FAQ

What's the difference between PIPL cross-border consent and CAC security assessment?

Short answer

Separate consent is a per-individual data-subject mechanism that every transfer needs in some form. CAC security assessment is a regulatory-approval mechanism that only certain transfers need, based on data category and volume. They operate at different layers and one does not replace the other.

The two mechanisms

Under PIPL (Personal Information Protection Law), data crossing the mainland-China border requires both a legal basis and a transfer-mechanism qualification.

The legal basis component typically requires **separate consent** from the data subject — distinct from the general consent for processing, and specifically informed about the cross-border transfer (the overseas recipient identity, processing purpose, retention period, and channels for exercising rights). This is a data-subject-facing mechanism.

The transfer-mechanism component requires one of three paths to be in place: a CAC security assessment (the strictest, mandatory for CII operators and for transfers above volume thresholds), a CAC-approved standard contractual clause (SCC), or a personal-information-protection certification. This is a regulator-facing mechanism.

A transfer almost always needs both — separate consent satisfies the legal basis; one of the three transfer mechanisms qualifies the transfer pathway itself.

The thresholds that trigger CAC security assessment

The CAC security-assessment route is mandatory rather than optional when:

- The data exporter is a CII operator
- The transfer involves Important Data as classified under DSL
- The volume of personal information transferred crosses thresholds set by CAC guidance (these have been revised; current thresholds should be confirmed at engagement time)

For organizations below these thresholds, the SCC route or the certification route is typically more practical.

Related

- What is PIPL?
- What is DSL?
- What is CII?
- Does PIPL apply if my product never touches mainland-China users but my Chinese subsidiary processes their data?