# PIPL three-track transfer mechanism — Articles 38–40
China's Personal Information Protection Law (PIPL), effective November 1, 2021, imposes a three-track compliance framework for any personal information processor that transfers personal information outside the territory of the People's Republic of China. The regime is administered by the Cyberspace Administration of China (CAC) and applies both to processors located within China and, extraterritorially, to processors outside China that handle personal information of individuals physically located in mainland China for the purpose of providing products or services or analyzing their behavior.
## The three approved transfer mechanisms
Article 38 PIPL requires a personal information processor that "truly needs to provide personal information for a party outside the territory" to meet one of four conditions:
- Security assessment — passing the security assessment organized by the CAC under Article 40;
- Personal information protection certification — obtaining certification from a specialized institution according to CAC-issued provisions;
- Standard contract — concluding a contract with the overseas recipient in accordance with the standard contract formulated by the CAC; or
- Other conditions — meeting other conditions set forth by laws, administrative regulations, or CAC provisions.
Where an international treaty or agreement that China has concluded or acceded to stipulates conditions for cross-border transfers, those treaty conditions may be followed instead (Art. 38, final paragraph).
Each mechanism requires procedural compliance before the transfer. The CAC has issued implementing regulations for the security-assessment and standard-contract tracks; the certification mechanism is governed by CAC provisions issued jointly with the State Administration for Market Regulation.
## Data localization overlay — Article 40
Article 40 PIPL imposes a data localization obligation on two categories of processor:
- Critical information infrastructure operators (as defined under the Cybersecurity Law); and
- Personal information processors whose processing of personal information reaches the amount prescribed by the CAC.
These entities must store domestically the personal information collected and generated within China. Where it is "truly necessary" to provide the information to a party outside China, the entity must undergo a security assessment organized by the CAC, unless laws, administrative regulations, or CAC provisions exempt the transfer.
The CAC threshold for the second category (volume-based data localization) has been prescribed in regulations effective September 1, 2022, but the specific quantitative or qualitative trigger is set by reference to sectoral guidelines issued by the CAC. As of May 29, 2026, practitioners should verify the applicable threshold for their industry and data type.
## Separate consent requirement — Article 39
Separate consent is mandatory for all cross-border transfers of personal information. Article 39 requires the processor to inform the individual of:
- the overseas recipient's name and contact information;
- the purposes and means of processing;
- the categories of personal information to be processed; and
- the methods and procedures for the individual to exercise rights over the overseas recipient.
The processor must obtain the individual's separate consent — a consent distinct from any general consent obtained for domestic processing.
The separate-consent requirement applies cumulatively with whichever Article 38 track the processor selects. A processor using the standard-contract mechanism or obtaining certification must still obtain separate consent from each data subject before the transfer.
Source: Personal Information Protection Law of the People's Republic of China, Arts. 38–40
# Standard contract filing mechanism — volume thresholds and 10-day filing deadline
The Measures for the Standard Contract for the Outbound Transfer of Personal Information (个人信息出境标准合同办法, CAC Order No. 13), effective June 1, 2023, operationalize the standard contract pathway under Article 38(1)(3) PIPL. This mechanism is available to personal information processors (data controllers) that fall within the volume thresholds established by the March 22, 2024 Provisions on Promoting and Regulating the Cross-Border Flow of Data (促进和规范数据跨境流动规定).
## Volume thresholds for standard contract filing
Under the 2024 Provisions, a personal information processor must file a standard contract with the provincial CAC office when its cross-border transfers meet the following thresholds, measured from January 1 of the calendar year:
- 100,000 to 1,000,000 individuals — non-sensitive personal information of 100,000 or more individuals but fewer than 1,000,000 individuals; or
- Fewer than 10,000 sensitive personal information subjects — sensitive personal information (as defined in Article 28 PIPL, including biometric identifiers, health data, financial account information, location tracking, and personal information of minors under 14) of fewer than 10,000 individuals.
Exemptions. Transfers are exempt from all three Article 38 mechanisms (security assessment, standard contract, and certification) when the processor provides personal information overseas for one of the narrow purposes enumerated in Article 5 of the 2024 Provisions:
- Contract performance — truly necessary to conclude or perform a contract to which the individual is a party (cross-border purchases, delivery, wire transfers, payments, air/rail ticketing);
- Human resources management — lawful HR management under employment rules or collective agreements, limited to employee personal information directly relevant to HR purposes and transferred in a manner that minimizes impact;
- Emergency response — necessary in emergencies to protect the life, health, or property of a natural person.
The exemptions are narrowly construed. The 2024 Provisions emphasize that the processor must prove necessity and that the scope of transferred information must be limited to what is directly relevant to the stated purpose. HR exemptions apply only when the three-criteria test is met (necessity, scope limitation, minimization of impact).
## The standard contract instrument
The CAC publishes a mandatory template standard contract. The clauses in the template cannot be modified, but the processor and overseas recipient may agree on additional terms provided they do not conflict with the template (Article 6 of the Standard Contract Measures).
The processor must conduct a Personal Information Protection Impact Assessment (PIPIA) before signing the contract. The PIPIA assesses:
- the quantity, scope, type, and sensitivity of the personal information to be transferred;
- the risk the transfer poses to personal information rights and interests;
- the responsibilities and obligations the overseas recipient undertakes, and whether its management, technical measures, and capabilities are sufficient to ensure security;
- the risk of tampering, destruction, disclosure, loss, or illegal use after transfer;
- whether a smooth channel exists for protecting the rights of the data subjects; and
- the impact of the personal information protection laws and regulations in the country or region where the overseas recipient is located on performance of the standard contract.
## Filing procedure and 10-working-day deadline
Within 10 working days after the standard contract becomes effective, the processor must file the contract with the provincial CAC office where it is located (Article 7 of the Standard Contract Measures). The filing package includes:
- A copy of the signed standard contract;
- The PIPIA report; and
- Any other materials required by the Filing Guidance.
On May 30, 2023, the CAC issued the Guidance on Filing for the Standard Contract for Outbound Cross-Border Transfer of Personal Information (First Edition) (个人信息出境标准合同备案指南第一版), which provides template forms for the PIPIA and specifies the submission format. A second edition of the Filing Guidance was issued in March 2024 to align with the 2024 Provisions.
The filing is administrative, not an approval. The provincial CAC does not issue a decision; the processor may commence transfers immediately upon filing, provided the 10-working-day deadline is met. However, the CAC retains supervisory authority to review filed contracts, request supplementary information, and order corrective action if the contract or PIPIA fails to meet statutory requirements.
## Validity and updates
A standard contract (SCC) filing remains valid as long as the standard contract remains valid. There is no fixed expiration date. However, the processor must submit an updated or revised filing if there are substantial changes during the contract's validity period, including:
- changes in the purpose of the transfer;
- changes in server location;
- changes in data recipients (adding or removing overseas entities); or
- other conditions that impact individuals' rights or interests.
Volume changes alone do not trigger a re-filing requirement, provided the updated volume does not cross the threshold requiring security assessment (1 million individuals or 10,000 sensitive personal information subjects). If the threshold is crossed, the processor must cease relying on the standard contract and undergo a CAC security assessment.
The CAC has not published a simplified process for updating a filed contract. Processors must file an updated version of the entire package of materials submitted with the original SCC filing.
## Anti-circumvention rule
Article 5 of the Standard Contract Measures prohibits processors from splitting personal information that should undergo security assessment into smaller batches to qualify for the standard contract mechanism. This anti-circumvention rule closes the loophole for processors that would otherwise fragment a single data flow across multiple filing submissions.
Source: Measures for the Standard Contract for the Outbound Transfer of Personal Information (CAC Order No. 13)
Source: Provisions on Promoting and Regulating the Cross-Border Flow of Data
Source: Guidance on Filing for the Standard Contract for Outbound Cross-Border Transfer of Personal Information (First Edition)
# Security assessment mechanism — mandatory triggers and CAC evaluation process
The security assessment mechanism is the first and most restrictive of the three Article 38 PIPL transfer pathways. It is mandatory for categories of data processor whose cross-border transfers present the highest risk to national security, public interest, or personal information rights. The mechanism is administered by the Cyberspace Administration of China (CAC) under the Measures for Security Assessment of Outbound Data Transfer (数据出境安全评估办法, CAC Order No. 8), effective September 1, 2022, and as amended by the March 22, 2024 Provisions on Promoting and Regulating the Cross-Border Flow of Data (促进和规范数据跨境流动规定).
## Mandatory triggers — who must undergo security assessment
Under Article 7 of the 2024 Provisions, a data processor must apply for security assessment through its provincial CAC office when the cross-border transfer meets any of the following conditions:
- Critical information infrastructure operators (CIIO) — any CIIO that transfers personal information or important data to a party outside China, regardless of volume. CIIOs are designated under the Cybersecurity Law and include operators in sectors such as public communications and information services, energy, transport, water, finance, public services, and e-government. The designation is made by sectoral regulators and the CAC; a processor that has not been formally designated as a CIIO is not subject to this trigger.
- Important data transfers — any data processor (other than a CIIO) that transfers important data to a party outside China. Article 19 of the 2022 Measures defines "important data" as data that, if tampered with, destroyed, leaked, illegally obtained, or illegally used, may endanger national security, economic operations, social stability, public health, or safety. Sectoral important-data catalogues are issued by relevant ministries and provincial authorities; if a data processor has not been notified or has not seen its data category published in an official catalogue, it is not required to treat the data as important data for security-assessment purposes (Article 2 of the 2024 Provisions).
- High-volume personal information transfers — any data processor (other than a CIIO) that, from January 1 of the calendar year, has cumulatively transferred to parties outside China:
  - 1,000,000 or more individuals' personal information (excluding sensitive personal information); or
  - 10,000 or more individuals' sensitive personal information. Sensitive personal information is defined in Article 28 PIPL as biometric identifiers (for the purpose of uniquely identifying a natural person), religious belief, specific identity (such as administrative sanction or criminal record), medical health, financial account, location tracking, and personal information of minors under 14.
The thresholds are cumulative and calendar-year based. A processor that crosses the 1-million-individual or 10,000-sensitive-individual threshold on any date during the year must immediately apply for security assessment for all subsequent transfers in that calendar year, even if earlier transfers were lawfully completed under the standard-contract mechanism. The CAC has issued anti-circumvention guidance: splitting a single data set into smaller batches to avoid the threshold is prohibited and may result in administrative penalties.
## Security assessment procedure — self-assessment, filing, and CAC evaluation
Step 1: Data processor conducts risk self-assessment. Before applying to the CAC, the processor must complete an internal data outbound risk self-assessment (Article 5 of the 2022 Measures). The self-assessment focuses on:
- the legality, legitimacy, and necessity of the purpose, scope, and manner of the outbound transfer and of the overseas recipient's processing;
- the scale, scope, type, and sensitivity of the outbound data, and the risk the transfer poses to national security, public interest, or the rights and interests of individuals or organizations;
- the responsibility and obligations the overseas recipient has undertaken, and whether its management and technical measures and capabilities are sufficient to ensure security;
- the risk of tampering, destruction, leakage, loss, transfer, or illegal acquisition or use of the data during and after the transfer, and whether there is a smooth channel for protecting data-subject rights; and
- any other matters the data processor considers material.
The self-assessment report must be submitted with the security-assessment application.
Step 2: Processor files application with provincial CAC. The processor submits the application package to the CAC office of the province, autonomous region, or municipality where it is located. The package includes (Article 6 of the 2022 Measures):
- the application form (the CAC has published a template in the Security Assessment Application Guidance, currently Third Edition as of June 27, 2025);
- the data outbound risk self-assessment report;
- a copy of the legal instrument (contract, service-level agreement, or other binding document) between the processor and the overseas recipient, specifying the data protection responsibilities and obligations of both parties;
- a description of the data to be transferred, including the data categories, scope, volume, sensitivity, purpose, processing manner, and storage location;
- the identity and contact information of the overseas recipient, and a description of the laws and regulations on data and personal information protection in the country or region where the recipient is located; and
- any other materials required by the CAC.
Step 3: Provincial CAC completeness review (5 working days). The provincial CAC reviews the application for completeness within 5 working days (Article 7). If the materials are complete, the provincial office forwards them to the national CAC (the State Internet Information Office). If incomplete, the provincial office returns the package and identifies the missing items in a single notice.
Step 4: National CAC acceptance decision (7 working days). The national CAC determines whether to accept the application within 7 working days of receipt from the provincial office, and issues a written acceptance or rejection notice.
Step 5: National CAC substantive evaluation. The CAC evaluates the risk the outbound transfer poses to national security, public interest, and the rights and interests of individuals or organizations. The evaluation focuses on (Article 8):
- the legality, legitimacy, and necessity of the purpose, scope, and manner of the outbound transfer;
- the impact of the data-protection policies, laws, and cybersecurity environment of the country or region where the overseas recipient is located on the security of the outbound data, and whether the recipient's data-protection level meets the requirements of PRC laws, administrative regulations, and mandatory national standards;
- whether the overseas recipient has sufficient management and technical measures and capabilities to ensure data security;
- the risk of the data being tampered with, destroyed, leaked, lost, or illegally used during and after the transfer;
- whether there is a smooth and effective channel for protecting the rights and interests of data subjects and whether the data processor and the overseas recipient have established dispute-resolution mechanisms; and
- whether the overseas recipient complies with Chinese laws and the contractual obligations regarding the purpose, scope, and manner of data use, and whether there is a risk of re-transfer by the overseas recipient to other organizations or individuals.
The national CAC may request additional materials or conduct on-site inspections during the evaluation. The CAC does not publish a statutory time limit for completing the substantive evaluation; practitioners should expect the process to take several months.
Step 6: CAC issues evaluation result. The CAC issues a written decision. A passing evaluation result is valid for 3 years from the date of issuance (Article 9 of the 2024 Provisions). The processor may continue the outbound transfer throughout the validity period without re-applying, provided the facts underlying the evaluation do not change.
Extending the validity period. A processor may apply to extend the evaluation result for an additional 3 years if (1) the evaluation result is approaching expiration, (2) the processor needs to continue the outbound transfer, and (3) no circumstance requiring re-evaluation has arisen. The application must be filed at least 60 working days before expiration (Article 9 of the 2024 Provisions). The June 27, 2025 Third Edition of the Application Guidance provides the template and procedures for extension applications.
## Circumstances requiring re-evaluation
A processor that has passed security assessment must re-apply if any of the following circumstances arise during the validity period (Article 11 of the 2022 Measures):
- the purpose, scope, or manner of processing by the processor or the overseas recipient changes materially;
- the overseas recipient's country or region changes;
- the processor or the overseas recipient's data protection level or risk of data leakage changes materially;
- the legal instrument governing the transfer is amended or replaced in a manner affecting data-subject rights or interests; or
- other circumstances that materially affect data outbound security arise.
The CAC retains ongoing supervisory authority over approved transfers. If the CAC discovers that an outbound transfer no longer complies with data-outbound security management requirements, it may issue a written notice terminating the transfer. The processor must cease the transfer immediately. If the processor wishes to resume, it must complete corrective actions and re-apply for evaluation (Article 17 of the 2022 Measures).
## Relationship to the standard-contract and certification mechanisms
The security assessment, standard contract, and certification mechanisms are mutually exclusive for a given transfer. A processor cannot choose which mechanism to use once the mandatory security-assessment triggers apply. Specifically:
- A CIIO must use security assessment for all personal information and important data transfers, regardless of volume.
- A processor transferring important data (that has been officially designated) must use security assessment, regardless of whether the processor is a CIIO.
- A processor that crosses the 1 million / 10,000 sensitive threshold during the calendar year must use security assessment for all subsequent transfers in that year.
Processors below the security-assessment thresholds may choose between the standard-contract and certification mechanisms, subject to the volume thresholds set forth in the 2024 Provisions. The three mechanisms are in addition to, not a substitute for, the separate-consent requirement under Article 39 PIPL, which applies to all cross-border personal information transfers regardless of mechanism.
## Penalties for non-compliance
Violations of the security-assessment obligation are subject to administrative penalties under the Cybersecurity Law, the Data Security Law, and PIPL. Under Article 66 PIPL, a processor that transfers personal information outside China without completing the required security assessment is subject to:
- an order to correct and a warning;
- confiscation of illegal gains;
- a fine of up to RMB 1,000,000 for the data processor;
- a fine of RMB 10,000 to RMB 100,000 on the directly responsible manager and other directly responsible personnel; and
- if the processor refuses to correct or if the circumstances are serious, an order to suspend business for rectification, suspension or revocation of the relevant business license or operating permit, or a fine of up to RMB 50,000,000 or 5% of the prior year's turnover.
Criminal liability may attach under the Criminal Law if the violation endangers national security or constitutes an offense such as illegal acquisition of personal information or illegal provision of data to a foreign entity.
Source: Measures for Security Assessment of Outbound Data Transfer (CAC Order No. 8, effective September 1, 2022)
Source: Provisions on Promoting and Regulating the Cross-Border Flow of Data (effective March 22, 2024)
Source: CAC Announcement on Measures for Security Assessment of Outbound Data Transfer
# Certification mechanism — CAC-approved third-party evaluation and 3-year validity
The certification mechanism is the third Article 38 PIPL transfer pathway and is administered jointly by the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) under the Measures for the Certification of Cross-Border Personal Information Transfer (个人信息出境认证办法, CAC/SAMR Order No. 20), effective January 1, 2026. This mechanism provides a market-based, voluntary alternative to the standard contract filing for processors that fall within the same volume thresholds but prefer third-party certification over a bilateral contract-plus-filing model.
## Eligible processors — non-CIIO, mid-tier volume, no important data
Article 5 of the Certification Measures defines the processors eligible to use certification. A processor may apply for Personal Information Protection Certification (PIP Certification, 个人信息保护认证) when all of the following conditions are met:
- Not a Critical Information Infrastructure Operator (CIIO) — the processor has not been formally designated as a CIIO under the Cybersecurity Law. CIIOs must undergo security assessment for all cross-border transfers regardless of volume.
- Mid-tier volume thresholds — from January 1 of the calendar year, the processor has cumulatively transferred to parties outside China:
  - 100,000 or more but fewer than 1,000,000 individuals' personal information (excluding sensitive personal information); or
  - Fewer than 10,000 individuals' sensitive personal information. Sensitive personal information is defined in Article 28 PIPL as biometric identifiers (for the purpose of uniquely identifying a natural person), religious belief, specific identity (administrative sanction or criminal record), medical health, financial account, location tracking, and personal information of minors under 14.
- No important data — the personal information to be transferred does not include important data as defined in sectoral catalogues issued by the CAC and relevant ministries. If the transfer includes important data, the processor must undergo security assessment regardless of volume.
The volume thresholds are identical to the standard-contract thresholds under the March 2024 Provisions on Promoting and Regulating the Cross-Border Flow of Data. A processor meeting these conditions may choose between certification and standard contract filing; the two mechanisms are mutually exclusive alternatives for the same risk tier.
## Anti-circumvention rule
Article 5 of the Certification Measures prohibits processors from splitting personal information that should undergo security assessment into smaller batches to qualify for certification. A processor that crosses the 1-million-individual or 10,000-sensitive-individual threshold during the calendar year must cease relying on certification or standard contracts and immediately undergo CAC security assessment for all subsequent transfers in that year.
## Pre-application obligations — notification, separate consent, and PIPIA
Article 6 of the Certification Measures requires the processor to fulfill three core obligations before applying for certification:
- Notification — inform each data subject of the cross-border transfer in accordance with Article 39 PIPL, including the overseas recipient's name and contact information, the purposes and means of processing, the categories of personal information to be transferred, and the methods and procedures for the individual to exercise rights over the overseas recipient.
- Separate consent — obtain the individual's separate consent for the cross-border transfer. The consent must be specific, explicit, and obtained independently from any general consent for domestic processing. This requirement applies to all cross-border personal information transfers under PIPL, regardless of which Article 38 mechanism the processor selects.
- Personal Information Protection Impact Assessment (PIPIA) — conduct and document a PIPIA before applying for certification. Article 6(2) of the Certification Measures specifies six evaluation areas for the PIPIA:
  - the legality, legitimacy, and necessity of the purpose, scope, and manner of processing by both the processor and the overseas recipient;
  - the scale, scope, type, and sensitivity of the personal information to be transferred, and the risks the transfer poses to national security, public interest, and individual rights;
  - the obligations the overseas recipient has undertaken, and whether its management and technical measures and capabilities are sufficient to ensure security;
  - the risk of the data being tampered with, destroyed, leaked, lost, or illegally used after transfer, and whether a smooth channel exists for protecting data-subject rights;
  - the impact of the personal information protection laws and regulations in the country or region where the overseas recipient is located on the security of the outbound data; and
  - other matters that may affect the security of the cross-border transfer.
The PIPIA must be submitted with the certification application.
## Application procedure — CAC-approved certification bodies
Under Article 7 of the Certification Measures, the processor applies directly to a specialized certification institution (专业认证机构) that has obtained certification qualification from SAMR and has completed filing with the CAC. As of June 1, 2026, the joint CAC/SAMR list of approved certification bodies qualified to conduct PIP Certification has not been published on the National Certification and Accreditation Information Public Service Platform. Processors should monitor updates from the CAC and SAMR.
The certification bodies are market-based third-party evaluators, not government agencies. The processor selects a certification body from the approved list and pays a certification fee. The certification body conducts technical verification, on-site review, and post-certification supervision in accordance with the Personal Information Protection Certification Implementation Rules (个人信息保护认证实施规则) and the national standard GB/T 46068-2025, Data Security Technology — Security Certification Requirements for Cross-Border Processing Activity of Personal Information, which took effect on March 1, 2026.
Overseas processors. Article 7 permits processors located outside China that fall within the extraterritorial scope of PIPL (processing personal information of individuals located in China for the purpose of providing products or services or analyzing their behavior) to apply for certification. The overseas processor must apply through its specialized institution or designated representative established within China, as required by Article 53 PIPL.
## Certification validity — 3 years, with renewal option
Article 9 of the Certification Measures establishes a 3-year validity period for PIP Certification certificates. The processor may continue cross-border transfers throughout the validity period without re-applying, provided the facts underlying the certification do not change.
Renewal. A processor may apply for certification renewal if it needs to continue the transfer beyond the 3-year period. The renewal application must be submitted at least 6 months before the certificate expires. The certification body evaluates the renewal application using the same standards and procedures as the initial certification.
Certificate suspension and revocation. Article 10 requires the certification body to suspend the certificate if the processor's cross-border transfer activities no longer conform to the certification scope or no longer meet certification requirements. The certification body must revoke the certificate if the non-conformity is not corrected within the suspension period. The certification body reports the suspension or revocation to the CAC and SAMR and publishes the updated certificate status on the National Certification and Accreditation Information Public Service Platform within 5 working days.
## Comparison to standard contract filing
Both certification and standard contract filing are available to the same category of processor (non-CIIO, mid-tier volume, no important data). The two mechanisms differ primarily in structure and flexibility:
- Standard contract is a bilateral, contract-based mechanism. The processor and the overseas recipient sign the CAC's mandatory-template standard contract, and the processor files the signed contract with the provincial CAC office within 10 working days. The mechanism is self-managed — the processor conducts its own PIPIA and files the contract without third-party evaluation. It is suitable for point-to-point transfers where the overseas recipient is willing and able to sign a contract with defined data-protection obligations.
- Certification is a third-party evaluation mechanism. The processor applies to a CAC-approved certification body, which conducts technical verification and on-site review. The certification body issues a certificate valid for 3 years. The mechanism is managed by a market-based evaluator rather than the processor alone. It is particularly useful when:
  - the overseas recipient is unwilling or unable to sign a contract (for example, a foreign government authority, a large commercial customer with standardized terms, or a cloud service provider that does not negotiate data-protection clauses);
  - the processor engages in intra-group data sharing across multiple overseas affiliates or frequent transfers to multiple overseas recipients, and prefers a single certification covering the entire processing activity rather than managing separate standard contracts with each recipient; or
  - the processor prefers independent third-party validation of its data-protection practices for reputational or commercial reasons.
Both mechanisms require the processor to obtain separate consent from data subjects and conduct a PIPIA before the transfer. Both are cumulative with the Article 39 separate-consent requirement, which applies to all cross-border personal information transfers regardless of mechanism.
## Supervision and enforcement
Article 13 of the Certification Measures grants SAMR and the CAC joint supervisory authority over certification activities. The regulators conduct periodic or ad-hoc inspections of certification bodies and may review certification processes and results. Provincial CAC offices and relevant authorities may interview (约谈) a certified processor if the cross-border transfer presents significant risk or if a personal information security incident occurs. The processor must implement corrective actions to eliminate the risk.
Violations of the Certification Measures are subject to penalties under PIPL, the Cybersecurity Law, the Data Security Law, and the Certification and Accreditation Regulations. Under Article 66 PIPL, a processor that transfers personal information outside China without completing the required certification (when certification is the chosen mechanism) is subject to the same penalties as failure to complete security assessment or standard contract filing: an order to correct, a warning, confiscation of illegal gains, a fine of up to RMB 1,000,000 for the processor, a fine of RMB 10,000 to RMB 100,000 on directly responsible personnel, and — if the violation is serious or the processor refuses to correct — a fine of up to RMB 50,000,000 or 5% of the prior year's turnover, suspension of business, or revocation of business license.
Criminal liability may attach under the Criminal Law if the violation endangers national security or constitutes an offense such as illegal acquisition of personal information or illegal provision of data to a foreign entity.
Source: Measures for the Certification of Cross-Border Personal Information Transfer (CAC/SAMR Order No. 20, effective January 1, 2026)
Source: CAC/SAMR Announcement on the Measures for the Certification of Cross-Border Personal Information Transfer
Source: Provisions on Promoting and Regulating the Cross-Border Flow of Data (effective March 22, 2024)
Exemptions from Article 38 transfer mechanisms — contract performance, HR, emergencies, and low-volume transfers
The Provisions on Promoting and Regulating the Cross-Border Flow of Data (促进和规范数据跨境流动规定), effective March 22, 2024, establish narrow exemptions from the three Article 38 PIPL transfer mechanisms (security assessment, standard contract, and certification). A processor that meets one of the exemption conditions in Articles 3–6 of the 2024 Provisions may transfer data or personal information to a party outside China without undergoing security assessment, filing a standard contract, or obtaining certification. These exemptions are threshold determinations — processors apply them before choosing among the three Article 38 mechanisms.
The exemptions do not waive the processor's obligation to comply with Article 39 PIPL separate consent and notification requirements, nor do they suspend any other PIPL or Data Security Law obligations. A processor relying on an exemption must still obtain separate consent from each data subject and conduct a Personal Information Protection Impact Assessment (PIPIA) before the transfer (Article 10 of the 2024 Provisions).
## Article 3 exemption — business data without personal information or important data
Article 3 exempts the cross-border transfer of data collected or generated in international trade, cross-border transport, academic cooperation, transnational production and manufacturing, or marketing activities when the data does not contain personal information or important data. This exemption targets routine business-to-business data flows (invoices, logistics manifests, inventory records, non-personal analytics) that support cross-border operations but carry no national-security or personal-privacy risk.
The exemption is narrow. If the data set includes any personal information — even a single individual's name or identifier — or has been designated by a competent authority as important data, the processor must use one of the three Article 38 mechanisms. The CAC has issued sector-specific important-data catalogues; a processor whose data has not been notified or publicly designated as important data is not required to treat it as important data for purposes of this exemption (Article 2 of the 2024 Provisions).
## Article 4 exemption — offshore-collected personal information processed in China and re-exported
Article 4 exempts the transfer of personal information collected and generated outside China that was transmitted into China for processing and is now being transferred back outside China, provided the processing did not introduce any personal information or important data collected or generated within China. This exemption permits Chinese data centers and cloud processors to handle offshore personal information without triggering Article 38 obligations, as long as they do not commingle it with data of individuals located in China.
Example. A Singapore company transmits employee payroll data of Singapore-based staff to a Chinese cloud processor for analytics. The processor generates a summary report and sends it to a UK affiliate. The report may be transferred under the Article 4 exemption if the processor did not add data of individuals located in China and the data was not designated as important data.
The exemption fails if the processor introduces 境内个人信息 (personal information of individuals located in China). A single addition — for example, appending a Chinese employee's record to the offshore data set — triggers the Article 38 requirement for the entire outbound transfer.
## Article 5 exemptions — personal information transfers for specific purposes
Article 5 establishes four narrow exemptions for personal information transfers that meet specified purpose and necessity tests. All four require the processor to demonstrate that the transfer is 确需 ("truly necessary") for the stated purpose and to limit the scope of transferred data to the minimum necessary. The exemptions apply only when the data does not include important data.
1. Contract performance — Article 5(1)
A processor may transfer personal information without an Article 38 mechanism when the transfer is truly necessary to conclude or perform a contract to which the individual is a party. The 2024 Provisions enumerate illustrative scenarios:
- Cross-border purchases (e-commerce, online retail)
- Cross-border delivery (shipping, courier services)
- Cross-border remittances and payments (wire transfers, card payments, mobile wallet transactions)
- Cross-border account opening (opening a bank account at a foreign institution)
- Air and hotel bookings (flight reservations, hotel check-in)
- Visa processing (submitting application documents to a foreign consulate or visa service)
- Exam services (registration for standardized tests administered by overseas bodies)
The CAC's October 2025 FAQ clarifies that the list is illustrative, not exhaustive. The "等" (etc.) modifier permits other contract-performance scenarios to qualify for the exemption, provided they meet two cumulative conditions:
- The transfer is for the purpose of concluding or performing a contract to which the individual is a party (the individual must be a contracting party, not a third-party beneficiary); and
- The processor truly needs to transfer the personal information — necessity is assessed by reference to laws, regulations, national standards, and the actual circumstances of the contract.
Negative example (from the October 2025 FAQ). A domestic hotel that processes the reservation of a Chinese resident for a room in China may not rely on the contract-performance exemption to transfer the guest's personal information to an overseas data center, because the contract (a domestic hotel stay) does not itself require cross-border data transfer. The hotel must use a standard contract or certification if its cumulative transfers meet the Article 8 volume thresholds.
The exemption applies per transfer. A processor that conducts both exempt contract-performance transfers (for example, processing cross-border flight bookings) and non-exempt transfers (for example, sharing customer analytics with a foreign marketing affiliate) must assess each transfer independently. The exempt transfers do not count toward the Article 38 volume thresholds; the non-exempt transfers do.
2. Cross-border HR management — Article 5(2)
A processor may transfer employee personal information overseas without an Article 38 mechanism when the transfer is truly necessary to implement cross-border human resources management under lawfully formulated labor rules and regulations or lawfully signed collective agreements. The exemption is designed for multinational employers that must share employee data across affiliates — for example, transmitting Chinese employees' payroll information to a regional HR shared-service center or sharing performance records with a parent company for promotion decisions.
Necessity and scope limits. The CAC's October 2025 FAQ emphasizes three constraints:
- The labor rules and collective agreements must be lawfully formulated and signed in accordance with PRC labor law;
- The rules and agreements must comply with PIPL's data minimization, purpose limitation, and necessity principles — only personal information directly relevant to HR purposes may be transferred; and
- The processor must adopt methods that minimize the impact on employees' rights and interests.
Example (from the October 2025 FAQ). Whether a processor may transfer employees' ID card numbers, passport numbers, and bank account details under the HR exemption depends on whether those data elements are directly relevant to the HR purpose and whether the transfer method minimizes impact. Transferring bank account details for payroll processing likely qualifies; transferring ID scans for a general personnel database may not.
The exemption does not extend to unilateral employer decisions that lack a lawful labor-rules or collective-agreement foundation. A processor that unilaterally decides to share employee data with an overseas affiliate without a documented HR policy or collective agreement cannot rely on the exemption.
3. Emergency protection — Article 5(3)
A processor may transfer personal information overseas without an Article 38 mechanism in emergency circumstances to protect a natural person's life, health, or property safety when the transfer is truly necessary. The exemption parallels Article 13 PIPL, which permits processing without consent in emergencies.
Examples. Transferring medical records to an overseas hospital during a medical evacuation; sharing location data with foreign search-and-rescue authorities after a natural disaster; transmitting financial account information to a foreign bank to block a fraudulent transaction threatening the account holder's property.
The exemption is time-limited. It applies only for the duration of the emergency. A processor that begins transferring data under the emergency exemption but continues after the emergency has passed must obtain separate consent and, if the volume thresholds are met, file a standard contract or undergo security assessment.
4. Low-volume non-sensitive transfers — Article 5(4)
A processor (other than a CIIO) that has cumulatively transferred, from January 1 of the calendar year, fewer than 100,000 individuals' personal information (excluding sensitive personal information) outside China is exempt from all three Article 38 mechanisms. This exemption creates a safe harbor for processors whose cross-border data flows remain below the 100,000-individual threshold that triggers standard-contract or certification filing under Article 8 of the 2024 Provisions.
Key terms:
- Cumulative — the count runs from January 1 and includes all cross-border personal information transfers during the year, measured by unique individuals (de-duplicated by natural person).
- Excludes sensitive personal information — the exemption applies only to non-sensitive personal information. A single transfer of sensitive personal information (as defined in Article 28 PIPL: biometric identifiers, religious belief, specific identity, medical health, financial account, location tracking, minors under 14) disqualifies the processor from the low-volume exemption, even if the total individual count is below 100,000. The processor must immediately file a standard contract or obtain certification once it transfers the sensitive personal information of even 1 individual, unless another exemption applies.
- CIIO exclusion — Critical Information Infrastructure Operators are categorically excluded from the low-volume exemption. A CIIO must undergo security assessment for all personal information and important data transfers, regardless of volume (Article 7 of the 2024 Provisions).
The low-volume exemption is dynamic. A processor that crosses the 100,000-individual threshold on any date during the calendar year must immediately cease relying on the exemption and file a standard contract or obtain certification for all subsequent transfers in that year. If the processor crosses 1,000,000 individuals (non-sensitive) or 10,000 individuals (sensitive), it must cease contract or certification filing and apply for security assessment (Article 7 of the 2024 Provisions).
## Article 6 — free-trade-zone negative-list exemption
Article 6 authorizes free trade zones (FTZs) to formulate data outbound negative lists (数据出境负面清单). A negative list enumerates data categories or processing activities that may not be transferred outside China from the FTZ. Data not on the negative list may be transferred without security assessment, standard contract, or certification, provided the transfer complies with other PIPL obligations.
Procedure. An FTZ drafts a negative list within the national data-classification framework, obtains approval from the provincial-level cyberspace affairs and informatization committee, and files the list with the CAC and the National Data Administration for review. Once filed, the list takes effect. As of June 2, 2026, the CAC has completed filing for negative lists from the Tianjin, Beijing, Hainan, Shanghai, and Zhejiang FTZs, covering 17 industry sectors including automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, and seed industry (CAC announcement, March 2025).
Multi-FTZ portability. The CAC applies a "one FTZ drafts, multiple FTZs apply" principle. If an FTZ in one province has published a negative list for a given industry sector, other FTZs may adopt the same list by reference without re-drafting (CAC April 2025 FAQ).
The negative-list exemption is the broadest of the Article 3–6 exemptions because it permits FTZ data processors to transfer both personal information and important data (if not on the negative list) without an Article 38 mechanism. However, the exemption is geographically limited to FTZ-registered entities conducting FTZ-based processing activities. A processor located outside an FTZ cannot claim the benefit of an FTZ negative list.
## Relationship to Article 39 PIPL separate consent and PIPIA
All six exemptions (Articles 3–6 of the 2024 Provisions) exempt the processor from the Article 38 mechanisms (security assessment, standard contract, certification) but do not waive the processor's obligation to comply with Article 39 PIPL. Article 10 of the 2024 Provisions expressly reaffirms that a processor relying on an exemption must:
- Notify each data subject of the cross-border transfer in accordance with Article 39 PIPL (overseas recipient's name and contact, purposes and means, categories of data, rights-exercise methods);
- Obtain the individual's separate consent for the cross-border transfer (a consent distinct from any general consent for domestic processing); and
- Conduct a Personal Information Protection Impact Assessment (PIPIA) before the transfer.
The separate-consent and PIPIA obligations apply even when the processor qualifies for an exemption. For example, a processor transferring 50,000 individuals' non-sensitive personal information under the Article 5(4) low-volume exemption must still obtain separate consent from each of those 50,000 individuals and document a PIPIA assessing the risks of the transfer.
The CAC's October 2025 FAQ and April 2025 FAQ both emphasize this point in response to practitioner confusion. The exemptions permit the processor to skip the Article 38 procedural filing or evaluation step, but they do not suspend baseline PIPL data-subject protections.
## Anti-circumvention and enforcement
The CAC retains ongoing supervisory authority over processors relying on exemptions. Provincial CAC offices may audit a processor's exemption determination, request documentation of the necessity assessment (for contract-performance and HR exemptions), and order corrective action if the exemption claim is unsupported. If a processor splits a data set that should undergo security assessment into multiple smaller transfers to artificially qualify for an exemption, the CAC may impose administrative penalties under Article 66 PIPL: an order to correct, a warning, confiscation of illegal gains, a fine of up to RMB 1,000,000 on the processor, a fine of RMB 10,000 to RMB 100,000 on directly responsible personnel, and — if the violation is serious or the processor refuses to correct — a fine of up to RMB 50,000,000 or 5% of prior-year turnover, suspension of business, or revocation of business license.
Criminal liability may attach under the Criminal Law if the circumvention endangers national security or constitutes illegal provision of data to a foreign entity.
Source: Provisions on Promoting and Regulating the Cross-Border Flow of Data (effective March 22, 2024)
Source: CAC Announcement on the Provisions on Promoting and Regulating the Cross-Border Flow of Data
Source: Data Outbound Security Management Policy FAQ (October 2025)
Source: Data Outbound Security Management Policy FAQ (April 2025)