Cross-border data transfer (CBDT / 数据出境) from mainland China is governed by an intersecting framework — PIPL for personal information, DSL for general data and Important Data, and the Cybersecurity Law / MLPS for system-classified protection.
The framework has been actively iterated since PIPL’s 2021 effective date, with material 2023 and 2024 revisions to thresholds and mechanism scope. The summary below describes the structural framework — specific thresholds and procedural details should be confirmed against current CAC guidance before operational reliance.
The three-mechanism structure (personal information)
PIPL provides three mechanisms for cross-border personal-information transfer:
1. CAC Security Assessment
The strictest mechanism. Mandatory for:
- CII operators transferring any personal information cross-border
- Transfers of personal information of more than a threshold number of individuals (threshold revised periodically — historically 1 million; current threshold should be confirmed against current CAC guidance)
- Transfers of sensitive personal information above a threshold (current threshold should be confirmed)
- Transfers of Important Data under DSL
The Security Assessment is a regulatory-approval process administered by CAC and provincial cyberspace authorities. The assessment evaluates:
- Necessity and proportionality of the transfer
- The data exporter’s data-protection capability
- The data importer’s data-protection capability
- The legal environment of the receiving jurisdiction
- Risk mitigation measures and contractual safeguards
- Data-subject rights protection in the receiving jurisdiction
Approval timelines vary; complex assessments can take multiple quarters.
2. CAC-Approved Standard Contractual Clauses (SCC)
A contractual mechanism similar in structural concept to GDPR SCCs but with PRC-specific clauses. Applicable to transfers below CAC Security Assessment thresholds.
The SCC route requires:
- Execution of CAC-template Standard Contractual Clauses between data exporter and overseas data importer
- A Personal Information Protection Impact Assessment (PIPIA) covering the transfer scope and risk evaluation
- Filing of the executed SCC and PIPIA with the provincial cyberspace authority
The SCC route is the most commonly used mechanism for typical commercial operations transferring personal information out of China.
3. Personal Information Protection Certification
Certification issued by accredited certification bodies under State Administration for Market Regulation (SAMR) oversight. The certification route is particularly relevant for:
- Intra-group transfers within multinational organizations
- Operators with broad cross-border processing where contract-by-contract SCC execution is impractical
The certification process evaluates the operator’s overall personal-information-protection management system and the specific cross-border-transfer scenarios within its scope.
Important Data — CAC Security Assessment only
For Important Data classified under DSL, cross-border transfer always requires CAC Security Assessment. The SCC and certification routes are not available for Important Data.
This is the single most consequential structural distinction in the cross-border transfer framework — Important Data classification turns what might otherwise be an SCC-route transfer into a CAC Security Assessment-route transfer, with materially different timelines, scrutiny, and process burden.
Practical decision tree for overseas operators
For an overseas operator with cross-border transfer needs, the operational decision tree is:
Step 1: Identify the data category. Personal information, non-personal data, or Important Data?
Step 2: For personal information, identify the volume and whether it includes sensitive personal information.
- Sensitive personal information above threshold → CAC Security Assessment
- Personal information of more than threshold individuals → CAC Security Assessment
- Below threshold → SCC or Certification
Step 3: For non-personal data, identify Important Data status.
- Important Data → CAC Security Assessment
- General non-personal data → typically no mechanism required, though sector-specific rules may apply
Step 4: For the SCC route, prepare the PIPIA, execute the SCC, and file with the provincial cyberspace authority.
Step 5: Establish ongoing-operations infrastructure — transfer log, data-subject-rights handling, ongoing risk assessment.
The most common operational mistake is misclassifying the data category (Important Data treated as ordinary personal information; volume threshold underestimated). The consequence is mechanism mismatch — either over-procedure (CAC Security Assessment where SCC would suffice, delaying transfer) or under-procedure (SCC where Security Assessment is required, exposing the operator to enforcement).
Required artifacts for cross-border transfer
Regardless of mechanism, operators typically need:
- Data inventory — what personal information / data is being transferred, in what volume, to whom, for what purpose
- Legal basis identification — what PIPL legal basis authorizes the underlying processing
- Separate consent records (for personal information requiring separate consent for cross-border transfer)
- Personal Information Protection Impact Assessment (PIPIA) — risk analysis of the transfer scenario, mandatory for SCC route
- Data Processing Agreement with overseas recipient
- Data-subject-rights infrastructure — accessible mechanism for individuals to exercise rights
Exemptions and recent simplifications
The 2024 CAC simplifications introduced exemptions for specific cross-border-transfer scenarios — including limited HR data, contract-performance transfers, and certain pilot-zone transfers. The exemption list has been iterated and should be confirmed against current CAC guidance.
Frequently asked questions
Do we need a mechanism for every cross-border transfer, or per-transferee?
Per transferee, with the purpose specified. A single SCC can cover multiple transfers to the same overseas recipient for the same processing purpose. New recipients or materially new purposes require a new (or amended) mechanism.
How long does CAC Security Assessment take?
Variable — historical observation has been multi-quarter for complex assessments. Operators planning Security Assessment-route transfers should plan timelines accordingly.
Can we use GDPR SCCs?
No — Chinese SCC requirements are template-specific and require the CAC-template clauses, not GDPR SCCs. Operators transferring data both into China (where GDPR SCCs may apply on the EU side) and out of China (where CAC SCCs apply on the PRC side) operate parallel contractual structures.
Does storing data in China through a Chinese subsidiary count as a cross-border transfer?
If data is stored in China and remains in China, no cross-border transfer is occurring. If the subsidiary or parent operates a process that moves data out of China (replication, backup to overseas, intra-group access from overseas), that movement is a cross-border transfer and requires a mechanism.
Related
Placeholder — pending founder and China-licensed legal review. Current thresholds, exemption-list status, and procedural timelines must be verified against current CAC publications before publication. The cross-border transfer regulatory environment has been actively iterated; do not rely on this draft for operational decisions without verification.