Key Takeaways
- PIPL Article 38 is the gateway article for providing personal information outside China.
- The article lists possible statutory conditions, but implementing rules determine much of the operational process.
- Article 38 should be read with Article 39, Article 40, and relevant CAC measures.
PIPL Article 38 is one of the central provisions for China cross-border personal information transfer research. It addresses conditions for a personal information processor to provide personal information outside China. This page explains the role of Article 38 in plain English while keeping the official legal text and editorial explanation separate.
The article matters because it operates as a gateway provision. It points to several possible conditions, but it does not contain the full operational process for each route. A reader must connect Article 38 with implementing rules, related PIPL articles, and later official provisions before drawing any practical conclusion.
This page is useful for understanding the structure of the rule. It is not a filing checklist, route-selection tool, or company-specific compliance assessment. The official Chinese text and the relevant implementing documents must be reviewed for any real transfer.
What This Page Covers
- Why Article 38 matters for cross-border personal information transfers.
- How Article 38 relates to security assessment, standard contract, certification, and other statutory conditions.
- Why Article 38 does not by itself decide the operational route.
- How Article 39 and Article 40 may be relevant in the broader reading sequence.
Research Inputs to Collect
Before applying Article 38 in research, collect:
- whether the activity involves providing personal information outside China;
- the processor role, overseas recipient, transfer purpose, and recipient access arrangement;
- whether sensitive personal information may be involved;
- whether Article 39 notification and separate consent issues may be relevant;
- whether Article 40 domestic storage and security assessment issues may be relevant;
- whether security assessment, standard contract, certification, or another official condition has already been reviewed.
These facts help determine which official source documents should be read next. They do not produce a company-specific answer by themselves.
What This Page Can and Cannot Do
This page can explain why Article 38 is a gateway provision and how it connects to implementing rules. It can also help readers move from article-level reading to route-level research.
This page cannot determine the route for a real transfer, confirm whether a filing is required, or replace review of Articles 39, 40, CAC measures, and the official Chinese text.
Official Source Basis
| Official document | Chinese title | Authority | Date | Official source |
|---|---|---|---|---|
| Personal Information Protection Law | 中华人民共和国个人信息保护法 | Standing Committee of the National People’s Congress | Effective 2021-11-01 | https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm |
| Security Assessment Measures | 数据出境安全评估办法 | CAC, Order No. 11 | Effective 2022-09-01 | https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm |
| Standard Contract Measures | 个人信息出境标准合同办法 | CAC, Order No. 13 | Effective 2023-06-01 | https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm |
| 2024 Data Flow Provisions | 促进和规范数据跨境流动规定 | CAC, Order No. 16 | Effective 2024-03-22 | https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm |
Source status: PIPL and the CAC measures listed above are used here as official source anchors. Certification is recognized in Article 38, but detailed certification implementation remains marked as requiring separate official-source review in this site record.
What Article 38 Does
Article 38 functions as a gateway rule. It identifies statutory conditions that can be relevant when a personal information processor needs to provide personal information outside China for business or other needs. The routes listed in the article include security assessment organized by the national cyberspace authority, personal information protection certification by a specialized institution in accordance with State provisions, entering into the standard contract formulated by the national cyberspace authority, and other conditions provided by law, administrative regulation, or the national cyberspace authority.
The article is therefore important because it connects PIPL’s general personal information protection framework with cross-border transfer mechanisms. It is not, by itself, a filing manual or a route decision chart.
Relationship to Implementing Rules
Different implementing documents give more detail to different pathways. The Security Assessment Measures provide the official source basis for the CAC security assessment route. The Standard Contract Measures and the Standard Contract Filing Guidelines provide source basis for the standard contract route and filing concept. The 2024 Data Flow Provisions should be read with these documents because they affect how some cross-border data flow scenarios are managed.
Certification is also recognized in Article 38 as a statutory route. This page does not provide a complete certification process description because detailed certification scope and current implementation status require separate official-source review.
Article 38 Mechanism Map
| Article 38 mechanism | Implementing rule or related source | Practical reading note | What remains case-specific |
|---|---|---|---|
| Security assessment organized by the national cyberspace authority | Security Assessment Measures; 2024 Data Flow Provisions where applicable | Article 38 names the mechanism; CAC rules provide the public-source implementation context. | Whether a real activity falls within the assessment framework and what materials are required. |
| Personal information protection certification | Article 38 statutory reference | Certification is a recognized pathway in Article 38. | Detailed certification scope, current process, and operational availability require separate official-source review. |
| Standard contract formulated by the national cyberspace authority | Standard Contract Measures; Standard Contract Filing Guidelines; 2024 Data Flow Provisions where applicable | The China standard contract route is implemented through CAC rules and filing guidance. | Whether the route fits the facts and whether the filing materials are complete. |
| Other conditions provided by law, administrative regulation, or national cyberspace authority | Later or other official rules where applicable | Article 38 leaves room for other official conditions. | Which later official source applies and how it interacts with PIPL and CAC measures. |
Relationship to Article 39 and Article 40
Article 39 is relevant because it concerns informing individuals about matters related to overseas recipients and obtaining separate consent where personal information is provided outside China. Article 40 is relevant because it addresses domestic storage and security assessment requirements for critical information infrastructure operators and personal information processors that meet quantities prescribed by the national cyberspace authority.
These articles should be read together. Article 38 identifies possible conditions. Article 39 addresses notification and separate consent in the overseas provision context. Article 40 addresses domestic storage and assessment issues for certain operators or processing scale.
What Article 38 Does Not Decide Alone
Article 38 does not decide whether a specific organization must submit a security assessment, whether a standard contract filing package is complete, whether certification is currently suitable, or whether a later official provision affects the analysis. Those conclusions require review of the facts and the implementing documents.
Common Misunderstandings
- Article 38 is not a full operational checklist. It identifies possible conditions and should be read with implementing rules.
- A personal information processor should not assume that one route is available simply because the route appears in Article 38.
- Article 39 should not be skipped. Notification and separate consent may be relevant in the overseas provision context.
- Article 40 addresses domestic storage and assessment issues for certain operators or processing scale; it is not the same rule as Article 38.
- Certification is mentioned in Article 38, but this page does not verify current certification scope or implementation details.
Practical Reading Notes
For research purposes, Article 38 is best read as the first step in a sequence. Start with the official PIPL text, then identify whether Articles 39 and 40 are also relevant. Next, compare the facts against the Security Assessment Measures, Standard Contract Measures, filing guidance, and later 2024 Data Flow Provisions where applicable.
This page can help readers identify the legal architecture and locate official sources. It cannot determine a company’s route, validate a filing package, or replace review by qualified counsel.
Related Pages
- PIPL Article 38 bilingual reference
- PIPL Article 38 law record
- China Cross-border Data Transfer Route Comparison
- Security Assessment vs SCC vs Certification
- Standard Contract Measures Overview
- 2024 Data Flow Provisions Overview
- Personal Information Protection Law
- CBDT Readiness Checklist
- PIPL Compliance Checklist
Source and Review Note
This page is based on the official Chinese PIPL source and related official CAC documents listed above. It is an independent editorial reference for general information only. The official Chinese text prevails.