Data Strategy Briefing — February 24, 2023
China’s February 2023 CAC Standard Contract Measures create a June go-live and six-month transition for lower-volume personal information exports, mandating impact assessments, filings, and contract clauses aligned with the PIPL.
Executive briefing: The Cyberspace Administration of China (CAC) issued the Measures on the Standard Contract for Outbound Transfer of Personal Information on (CAC release). Effective , the Measures allow personal information processors that fall below specified thresholds to transfer data overseas using a CAC standard contract instead of the more onerous security assessment. Organisations must perform personal information protection impact assessments (PIAs), sign the standard clauses with foreign recipients, and file the contract and assessment with provincial CAC offices within 10 working days. Existing transfers must regularise within six months of the effective date.
Applicability thresholds and exclusions
Article 4 limits eligibility to processors that (1) are not critical information infrastructure operators (CIIOs); (2) process personal information of fewer than one million individuals; (3) have exported personal information of fewer than 100,000 individuals since the previous year; and (4) have exported sensitive personal information of fewer than 10,000 individuals since the previous year. Processors exceeding these thresholds must pursue the CAC security assessment or other lawful transfer mechanisms (e.g., certification). The Measures apply to both controller-to-controller and controller-to-processor transfers, covering employee data, customer information, and other personal data collected in China.
Personal information protection impact assessments
Before signing the standard contract, processors must complete a PIA evaluating legality, necessity, scale, recipient safeguards, and potential risks. Article 5 requires documentation of the personal information categories, quantity, processing purposes, overseas storage location, foreign legal environment, and risk mitigation measures. The PIA must also analyse the impact on the rights and interests of data subjects and confirm that overseas recipients meet PIPL-level protection standards. PIAs must be retained for at least three years and updated when transfer conditions change.
Contract obligations and supplementary clauses
The Annex provides mandatory clauses that cannot be altered. Key requirements include obligations for the overseas recipient to apply security measures, limit onward transfers, cooperate with CAC supervision, and notify processors of incidents. Processors must inform data subjects of transfer details and secure separate consent for sensitive personal information. Organisations may add supplementary clauses addressing audit rights, encryption, localisation of logs, incident response timeframes, and termination triggers, provided they do not conflict with the standard text. Contracts must be executed in Chinese; bilingual versions are recommended for foreign counterparties.
Filing workflow and timelines
Within 10 working days of contract execution, processors must submit a filing package to the provincial CAC office that includes the signed contract, PIA report, and other supporting materials (e.g., proof of legal personality, data governance policies). The CAC has 15 working days to review completeness and may request supplements. Any material change—such as altered processing purposes, data categories, retention periods, or overseas recipient circumstances—requires a fresh PIA and refiling. Existing transfers predating June 2023 must complete filing by .
Implementation roadmap for multinational organisations
- Data mapping: Inventory China-origin personal information, categorising volumes, sensitivity, and destination countries. Align data inventories with PIPL classifications and identify transfers that exceed CAC thresholds.
- Eligibility confirmation: Evaluate whether business units qualify for the standard contract mechanism. For transfers exceeding thresholds, prepare for the security assessment or certification pathways.
- PIA development: Build templates aligned with Article 5 requirements. Incorporate legal analysis of recipient jurisdictions (e.g., GDPR adequacy, CLOUD Act exposure) and describe technical safeguards such as encryption, access controls, and zero trust architectures.
- Contract localisation: Draft bilingual playbooks that incorporate Annex clauses verbatim, define roles (controller vs. processor), and add supplementary provisions covering audit rights, incident cooperation, and subcontractor controls.
- Filing governance: Establish RACI matrices assigning responsibility for provincial filings, supporting evidence collection, and response to CAC inquiries. Implement workflow tools to track deadlines and status.
Responsible governance and ongoing compliance
Boards and privacy committees should oversee cross-border data strategies, reviewing metrics on PIA completion, filing timelines, and incident reports. Maintain records of data subject consent, contract versions, and overseas recipient audits. Coordinate with cybersecurity teams to ensure technical safeguards (encryption, data minimisation, DLP) align with PIPL requirements. Implement data subject rights processes that support cross-border access, correction, and deletion requests within statutory timeframes.
Sector-specific considerations
Technology and SaaS providers: Map cloud hosting arrangements, support localisation options, and ensure subcontractors (e.g., customer support centres) sign onward transfer clauses. Document encryption key management practices to demonstrate control.
Healthcare and life sciences: Address sensitive health data thresholds; implement de-identification or anonymisation where feasible. Coordinate with ethics committees on cross-border clinical research data flows.
Financial services: Align with People’s Bank of China guidelines on personal financial information and confirm that overseas risk analytics adhere to PIPL and Anti-Money Laundering data-sharing rules.
Manufacturing and automotive: Evaluate industrial IoT data containing employee or driver telematics; integrate CAC requirements with data localisation obligations under the Automotive Data Security Regulations.
Monitoring regulatory developments
The CAC Q&A clarifies that processors must refile when the overseas recipient is subject to foreign legal demands that could undermine protection levels. Organisations should monitor additional guidance from provincial CAC offices, potential updates to PIPL implementing rules, and emerging sector regulations (e.g., financial data export rules). Track enforcement actions to understand inspection focus areas, such as inadequate consent or insufficient technical safeguards. International businesses should coordinate with global privacy programmes to maintain consistency with GDPR Standard Contractual Clauses, acknowledging differences in Chinese requirements.
Measurement and reporting
Establish KPIs covering the number of transfers under standard contracts, PIA completion rates, filing status, and outstanding remediation items. Monitor audit findings, data breach incidents, and regulator inquiries. Maintain dashboards that calculate personal information export volumes relative to thresholds, generating alerts when approaching caps. Include compliance status in executive risk reports and ESG disclosures, highlighting privacy and data governance performance.
Sources
- CAC — Measures on the Standard Contract for Outbound Transfer of Personal Information
- CAC Q&A on Implementing the Standard Contract Measures
- DigiChina translation and analysis of the CAC Standard Contract Measures
- White & Case — China issues standard contract for personal information exports
Zeph Tech supports China-facing organisations with CAC standard contract implementation, including PIAs, bilingual contracting, and provincial filing governance.