Independent editorial reference.This page is based on official Chinese source links for general informational purposes only. It is not legal advice, and the official Chinese text prevails.

Key Takeaways

  • The 2024 provisions use cumulative counts from January 1 of the current year for several personal-information export thresholds.
  • The official text separates ordinary personal information, sensitive personal information, important data, and CIIO scenarios.
  • The provisions do not fully prescribe every deduplication, group-company, or identity-resolution method, so unresolved counting-method choices should be documented and reviewed.

This guide explains how to read the personal-information subject count thresholds in China’s 2024 Provisions on Promoting and Regulating Cross-border Data Flows. It is a public source-reading guide, not a filing instruction or a company-specific threshold calculation.

The most important point is that the 2024 provisions use cumulative counts from January 1 of the current year in several places. They also separate ordinary personal information, sensitive personal information, important data, and critical information infrastructure operator scenarios. A real assessment should keep those categories separate instead of collapsing everything into one number.

This page is deliberately limited. It states what the official text says, identifies practical counting questions, and marks what remains unresolved by the public text. It does not decide whether a particular organization must file a security assessment, use the standard contract, pursue certification, or falls within an exemption.

Official Source Basis

Official document Authority Date Provisions relied on Official source
Provisions on Promoting and Regulating Cross-border Data Flows Cyberspace Administration of China, Order No. 16 Published and effective 2024-03-22 Articles 5, 7, 8, 10, 14 https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm
Personal Information Protection Law Standing Committee of the National People’s Congress Effective 2021-11-01 Articles 4, 28, 38, 39, 40, 55 https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm
Measures for Security Assessment of Cross-border Data Transfer Cyberspace Administration of China Effective 2022-09-01 Security assessment route context https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm
Measures for the Standard Contract for Cross-border Transfer of Personal Information Cyberspace Administration of China Effective 2023-06-01 Standard contract route context https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm

Source status: the numerical thresholds below are taken from the official CAC 2024 provisions. Practical counting methods that are not specified in the public text are marked as review items rather than stated as final rules.

Direct Answer

For threshold research under the 2024 provisions, start by counting personal information provided outside China since January 1 of the current year. Keep at least four categories separate:

  • ordinary personal information, where the official text says the count excludes sensitive personal information;
  • sensitive personal information;
  • important data;
  • transfers by or involving critical information infrastructure operators.

Do not use a single undifferentiated export count. The official text treats these categories differently.

Thresholds Stated in the 2024 Provisions

Source provision Trigger language in public-source terms Practical reading note
Article 5 A non-CIIO data handler providing less than 100,000 individuals’ personal information overseas from January 1 of the current year, excluding sensitive personal information, may fall within a listed exemption if the other Article 5 conditions are met. This is not a blanket exemption. Article 5 also excludes important data from the personal-information count and lists specific scenarios.
Article 7 A CIIO providing personal information or important data overseas, or a non-CIIO providing important data, or a non-CIIO cumulatively providing at least 1,000,000 individuals’ personal information excluding sensitive personal information or at least 10,000 individuals’ sensitive personal information from January 1 of the current year, must apply for security assessment through the provincial cyberspace authority to the national cyberspace authority. Important data and CIIO status are separate triggers. Do not rely only on a personal-information count.
Article 8 A non-CIIO cumulatively providing at least 100,000 but less than 1,000,000 individuals’ personal information excluding sensitive personal information, or less than 10,000 individuals’ sensitive personal information, from January 1 of the current year should use the standard contract route or personal information protection certification where the Article 8 conditions apply. The sensitive-personal-information wording should be read carefully with the official Chinese text and the facts.
Article 10 Personal information exports still require obligations under laws and administrative regulations, including notification, separate consent where required, and personal information protection impact assessment obligations. Thresholds do not replace PIPL duties.

Counting Boundaries to Keep Separate

A useful threshold worksheet should separate the following fields before any route conclusion is considered:

Field Why it matters
Current-year period The 2024 provisions repeatedly use cumulative provision from January 1 of the current year.
Ordinary personal information count Several thresholds expressly exclude sensitive personal information from the ordinary personal-information count.
Sensitive personal information count Sensitive personal information has its own threshold language and should not be buried inside the ordinary count.
Important data Important data is not solved by personal-information counting and may trigger different treatment.
CIIO status Article 7 separately addresses critical information infrastructure operators.
Exemption scenario Articles 3, 4, 5, and 6 may change the analysis, but each depends on its own conditions.
Mechanism considered Security assessment, standard contract, certification, and other official conditions have different source bases.

What the Official Text Does Not Fully Resolve

The public text does not provide a complete operational method for every counting problem. Treat the following as review items:

  • whether duplicate records for the same person are counted once or multiple times in a particular system design;
  • how identity matching should be handled where the same person appears across systems;
  • how group-company transfers should be aggregated when multiple China entities or overseas recipients are involved;
  • how to handle projected transfers versus already completed transfers;
  • how to treat changes in transfer purpose, recipient, access method, or data category during the same year.

For these questions, document the assumption used, preserve the source basis, and obtain qualified review for any real filing or route decision.

Common Counting Errors

  • Counting only database size when the threshold language is about personal information provided overseas.
  • Combining sensitive personal information with ordinary personal information even where the official text separates them.
  • Ignoring important data because the personal-information count is low.
  • Treating the below-100,000 scenario as a general exemption without checking Article 5 conditions and exclusions.
  • Skipping PIPL Article 39 notification and consent questions because a numerical threshold appears favorable.
  • Treating this guide as a filing decision instead of a source-reading aid.

Practical Worksheet

Before relying on a threshold, record:

  1. The current-year date range used for the count.
  2. The ordinary personal information subject count, excluding sensitive personal information where the official threshold requires that separation.
  3. The sensitive personal information subject count.
  4. Whether any important data may be involved.
  5. Whether a CIIO issue may be involved.
  6. The overseas recipient and access arrangement.
  7. The relevant official route being considered.
  8. Any unresolved counting-method assumption.

This record should make the uncertainty visible. It should not silently convert an unresolved method question into a legal conclusion.

Source and Review Note

This page is based on official Chinese source documents listed above. It is an independent editorial reference for general information only. It does not constitute legal advice, and the official Chinese text prevails.