Recently, the State Internet Information Office released a question and answer on data exit security management policies. The State Internet Information Office said that the Cyber Security Law, the Data Security Law and the Personal Information Protection Law clearly stipulate data exit activities at the legal level. The relevant regulations are not applicable to all data, but are limited to important data and personal information. For important data that needs to be exported, the law has made institutional arrangements. If the data export security assessment determines that it will not harm national security and public interests, it can be exported. For the export of personal information, the law provides various channels such as data export security assessment, personal information protection certification, and personal information export standard contracts. It is reported that as of March 2025, the State Internet Information Office has completed 298 data exit security assessment projects, of which 44 declaration projects involve important data, and 7 projects fail the assessment, with a failure rate of 15.9%; 44 declared projects involve 509 important data items, of which 325 are approved for export after evaluation, accounting for 63.9% of the total number of declared data items. The State Internet Information Office and the National Data Administration have successively completed the filing of the negative list of outbound data in Tianjin, Beijing, Hainan, Shanghai, Zhejiang and other pilot free trade zones (ports), and played a role in promoting the cross-border flow of data in 17 fields, including automobile, medicine, retail, civil aviation, reinsurance, Shenzhen marine industry, and seed industry. The State Internet Information Office, together with relevant departments, is guiding their respective trade pilot zones to develop negative lists of data outbound in combination with their respective industrial development characteristics. With the release and implementation of more negative lists, the areas covered will become wider and wider. Article 6 of the Personal Information Protection Law stipulates that "the processing of personal information shall have a clear and reasonable purpose, and shall be directly related to the processing purpose, adopting the method that minimizes the impact on personal rights and interests. The collection of personal information shall be limited to the minimum scope to achieve the processing purpose, and excessive collection of personal information shall not be allowed; Article 19 stipulates that "unless otherwise provided by laws and administrative regulations, the retention period of personal information shall be the shortest time necessary to achieve the processing purpose". In this regard, the State Internet Information Office said that, according to the above legal provisions, the considerations for judging "necessity" include four aspects: directly related to the purpose of processing, having the smallest impact on personal rights and interests, being limited to the minimum scope for achieving the purpose of processing, and the minimum time necessary for the storage period to achieve the purpose of processing. In accordance with the legal provisions, the State Internet Information Office will fully consider the business scenarios and actual needs of the data processor's declaration items in carrying out the security assessment of data exit, and assess the necessity of personal information exit. The key points of the assessment mainly include the necessity of the outbound activity itself, the necessity of involving the scale of natural persons, and the necessity of the scope of outbound personal information data items. Data outbound involves many industries. The State Internet Information Office, together with relevant industry authorities, will gradually refine and clarify the business scenarios of data outbound in specific industries and the necessary scope of personal information outbound, so as to provide more detailed policy guidance for enterprises and institutions to outbound data. What is important data? The State Internet Information Office said that, according to Article 62 of the Regulations on the Administration of Network Data Security, important data refers to data in specific fields, groups, regions or areas that have reached a certain precision and scale, and may directly endanger national security, economic operation, social stability, public health and safety once they are tampered with, damaged, disclosed or illegally obtained or used. For important data that needs to be exported, the law has made institutional arrangements. If the data export security assessment determines that it will not harm national security and public interests, it can be exported. (New Society)