China data transfers
China's CAC standard contract measures for cross-border data transfers provided a mechanism for lawful transfers outside China. Companies transferring data from China needed to evaluate which mechanism applied to their situation.
Reviewed for accuracy by Kodi C.
The Cyberspace Administration of China (CAC) issued the Measures on the Standard Contract for Outbound Transfer of Personal Information on (CAC release). Effective , the Measures allow personal information processors that fall below specified thresholds to transfer data overseas using a CAC standard contract instead of the more onerous security assessment. Teams must perform personal information protection impact assessments (PIAs), sign the standard clauses with foreign recipients, and file the contract and assessment with provincial CAC offices within 10 working days. Existing transfers must regularise within six months of the effective date.
Applicability thresholds and exclusions
Article 4 limits eligibility to processors that (1) are not critical information infrastructure operators (CIIOs); (2) process personal information of fewer than one million individuals; (3) have cumulatively exported personal information of fewer than 100,000 individuals since 1 January of the previous year; and (4) have cumulatively exported sensitive personal information of fewer than 10,000 individuals since 1 January of the previous year. All four thresholds count individuals, not records, so repeated exports of the same person's data count once.
Processors exceeding these thresholds must pursue the CAC security assessment or other lawful transfer mechanisms (for example, certification). The Measures apply to both controller-to-controller and controller-to-processor transfers, covering employee data, customer information, and other personal data collected in China.
Personal information protection impact assessments
Before signing the standard contract, processors must complete a PIA evaluating legality, necessity, scale, recipient safeguards, and potential risks. Article 5 requires documentation of the personal information categories, quantity, processing purposes, overseas storage location, foreign legal environment, and risk mitigation measures. The PIA must also analyze the impact on the rights and interests of data subjects and confirm that overseas recipients meet PIPL-level protection standards. PIAs must be retained for at least three years and updated when transfer conditions change.
Contract obligations and supplementary clauses
The Annex provides mandatory clauses that cannot be altered. Key requirements include obligations for the overseas recipient to apply security measures, limit onward transfers, cooperate with CAC supervision, and notify processors of incidents. Processors must inform data subjects of transfer details and secure separate consent for sensitive personal information. Teams may add supplemental clauses addressing audit rights, encryption, localization of logs, incident response timeframes, and termination triggers, provided they do not conflict with the standard text. Contracts must be executed in Chinese; bilingual versions are recommended for foreign counterparties.
Filing workflow and timelines
Within 10 working days of contract execution, processors must submit a filing package to the provincial CAC office that includes the signed contract, PIA report, and other supporting materials (for example, proof of legal personality, data governance policies). The CAC has 15 working days to review completeness and may request supplements. Any material change—such as altered processing purposes, data categories, retention periods, or overseas recipient circumstances—requires a fresh PIA and refiling. Existing transfers predating June 2023 must complete filing by .
Implementation roadmap for multinational teams
- Data mapping: Inventory China-origin personal information, categorising volumes, sensitivity, and destination countries. Align data inventories with PIPL classifications and identify transfers that exceed CAC thresholds.
- Eligibility confirmation: Evaluate whether business units qualify for the standard contract mechanism. For transfers exceeding thresholds, prepare for the security assessment or certification pathways.
- PIA development: Build templates aligned with Article 5 requirements. Incorporate legal analysis of recipient jurisdictions (for example, GDPR adequacy, CLOUD Act exposure) and describe technical safeguards such as encryption, access controls, and zero trust architectures.
- Contract localization: Draft bilingual playbooks that incorporate Annex clauses verbatim, define roles (controller vs. processor), and add supplementary provisions covering audit rights, incident cooperation, and subcontractor controls.
- Filing governance: Establish RACI matrices assigning responsibility for provincial filings, supporting evidence collection, and response to CAC inquiries. Implement workflow tools to track deadlines and status.
Responsible governance and ongoing compliance
Boards and privacy committees should oversee cross-border data strategies, reviewing metrics on PIA completion, filing timelines, and incident reports. Maintain records of data subject consent, contract versions, and overseas recipient audits. Coordinate with cybersecurity teams to ensure technical safeguards (encryption, data minimization, DLP) align with PIPL requirements. Implement data subject rights processes that support cross-border access, correction, and deletion requests within statutory timeframes.
Considerations by sector
Technology and SaaS providers: Map cloud hosting arrangements, support localization options, and ensure subcontractors (for example, customer support centers) sign onward transfer clauses. Document encryption key management practices to show control.
Healthcare and life sciences: Address sensitive health data thresholds; implement de-identification or anonymization where feasible. Coordinate with ethics committees on cross-border clinical research data flows.
Financial services: Align with People’s Bank of China guidelines on personal financial information and confirm that overseas risk analytics adhere to PIPL and Anti-Money Laundering data-sharing rules.
Manufacturing and automotive: Evaluate industrial IoT data containing employee or driver telematics; integrate CAC requirements with data localization obligations under the Automotive Data Security Regulations.
Monitoring regulatory developments
The CAC Q&A clarifies that processors must refile when the overseas recipient is subject to foreign legal demands that could undermine protection levels. Teams should monitor additional guidance from provincial CAC offices, potential updates to PIPL implementing rules, and emerging sector regulations (for example, financial data export rules). Track enforcement actions to understand inspection focus areas, such as inadequate consent or insufficient technical safeguards. International businesses should coordinate with global privacy programs to maintain consistency with GDPR Standard Contractual Clauses, acknowledging differences in Chinese requirements.
Measurement and reporting
Establish KPIs covering the number of transfers under standard contracts, PIA completion rates, filing status, and outstanding remediation items. Monitor audit findings, data breach incidents, and regulator inquiries. Maintain dashboards that calculate personal information export volumes relative to thresholds, generating alerts when approaching caps. Include compliance status in executive risk reports and ESG disclosures, highlighting privacy and data governance performance.
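The threshold dashboard described here and the Article 4 eligibility test above share the same computation, so one worked example covers both. It is an added illustration written for this brief, not CAC code or a tool from any cited source. It assumes a hypothetical transfer-log layout (pseudonymous subject ID, export date, sensitivity flag), counts distinct individuals exported since 1 January of the year before the assessment date, and raises an early-warning alert at a configurable fraction of each cap (the 80% warning level is an internal setting, not a regulatory figure). Counting records instead of individuals would overstate exposure; counting individuals without the correct window would understate it.

```python
"""Illustrative CAC standard-contract eligibility check (added example, not from the Measures)."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Article 4 thresholds as summarised on this page (numbers of individuals, "fewer than").
MAX_TOTAL_PROCESSED = 1_000_000
MAX_EXPORTED = 100_000
MAX_EXPORTED_SENSITIVE = 10_000


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer event; hypothetical record layout for this example."""
    subject_id: str    # stable pseudonymous ID of the data subject, never raw PII
    exported_on: date
    sensitive: bool    # True if the record included sensitive personal information


def window_start(as_of: date) -> date:
    """Counting window opens on 1 January of the year before the assessment date."""
    return date(as_of.year - 1, 1, 1)


def count_exported_individuals(transfers: Iterable[Transfer], as_of: date) -> tuple[int, int]:
    """Return (distinct individuals exported, distinct individuals whose sensitive PI was exported)."""
    start = window_start(as_of)
    all_ids: set[str] = set()
    sensitive_ids: set[str] = set()
    for t in transfers:
        if start <= t.exported_on <= as_of:      # out-of-window events are ignored
            all_ids.add(t.subject_id)            # a set deduplicates repeat exports
            if t.sensitive:
                sensitive_ids.add(t.subject_id)
    return len(all_ids), len(sensitive_ids)


def evaluate_thresholds(exported: int, exported_sensitive: int, total_processed: int,
                        is_ciio: bool, warn_ratio: float = 0.8) -> dict:
    """Apply the four Article 4 conditions; warn when a count approaches its cap.

    warn_ratio is an internal dashboard setting (assumption), not a legal figure.
    """
    caps = {
        "total_processed": (total_processed, MAX_TOTAL_PROCESSED),
        "exported": (exported, MAX_EXPORTED),
        "exported_sensitive": (exported_sensitive, MAX_EXPORTED_SENSITIVE),
    }
    failed = ["not_ciio"] if is_ciio else []
    alerts = []
    for name, (value, cap) in caps.items():
        if value >= cap:                          # "fewer than": reaching the cap fails
            failed.append(name)
        elif value >= warn_ratio * cap:
            alerts.append(f"{name}: {value} of {cap} ({value / cap:.0%})")
    return {"eligible": not failed, "failed": failed, "alerts": alerts}


def assess_eligibility(transfers: Iterable[Transfer], as_of: date, total_processed: int,
                       is_ciio: bool, warn_ratio: float = 0.8) -> dict:
    """Combine the log-derived counts with the processor-level facts (CIIO status, total processed)."""
    exported, sensitive = count_exported_individuals(transfers, as_of)
    result = evaluate_thresholds(exported, sensitive, total_processed, is_ciio, warn_ratio)
    result["counts"] = {"exported": exported, "exported_sensitive": sensitive}
    return result


# Constructed sample log (not real data): repeat subjects and one out-of-window event.
SAMPLE_AS_OF = date(2024, 3, 1)                  # window therefore starts 2023-01-01
SAMPLE_TRANSFERS = [
    Transfer("u1", date(2023, 2, 10), False),
    Transfer("u1", date(2023, 5, 1), False),     # same individual again: counts once
    Transfer("u2", date(2023, 8, 15), True),
    Transfer("u3", date(2022, 12, 31), False),   # before the window: not counted
    Transfer("u2", date(2024, 1, 20), True),     # repeat sensitive export: counts once
    Transfer("u4", date(2024, 2, 28), False),
]

if __name__ == "__main__":
    print(assess_eligibility(SAMPLE_TRANSFERS, SAMPLE_AS_OF, total_processed=500_000, is_ciio=False))
```

On the sample log the function reports three individuals exported and one with sensitive data, well below both caps; feeding near-cap counts into evaluate_thresholds produces the early-warning alerts a dashboard would surface before the processor loses eligibility and has to move to a security assessment.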
References
- CAC — Measures on the Standard Contract for Outbound Transfer of Personal Information
- CAC Q&A on Implementing the Standard Contract Measures
- DigiChina translation and analysis of the CAC Standard Contract Measures
- White & Case — China issues standard contract for personal information exports
This brief supports China-facing teams with CAC standard contract setup, including PIAs, bilingual contracting, and provincial filing governance.
Data Management Implementation
Data management teams should assess how this development affects data collection, processing, storage, and sharing practices. Policy updates should address any new requirements for data handling, consent management, or purpose limitations. Technical setups should align with documented policies and support audit evidence collection demonstrating compliance with data management requirements.
Ongoing monitoring should verify that data processing activities continue to align with documented purposes and comply with applicable requirements as practices evolve.