processing employee or customer data. Any WFOE, joint venture, or representative office that collects biometric data, health records, financial information, or location data falls within a heightened scrutiny tier. The threshold is not headcount – it is the sensitivity of the data category.
Category 2 – Organisations that transfer data outside China. This includes cloud services where data is stored on servers outside the mainland. Additionally. Any group reporting structure that sends HR, sales. Alternatively, operational data to a non-China parent. The CAC's enforcement posture treats the absence of a valid transfer mechanism as a standalone violation – separate from any underlying data quality issue.
Category 3 – Operators of online platforms or applications with Chinese users. Even a foreign operator whose platform is accessible to users in China may fall within scope. Regulators have asserted jurisdiction over entities with no physical presence in China where the platform processes personal data of Chinese individuals.
The compliance deadline for completing standard contract filings under the updated transfer rules passed in early 2025. Organisations that have not yet filed are already in breach. SAMR's coordination role means that data protection violations may also trigger separate market regulation inquiries.
To receive an expert assessment of your organisation's data protection exposure in China, contact us at info@ferrazwhitmore.com.
Immediate actions for international companies
Organisations operating in or transferring data from China should take the following steps without delay.
- Map your data flows. Identify every category of personal data collected in China and every jurisdiction to which it is transferred. The mapping must cover employee data, customer data, and operational data handled by third-party processors.
- Audit your consent mechanisms. Chinese data protection legislation requires a specific, informed, and separately obtained consent for each processing purpose. Bundled consent – a single checkbox covering multiple uses – does not satisfy the requirement. Review all collection interfaces and update them where consent is bundled or ambiguous.
- Formalise data processor agreements. Where your organisation acts as a data controller and engages local or international processors, written agreements must delineate obligations and liability. Processors must agree in writing to process data only on documented instructions.
- Select and complete a transfer mechanism. For each outbound data transfer, determine whether a standard contract filing, a CAC security assessment, or a certification pathway applies. Standard contract filings must be submitted to the CAC within ten business days of the contract taking effect.
- Designate a local compliance contact. Foreign organisations without a mainland establishment should appoint a representative or agent in China who can receive regulatory communications and respond within statutory deadlines.
International companies managing AI-driven data processing in China should also review their obligations under the AI legislative regime. Our analysis of AI law in China addresses algorithmic recommendation rules and the specific consent obligations they impose.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice covers compliance programme design, cross-border data transfer structuring, and regulatory response across Asian, European, and Middle Eastern jurisdictions. Working as a law firm in China-related matters, we support WFOEs, joint ventures, and foreign platforms in building defensible data governance structures aligned with Chinese data protection legislation. Our team combines Portuguese civil law expertise with English common law tradition. an advantage when cross-border data transfer disputes require parallel engagement across multiple legal systems. This includes proceedings before bodies such as CIETAC (China International Economic and Trade Arbitration Commission). Practitioners with experience advising lawyer-supported clients across high-growth markets, including China, can assess your current exposure and help prioritise remediation steps. For a preliminary review of your data protection posture in China, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.