On April 13, 2026, Premier Li Qiang signed State Council Decree No. 835, promulgating the Regulations of the People's Republic of China on Countering Improper Extraterritorial Application of Foreign Laws. The 20-article instrument took effect the moment it was published, with no transition window. For the tech-policy world, the headline is not the diplomatic posturing about "hegemonism" — it is Article 8(4), which lets Beijing prohibit Chinese organizations and individuals from providing data or personal information to foreign entities it places on a new "Malicious Entity List."
What Decree 835 actually does
The regulation knits together three tools China had previously scattered across lower-level rules: an identification mechanism for declaring a foreign measure improper, prohibition orders (禁执令) barring anyone from complying with that measure, and a Malicious Entity List for foreign organizations and individuals that "promote or participate in" implementing it. Listing can trigger entry bans, asset freezes, transaction prohibitions — and, per Article 8(4), a cutoff of data and personal-information flows.
The structural shift matters. As Morrison Foerster notes, China's earlier countermeasures lived in ministry-level instruments — the 2021 MOFCOM Blocking Rules and the 2020 Unreliable Entity List — whereas Decree 835 is a State Council administrative regulation, a higher tier of authority that binds more agencies and carries the threat of criminal liability for violations. This is the first time the Malicious Entity List and prohibition orders have been codified at this level.
The data-transfer escalation
China did not invent a data bar on April 13. Data Security Law Article 36 and PIPL Article 41 already prohibit handing China-stored data to foreign judicial or law enforcement bodies without approval from "the competent authorities of the People's Republic of China." Article 41 is explicit: "Without the approval of the competent authorities of the People's Republic of China, no organization or individual shall provide data stored in the territory of the People's Republic of China for any foreign judicial or law enforcement authority."
What Decree 835 adds is a second, entity-targeted layer. The existing DSL/PIPL bar is request-based — it governs what happens when a foreign court or regulator demands data. Article 8(4) is status-based: once an entity is listed, the data tap can be turned off entirely, regardless of any specific request. For a multinational responding to a U.S. subpoena, a CLOUD Act order, or an EU regulatory probe, the calculus changes from "can I get Beijing's sign-off on this transfer?" to "is my counterparty, parent, or the requesting authority itself one designation away from being cut off?"
The case Beijing is making
The strongest version of China's argument deserves a fair hearing. The Ministry of Justice frames the regulation as a defensive response to foreign extraterritorial reach that genuinely does overshoot — U.S. secondary sanctions that punish non-U.S. firms for lawful trade, and discovery orders that compel production of data sitting on foreign soil. The principle that a sovereign should not be conscripted into a foreign court's evidence-gathering without a treaty channel is not a Chinese invention. The EU's own GDPR Article 48 (2018) restricts transfers made in response to a foreign court or tribunal order unless that order rests on an international agreement such as a mutual legal assistance treaty. Seen this way, Decree 835 is China asserting a data-sovereignty norm that Brussels asserts too.
That parity argument is real, and Western commentators who treat any Chinese data rule as uniquely sinister are being lazy. Cross-border law enforcement access is a genuine collision of sovereign legal orders, and MLAT-style channels exist precisely because unilateral demands are corrosive.
Where proportionality breaks down
The problem is not the principle; it is the design. GDPR Article 48 is a rule of general application with a known exception (international agreements) and an independent judiciary to police it. Decree 835 is a discretionary blacklist. The triggering conduct — to "promote" an improper foreign measure — is undefined and elastic. Designation runs through executive bodies, the exemption process is opaque, and the regulation took effect with zero grace period, leaving compliance teams to reverse-engineer their exposure overnight.
That discretion is where the cost to innovation arises. When data access becomes a countermeasure rather than a stable legal entitlement, the predictability that data-driven businesses depend on evaporates. A cloud provider, a payments firm, or a research lab operating in China can no longer treat lawful data flows as a given; they must price in the risk that a geopolitical dispute, two layers removed from their own conduct, severs access to records, payroll, and operational systems. That is a far heavier blow than a visa ban, and it accelerates the fragmentation of the global data economy into walled jurisdictions — the opposite of the interoperable internet that lets startups scale across borders.
The deeper risk is reciprocity spirals. If Beijing weaponizes data access against blacklisted entities, Washington and Brussels face pressure to respond in kind, and multinationals get caught in genuinely irreconcilable compliance binds: comply with one jurisdiction's order and violate another's prohibition. There is no clever legal posture that resolves a direct conflict of mandatory laws.
The proportionate path
China is entitled to object to extraterritorial overreach — but a rule that advances data sovereignty should look like GDPR Article 48, not a discretionary blacklist. Published designation criteria, a transparent and time-bound exemption process, and a revival of functioning MLAT channels would let Beijing defend its sovereignty without holding the data economy hostage to executive whim. Decree 835, as written, chooses leverage over predictability. For the open internet and the firms that build on it, that is the expensive choice.