Key Takeaways
- This overview identifies public-source reference areas commonly discussed in China cross-border data transfer research.
- It does not select a route, confirm compliance, or determine whether a filing or assessment is required.
- Any real matter should be checked against official Chinese source text and current regulator materials.
This page is a general reference overview only. It is not legal advice, filing advice, an operational tool, or a company-specific assessment.
This overview identifies source-based categories commonly discussed when researching China cross-border data transfer issues. It is designed as a public reference map, not as route-selection logic. Readers should compare any real scenario against PIPL Article 38, the Security Assessment Measures, the Standard Contract Measures, filing guidance, the 2024 Data Flow Provisions, and other official source text.
China cross-border data transfer analysis depends heavily on facts. The same transfer label can involve different legal questions depending on data category, processing scale, recipient, purpose, access arrangement, and whether important data or CIIO issues may be involved.
This page does not decide whether a security assessment, standard contract filing, certification, or another official condition applies. It describes source-based reference points without providing an action plan or compliance conclusion.
Official Source Basis
| Official document | Chinese title | Authority | Date | Official source |
|---|---|---|---|---|
| Personal Information Protection Law | 中华人民共和国个人信息保护法 | Standing Committee of the National People’s Congress | Effective 2021-11-01 | https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm |
| Security Assessment Measures | 数据出境安全评估办法 | CAC, Order No. 11 | Effective 2022-09-01 | https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm |
| Standard Contract Measures | 个人信息出境标准合同办法 | CAC, Order No. 13 | Effective 2023-06-01 | https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm |
| Standard Contract Filing Guidance, First Edition | 个人信息出境标准合同备案指南(第一版) | CAC | Published 2023-05-30 | https://www.cac.gov.cn/2023-05/30/c_1687090906222927.htm |
| 2024 Data Flow Provisions | 促进和规范数据跨境流动规定 | CAC, Order No. 16 | Effective 2024-03-22 | https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm |
Source status: this overview uses official source anchors. It does not reproduce official forms or determine whether any submission is complete.
Transfer Context
Commonly reviewed transfer-context categories include:
- what data leaves China or is accessed from outside China;
- who sends or makes the data available;
- who receives or accesses the data overseas;
- why the transfer is needed;
- whether the transfer is continuous, repeated, or one-off;
- where the data is stored and how overseas access is technically arranged.
Do not treat these categories as a conclusion. They are reference points for reading the official sources.
Data Category
Public-source research often distinguishes whether the dataset includes:
- personal information;
- sensitive personal information;
- important data;
- network data;
- mixed datasets with multiple categories;
- uncertain data categories that require review.
If classification is uncertain, the official text and current regulatory materials should be reviewed rather than forcing a conclusion.
Parties and Roles
Role-related reference points include:
- personal information processor or other data handler;
- overseas recipient;
- entrusted processor if relevant;
- joint processing arrangement if relevant;
- CIIO issue if it may be relevant;
- affiliate, external recipient, platform, or service-provider relationship.
Role analysis should be checked against the official text and the actual processing arrangement.
Volume, Scale, and Threshold-related Context
Do not invent thresholds or rely on memory. Public-source analysis may require attention to:
- approximate number of individuals involved where personal information is transferred;
- whether sensitive personal information is involved;
- frequency and continuity of transfer;
- historical and expected transfer volume;
- whether large-scale processing may be relevant;
- whether prior transfer records exist.
These categories do not determine a route by themselves.
Individual Rights and Notification / Consent Context
Where personal information is provided outside China, the following topics are often discussed in relation to PIPL Articles 38 and 39:
- privacy notification materials;
- overseas recipient name or identity information where relevant;
- transfer purpose, processing method, and personal information category;
- rights request handling channel;
- separate consent records where the official text requires separate consent;
- withdrawal, correction, deletion, or explanation handling procedures.
This overview does not provide consent wording or operational instructions.
Regulatory Mechanism Reference Points
The following public-source mechanisms are commonly discussed. This table does not choose a route or state that a route is available for a real matter.
| Route topic | Commonly discussed reference points | Related source area | Caution |
|---|---|---|---|
| Security assessment | Transfer facts, data category, risk materials, overseas recipient details, and prior assessment history. | Security Assessment Measures; 2024 Data Flow Provisions. | This overview does not decide whether assessment is required. |
| China standard contract | Contract documents, filing materials, impact assessment records, recipient obligations, and change history. | Standard Contract Measures; Filing Guidance. | This overview does not validate filing completeness. |
| Certification | Certification history, certified entity scope, and source materials if available. | PIPL Article 38; certification details require separate review. | Detailed certification scope remains requires review. |
| Other official condition | Any later law, administrative regulation, or CAC rule that may apply. | PIPL Article 38 and related official sources. | Do not rely on unofficial route labels. |
Document Categories Often Reviewed
Document categories often reviewed in source-based research include:
- data map and transfer flow description;
- transfer purpose description;
- overseas recipient description;
- personal information protection impact assessment records if relevant;
- standard contract draft or executed copy if relevant;
- prior filing, assessment, certification, or regulator communication history;
- security measures and access controls;
- retention, access, deletion, and onward-transfer arrangements;
- incident response and individual rights request handling procedures.
Source Documents to Read
Start with these official-source pages:
- PIPL Article 38 bilingual reference
- PIPL Article 39 bilingual reference
- PIPL Article 40 bilingual reference
- Security Assessment Measures: https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm
- Standard Contract Measures: https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm
- Standard Contract Filing Guidance: https://www.cac.gov.cn/2023-05/30/c_1687090906222927.htm
- 2024 Data Flow Provisions: https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm
- Network Data Security Regulation where relevant: https://www.cac.gov.cn/2024-09/30/c_1729384452307680.htm
Reference Use
This page can help readers locate official source documents and understand common reference categories. It does not decide whether a company should use security assessment, standard contract, certification, or another condition.
Related Pages
- China Cross-border Data Transfer Route Comparison
- Security Assessment vs SCC vs Certification
- PIPL Article 38 Explained
- Standard Contract Measures Overview
- 2024 Data Flow Provisions Overview
- What Is Cross-border Data Transfer?
Source and Review Note
This overview is an independent editorial reference based on official Chinese source links. It is for general informational purposes only, does not constitute legal advice, and does not determine any company’s route or filing obligations. The official Chinese text prevails.