Cross-border data transfer in China has become a hot topic in recent years due to the country’s strict regulations and policies regarding data privacy and security. However, the March 2024 reforms have made it easier for businesses to transfer data overseas where they have a good reason.

We explain how cross-border data transfers are regulated in China and summarise the March 2024 CAC reforms, which remain the current framework in 2026.

Overview of Cross-Border Data Transfer Regulations in China

Three main laws govern data transfer in China. The key elements of each are explained below.

1. Personal Information Protection Law (PIPL)

Enacted in 2021, the PIPL sets out comprehensive rules for processing personal information within China and transferring personal information outside of China. It requires that any transfer of personal information outside of China ensure data protection equivalent to that provided under Chinese law. This can be achieved by obtaining certification under approved standards, entering into standard contractual clauses, or passing a security assessment by the Chinese authorities.

Additionally, companies are required to conduct a security assessment to ensure that the transfer does not pose any risks to national security or the public interest.

The cross-border transfer regulations have recently been relaxed.

2. Data Security Law (DSL)

Implemented in 2021, the DSL emphasizes the security and control of data processed and generated in China. It categorizes data based on its importance to national security, economic development, and social public interests, imposing stricter controls on “important data” and “core data.”

3. Cybersecurity Law (CSL)

Since 2017, the CSL has been China’s foundational cybersecurity and data protection legislation. It requires critical information infrastructure operators (CIIOs) to store personal information and important data collected and generated in China within the country. Cross-border transfer is permissible but subject to a stringent security assessment.

Companies that fail to comply may face fines, suspension of operations, or, in severe cases, criminal charges.

March 2024 Changes to the Data Transfer Regulations

The Cyberspace Administration of China (CAC) issued updated regulations on March 22, 2024, which continue to form the core compliance framework for cross-border data transfers in 2026. These regulations introduce several key changes to ease businesses’ compliance burden while safeguarding sensitive information. The key changes are outlined below.

1. Exemptions 

The Regulations exempt certain categories of data transfers from stringent checks if they do not include sensitive or significant personal information. For instance, data involved in international trade, academic cooperation, and other specific activities are exempt unless classified as “important data.” Personal information collected and processed outside mainland China is exempt as long as no sensitive domestic data is involved.

2. Thresholds for Data Transfers

The regulations now provide clearer guidance on what constitutes “important data” and modify the thresholds for when a security assessment by the CAC is required. Notably, the threshold for general personal information has been raised, reducing the instances where a security assessment is needed.

Indicative thresholds and mechanisms for cross-border data transfers (2024 CAC rules, applicable in 2026)

| Data transfer scenario (non-CIIO) | Volume of personal information per calendar year | Typical CAC mechanism under the current framework | Practical implication for businesses |
| --- | --- | --- | --- |
| Low-volume, non-sensitive personal information | Non-sensitive personal information of fewer than 100,000 individuals, with no important data and no sector-specific rules triggered | No CAC security assessment, Standard Contract filing or certification required (but PIPL obligations still apply) | Many day-to-day cross-border transfers may fall into this category, reducing procedural burden while still requiring a lawful basis, transparency and appropriate safeguards. |
| Medium volume or limited sensitive personal information | Non-sensitive personal information of 100,000–1,000,000 individuals, or sensitive personal information of fewer than 10,000 individuals | Standard Contract filing or Personal Information Protection Certification usually required; no CAC-led security assessment in most cases | Companies need structured contracts or certifications but avoid the most onerous CAC assessment, making ongoing operations more manageable. |
| High-volume or important data | Important data transfers, non-sensitive personal information of more than 1,000,000 individuals, or sensitive personal information of more than 10,000 individuals | Mandatory CAC security assessment for cross-border data transfers | Reserved for the riskiest transfers; firms must plan for longer timelines, heavier documentation and close coordination with regulators. |
| Exempt scenarios (safe harbours) | Various volumes, where specific exemption conditions are satisfied (for example, contract performance, HR management, emergency protection, or certain Free Trade Zone negative list scenarios) | No security assessment, Standard Contract filing or certification required, even if volumes are otherwise high, provided exemption criteria and PIPL obligations are fully met | Businesses can design data flows to fall within exemptions (for example, HR and contract-based transfers), but must still document necessity, consent where needed, and risk assessments. |

3. Special Rules for Free Trade Zones (FTZs)

FTZs can create negative lists that specify the types of data subject to export requirements, which can simplify compliance for companies operating within these zones.

4. Standard Contracts and Personal Information Protection Certification

For data transfers involving the sensitive personal information of more than 10,000 individuals and general personal information of more than 1,000,000 individuals, a standard contract must be filed, or a personal information protection certification must be obtained. However, these requirements are relaxed for transfers involving less sensitive data or fewer data subjects.


China’s data residency requirements restrict cross-border transfer of personal information and business data significantly—a framework creating operational friction for multinational companies accustomed to global data sharing norms. Local-processing requirements add infrastructure cost and complexity.