China Cross-border Data Transfer Route Comparison

Independent editorial reference. This page is based on official Chinese source links for general informational purposes only. It is not legal advice, and the official Chinese text prevails.

Key Takeaways

PIPL Article 38 provides several statutory pathways for providing personal information outside China.
Security assessment, standard contract, and certification are different mechanisms and should not be treated as interchangeable without reviewing the official text.
The 2024 data flow provisions affect how some cross-border transfer scenarios are managed, but this page does not decide any company-specific route.

This page is an independent editorial reference based on official Chinese source documents. It explains how the main public cross-border data transfer pathways fit together at a high level. It does not select a compliance route for any company, does not determine whether a filing, certification, or assessment is required, and does not replace case-specific legal review.

China cross-border data transfer analysis often starts with PIPL Article 38, but it rarely ends there. Article 38 identifies several possible legal conditions for providing personal information outside China. Separate CAC measures, filing guidance, later data flow provisions, and the facts of the transfer all affect the practical reading.

This page is designed as the main public entry point for comparing routes. It helps readers understand the relationship among CAC security assessment, the China standard contract route, personal information protection certification, and the 2024 Provisions on Promoting and Regulating Cross-border Data Flows. It deliberately avoids route-selection conclusions because those depend on data category, data volume, processor status, overseas recipient, transfer purpose, and the current official rules.

What This Page Covers

The relationship between PIPL Article 38 and implementing mechanisms.
The public reference role of CAC security assessment, standard contract, and personal information protection certification.
How the 2024 Provisions on Promoting and Regulating Cross-border Data Flows fit into the broader framework.
Why a route comparison is not the same as a legal conclusion.

Research Inputs to Collect

Before using this page as a route map, collect the facts that may affect source-based review:

data category, including whether personal information, sensitive personal information, important data, or mixed datasets may be involved;
processor role, overseas recipient, transfer purpose, transfer frequency, and storage/access arrangement;
approximate processing or transfer scale where relevant to official-source analysis;
whether a critical information infrastructure operator or large-scale processing issue may be relevant;
whether prior security assessment, standard contract filing, certification, or regulator communication history exists;
the official source documents that should be read first for the scenario.

These inputs do not decide the route. They help a reviewer compare facts against the official text.

What This Page Can and Cannot Do

This page can help locate official source documents, compare public mechanisms, and organize research questions. It can also help explain why PIPL Article 38, the Security Assessment Measures, the Standard Contract Measures, and the 2024 Data Flow Provisions should be read together.

This page cannot choose a route for a company, determine whether a filing or assessment is required, confirm compliance, or predict regulator acceptance. Those conclusions require case-specific review against the official Chinese text.

Official Source Basis

Official document	Chinese title	Authority	Date	Official source
Personal Information Protection Law	中华人民共和国个人信息保护法	Standing Committee of the National People’s Congress	Effective 2021-11-01	https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm
Security Assessment Measures	数据出境安全评估办法	Cyberspace Administration of China, CAC Order No. 11	Effective 2022-09-01	https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm
Standard Contract Measures	个人信息出境标准合同办法	Cyberspace Administration of China, CAC Order No. 13	Effective 2023-06-01	https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm
2024 Data Flow Provisions	促进和规范数据跨境流动规定	Cyberspace Administration of China, CAC Order No. 16	Effective 2024-03-22	https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm

Source status: the source links above are official source anchors used for this editorial reference page. The certification pathway is recognized in PIPL Article 38, but detailed certification scope, operational criteria, and current implementation status require separate official-source review before being used as a route-specific conclusion.

How the Route Framework Fits Together

PIPL Article 38 is the starting point for providing personal information outside China. It identifies several possible conditions that may support a cross-border provision of personal information, including passing a security assessment organized by the national cyberspace authority, obtaining personal information protection certification from a specialized institution in accordance with State provisions, entering into the standard contract formulated by the national cyberspace authority, or meeting another condition provided by laws, administrative regulations, or the national cyberspace authority.

That article is a gateway provision. It does not by itself answer every operational question. Implementing documents, official filing guidance, the type and volume of data, the identity of the processor, the identity of the overseas recipient, whether important data is involved, and later official rules may all matter.

Public Route Comparison

Pathway	When it may be relevant	Official source basis	Public process / filing / certification concept	What this page cannot determine	Related site page
CAC security assessment	May be relevant where a transfer falls within the official security assessment framework or involves issues addressed by the Security Assessment Measures.	PIPL Article 38; Security Assessment Measures; later 2024 Data Flow Provisions where applicable.	Official-source framework involving assessment by the national cyberspace authority, with materials and review requirements determined by the official rules.	Whether a specific activity triggers assessment, whether submitted materials are sufficient, or how regulators will treat a real filing.	Security Assessment vs Standard Contract vs Certification
China standard contract	May be relevant for certain personal information transfers that use the standard contract route under PIPL Article 38.	PIPL Article 38; Standard Contract Measures; Standard Contract Filing Guidelines; 2024 Data Flow Provisions where applicable.	Standard contract and filing concept under CAC rules. The filing guide is relevant to materials and process reading.	Whether the standard contract route is available for the facts, whether a completed contract package is adequate, or whether another mechanism is required.	Standard Contract Measures Overview
Personal information protection certification	Recognized by PIPL Article 38 as one possible condition for providing personal information outside China.	PIPL Article 38. Detailed certification source mapping is not fully verified in this site record.	Certification by a specialized institution in accordance with State provisions, as referenced by PIPL Article 38.	Current certification scope, certification body requirements, operational status, and route availability for a specific transfer.	PIPL Article 38 Explained
2024 data flow provisions	May affect route analysis where the transfer scenario is addressed by the 2024 provisions and related official adjustments.	2024 Data Flow Provisions; Security Assessment Measures; Standard Contract Measures; PIPL.	Later CAC provisions that interact with earlier cross-border data transfer management rules.	Whether an official adjustment applies to a specific activity, whether prior obligations remain, or whether other sectoral/local requirements apply.	2024 Data Flow Provisions Overview

Relationship to PIPL Articles 38, 39, and 40

PIPL Article 38 addresses conditions for providing personal information outside China. PIPL Article 39 is relevant because it concerns informing individuals about overseas recipients and obtaining separate consent where personal information is provided outside China. PIPL Article 40 is relevant for critical information infrastructure operators and personal information processors that reach quantities prescribed by the national cyberspace authority, because it addresses domestic storage and security assessment requirements.

These articles should be read together with the relevant CAC measures. A route comparison cannot determine the final result for a company because the official requirements depend on the facts and the version of the applicable rules.

Common Misunderstandings

Security assessment is not automatically required for every cross-border transfer. The official text and the facts must be assessed together.
The China standard contract route is not the same as the EU SCC framework. It is part of China’s own PIPL and CAC rule framework.
Certification is recognized in PIPL Article 38, but this page does not verify current certification scope or operational eligibility.
The 2024 Data Flow Provisions should not be read as a blanket exclusion from all cross-border data transfer obligations.
Route analysis may depend on data category, volume, processor status, overseas recipient, purpose, important data issues, and the latest official rules.

Practical Reading Notes

Use this page as a map, not a decision tool. A responsible review usually starts by identifying the data category, the transfer purpose, the overseas recipient, the processing role, whether important data may be involved, and whether the activity is affected by the 2024 data flow provisions. The next step is to compare those facts against official source text and current regulator guidance.

This page can help readers locate the right public-source documents and avoid treating route names as interchangeable. It cannot determine whether a real transfer is permitted, whether a regulator will accept a filing package, or whether a particular overseas recipient arrangement satisfies applicable law.

Source and Review Note

This page is based on official Chinese source documents listed above. It is an editorial reference for general information only. The official Chinese text published by the competent authority prevails.