China’s Personal Information Protection Law (“PIPL”), enacted in 2021, establishes a structured regulatory framework for cross-border transfers of personal information (“PI”). Depending on the volume, sensitivity and context of PI being exported, exporters may face varying levels of compliance obligations. For instance, small-scale exports of non-sensitive PI may be exempt from formal applications to the Cyberspace Administration of China (“CAC”), while larger or more sensitive transfers may require a CAC-prepared standard PI transfer contract (“Standard Contract”) or a CAC-organized data security assessment (“Data Security Assessment”).
For multinational corporations (“MNCs”) operating in China, navigating these requirements can seem daunting. However, with the right approach, compliance is achievable and manageable.
We recently supported an MNC in successfully securing an approval for a Data Security Assessment. Through the application process, we gained firsthand experience in engaging with both provincial and national levels of CAC. This was a valuable opportunity to better understand CAC’s approach to exercising its authority under the PIPL and its interpretation of relevant regulations.
Notably, the number of successfully completed Data Security Assessments remains relatively low (only 285 as of December 2024), making this experience particularly rare and insightful.
This article summarizes our experience and provides a guide to key aspects of cross-border PI compliance, focusing on:
- Understanding the key regulatory requirements for PI export
- Identifying the appropriate level of compliance through a data audit
- Preparing for the impact assessment and application with CAC
- Maintaining post-approval compliance
1. Understanding the Regulatory Landscape: A Moving Target
PIPL provides the legal foundation for cross-border PI transfers, but the regulatory environment continues to evolve. Key requirements under PIPL Article 38 include:
- Passing a CAC-organized Data Security Assessment.
- Signing a CAC-Standard Data Transfer Contract with the overseas recipient.
- Obtaining PI protection certification from a professional institution.
Condition 3 (certification) is less commonly used. Our focus is on Conditions 1 (Data Security Assessment) and 2 (Standard Contract).
When Standard Contracts are Required
The Measures for Personal Information Export Standard Contract (2022) (“Standard Contract Measures”) (Article 4) outline scenarios requiring a Standard Contract with foreign recipients and its filing with CAC, including:
- The exporter is not a Critical Information Infrastructure (CII) operator.
- Handling PI of fewer than 1 million individuals in China.
- Exporting sensitive PI of fewer than 10,000 individuals within a calendar year.
- Exporting non-sensitive PI of fewer than 100,000 individuals within a calendar year.
When Security Assessments Are Required
The Measures for Security Assessment of Data Exports (2022) (“Security Assessment Measures”) (Article 4) specify scenarios requiring mandatory CAC risk assessments, including:
- Exporting important data.
- CII operators or processors handling PI of over 1 million individuals.
- Exporting sensitive PI of 10,000 individuals or non-sensitive PI of 100,000 individuals within a calendar year.
Regulatory Relaxations Under the 2024 Provisions
The Provisions on Promoting and Standardizing Cross-Border Data Flows (2024) (“the Provisions”) introduce exemptions to ease compliance burdens for certain categories of data transfers. Businesses falling under these categories are exempt from Security Assessments or Standard Contracts:
- Contractual necessity: For activities like cross-border shopping, payment processing, shipping, or services such as hotel bookings and visa applications.
- Employment management: For cross-border human resource management, such as processing employee information for global payroll or benefits.
- Emergency situations: To protect an individual’s life, health, or property in emergencies.
- Low-volume, non-sensitive transfers: Non-sensitive PI of fewer than 100,000 individuals annually.
These changes are consolidated in the Regulations on the Management of Network Data Security, enacted shortly after the Provisions. The table below summarizes the regulatory requirements before and after the relaxation:
| Level of Compliance | Before the Relaxation | After the Relaxation |
| --- | --- | --- |
| Exemption applies (internal compliance is still required) | No exemption | Satisfying the necessity requirements in the three stipulated scenarios; or low-volume, non-sensitive transfer |
| Standard Contract | Exporting sensitive PI < 10,000 individuals or non-sensitive PI < 100,000 individuals within a calendar year | Exporting sensitive PI < 10,000 individuals or non-sensitive PI < 1 million individuals within a calendar year |
| Data Security Assessment | Handling PI of over 1 million individuals; or exporting sensitive PI ≥ 10,000 individuals or non-sensitive PI ≥ 100,000 individuals within a calendar year | Handling PI of over 1 million individuals; or exporting sensitive PI ≥ 10,000 individuals or non-sensitive PI ≥ 1 million individuals within a calendar year |
2. Conducting a Comprehensive Data Audit: The Cornerstone of Compliance
A successful compliance strategy begins with a detailed data audit, which involves:
- Evaluating the purpose, volume, and sensitivity of PI exports.
- Assessing the security capabilities of both the exporter and the foreign recipient.
- Reviewing legal agreements to ensure alignment with regulatory requirements.
The first point is critical, as the three elements correspond to the three key determinants of compliance obligations imposed on MNCs:
- Purpose – The necessity of the PI export must be justified. Unnecessary PI cannot be exported.
- Volume – Higher volumes of PI exports trigger stricter compliance requirements. For example, an MNC handling PI of over 1 million individuals must undergo a Data Security Assessment, even if exporting just one piece of PI.
- Sensitivity – MNCs can now benefit from the Provisions and export more PI. But sensitive PI exports are subject to stricter rules. Even a very small volume of sensitive PI export may require a Standard Contract.
If PI is deemed sensitive and the export volume reaches certain thresholds, the MNC must arrange a corresponding Security Assessment or Standard Contract to be filed with CAC. The MNC must also justify the necessity of the PI export, often by demonstrating how the transfer is essential to its business operations. Common justifications include:
- Global customer relationship management (e.g., membership systems).
- Cross-border analytics to improve customer experiences.
- Compliance with international legal or contractual obligations.
3. Preparing the PIPIA and CAC Application: Building a Strong Justification
Even if an exemption under the Provisions applies, MNCs are not waived from preparing a Personal Information Protection Impact Assessment (“PIPIA”) to document their compliance efforts. After the data audit, if an MNC determines that a CAC application is not required, it is advisable to engage a reputable, independent, domestic third party to prepare a PIPIA. This serves as a critical record in case of future regulatory challenges.
If no exemption applies, the next step is determining whether to pursue a Standard Contract or a Security Assessment. Under the Provisions, non-sensitive PI benefits from relaxed thresholds, allowing annual exports of up to 1 million individuals’ data under a Standard Contract. In contrast, sensitive PI exports remain strictly regulated. Exporting sensitive PI of even one individual requires a Standard Contract, while exports exceeding 10,000 individuals annually trigger a mandatory Data Security Assessment.
Accurate classification of PI is therefore pivotal. Misclassification could lead to unnecessary assessments or, worse, regulatory non-compliance.
According to PIPL Article 28, sensitive PI is defined as data that, if leaked or misused, could harm an individual’s dignity, personal safety, or property. This includes:
- Biometric data
- Religious beliefs
- Political opinions
- Health and medical information
- Financial account details
- Location tracking data
- Information about minors under 14 years old
If an MNC exports sensitive PI of between 1 and 9,999 individuals in a calendar year, a Standard Contract must be signed with its overseas recipient, usually its headquarters outside China. Since the terms are standard, the application process is straightforward, requiring submission of the signed contract and a PIPIA to the provincial CAC. Approval typically takes 10 working days.
For exports of sensitive PI exceeding 10,000 individuals annually, a Security Assessment is required. The MNC must submit the following documents to the provincial CAC, which will forward them to the national CAC for approval:
- Application form
- Data Export Risk Self-Assessment Report
- Data contract between exporter and foreign recipient
- Other supporting materials as required
The national CAC is legally required to complete the assessment within 45 working days of formal acceptance. Before formal acceptance, however, MNCs should expect to respond to multiple rounds of inquiries from both the provincial and national CACs.
4. Embracing Post-approval Compliance: A Continuous Journey
Securing PI export approval is a significant milestone, but the journey doesn’t end there. Both Security Assessment Measures and Standard Contract Measures stipulate that any changes to the conditions recorded in the CAC application require a new application. Additionally, a Security Assessment is valid for only two years, requiring renewal even if no changes occur.
MNCs are encouraged to take the following measures to ensure full and continuous compliance with PIPL:
- Implement Ongoing Risk Monitoring: Establish mechanisms for continuously monitoring data security risks and promptly addressing any emerging threats.
- Conduct Regular Security Audits: Periodically assess data security posture to identify and rectify vulnerabilities.
- Invest in Robust Security Technologies: Leverage encryption, data masking, and access control technologies to safeguard data.
- Cultivate a Culture of Security Awareness: Regularly train employees on data security best practices.
Conclusion: MNC’s PI Compliance in China is Achievable and Manageable
While China’s PI export regulations may appear stringent, they are designed to protect individuals’ privacy without unduly burdening businesses. Recent relaxations under the Provisions demonstrate a pragmatic approach to balancing security and business needs.
For MNCs, successful compliance hinges on:
- Understanding regulatory requirements and staying updated on changes.
- Conducting thorough data audits to determine the appropriate level of compliance.
- Engaging proactively with CAC authorities to address inquiries and justify data export activities.
Our experience assisting an MNC through the Data Security Assessment process underscores that compliance is both achievable and manageable with the right preparation and expertise. By adopting a structured approach and leveraging professional guidance, MNCs can confidently navigate China’s data export regulations and ensure their operations remain compliant and secure.
In short, while the process requires effort, it is far from insurmountable. With clear guidelines, practical exemptions, and a collaborative approach, MNCs can successfully meet China’s personal information compliance requirements and continue to thrive in one of the world’s most dynamic markets.
For further information, please contact:
Albert Tsui, Partner, Anjie Broad
albert.tsui@anjielaw.com