Key Takeaways
- Security assessment, standard contract, and certification are separate public reference routes under the PIPL framework.
- The standard contract route is governed by CAC Order No. 13 and related filing guidance.
- Certification is recognized in PIPL Article 38, but detailed certification scope and status require separate official-source review.
This page compares three common public reference mechanisms discussed in China cross-border personal information transfer research: CAC security assessment, standard contract, and personal information protection certification. It is based on official Chinese source documents and does not determine which mechanism applies to any specific organization.
The comparison is useful because route names are often used loosely. In China’s system, security assessment, standard contract, and certification are not interchangeable labels. Each sits in a different part of the PIPL Article 38 framework and each depends on implementing rules, official source text, and the facts of the transfer.
Readers should treat this page as a research table, not a route-selection tool. It can help identify which official documents to read next and what questions to ask. It cannot decide whether a real activity falls within a specific route, whether a filing package will be accepted, or whether a certification pathway is currently available for a particular scenario.
What This Page Covers
- The official-source basis for each route.
- How each route connects to PIPL Article 38.
- Why the route labels should not be treated as interchangeable.
- What this page cannot determine without case-specific review.
Research Inputs to Collect
Before comparing mechanisms, collect the basic transfer record:
- what data is involved and whether personal information, sensitive personal information, or important data may be included;
- who the personal information processor or data handler is, and who the overseas recipient is;
- transfer purpose, frequency, recipient access method, retention arrangement, and storage location;
- approximate volume or processing scale where official thresholds or later rules may be relevant;
- whether a CIIO issue, important data issue, or prior route history may be relevant;
- any existing impact assessment records, standard contract materials, certification materials, or security assessment materials.
The same label can mean different things depending on facts. These inputs should be checked against official source text.
What This Page Can and Cannot Do
This page can compare the public-source basis for security assessment, standard contract, and certification. It can also help prepare research questions before reading the official measures in detail.
This page cannot determine that a route applies, that another route is outside scope, that a filing package is complete, or that a regulator will accept a submission.
Official Source Basis
| Document | Chinese title | Authority | Public status used here | Official source |
|---|---|---|---|---|
| PIPL | 中华人民共和国个人信息保护法 | Standing Committee of the National People’s Congress | Effective law | https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm |
| Security Assessment Measures | 数据出境安全评估办法 | CAC, Order No. 11 | Effective 2022-09-01 | https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm |
| Standard Contract Measures | 个人信息出境标准合同办法 | CAC, Order No. 13 | Effective 2023-06-01 | https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm |
| 2024 Data Flow Provisions | 促进和规范数据跨境流动规定 | CAC, Order No. 16 | Effective 2024-03-22 | https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm |
Source status: the PIPL, Security Assessment Measures, Standard Contract Measures, and 2024 Data Flow Provisions listed here are official source anchors. Certification is treated as a recognized PIPL Article 38 pathway, but detailed certification source mapping remains marked as requiring separate review in this site record.
Side-by-side Comparison
| Route | Main official basis | Typical relevance | Public-source requirement areas | Process concept | Key limitation | Requires review? |
|---|---|---|---|---|---|---|
| Security Assessment | PIPL Article 38; Security Assessment Measures; 2024 Data Flow Provisions where applicable. | May be relevant where the activity falls within the official CAC security assessment framework. | Data category, processing purpose, overseas recipient, quantity/scale issues, risk, security responsibilities, self-assessment materials, and official submission requirements. | A regulator-organized assessment route under CAC rules. | This page cannot determine whether a specific transfer is in scope, whether materials are sufficient, or how a regulator will treat a real submission. | Yes, for any real transfer. |
| Standard Contract | PIPL Article 38; Standard Contract Measures; Standard Contract Filing Guidelines; 2024 Data Flow Provisions where applicable. | May be relevant where a personal information processor uses the CAC standard contract route. | Contract execution, personal information protection impact assessment, filing materials, overseas recipient obligations, changes that may affect filing, and relationship to later provisions. | A standard contract and filing route tied to CAC rules and guidance. | This page cannot determine whether the route is available for the facts or whether a filing package is complete. | Yes, for factual scope and filing materials. |
| Certification | PIPL Article 38. | Recognized as a possible pathway for providing personal information outside China. | Certification details require separate review against current official certification rules and authoritative implementation documents. | Certification pathway recognized by statute. This site does not treat it as fully source-verified for operational use. | Detailed certification scope, current status, process, and suitability for any specific transfer remain outside this page. | Yes, marked for source review. |
Relationship to the 2024 Data Flow Provisions
The 2024 Provisions on Promoting and Regulating Cross-border Data Flows should be read with the earlier security assessment and standard contract measures. They are part of the public official framework for managing cross-border data flows and may affect how certain scenarios are evaluated. This page does not turn those provisions into a simple yes-or-no route decision.
Reading PIPL Article 38 Carefully
PIPL Article 38 is a gateway provision. It lists routes but does not provide all operational details for each route. For example, the standard contract route is implemented through CAC Order No. 13 and filing guidance. Security assessment has its own official measures. Certification appears as a recognized pathway, but detailed certification scope and current operational rules require separate source review.
Common Misunderstandings
- Security assessment, standard contract, and certification are not three names for the same process. They have different source bases and operational consequences.
- A route comparison does not answer whether a particular organization falls inside or outside a route.
- The China standard contract route should not be treated as identical to the EU SCC framework.
- Certification should be tracked as a PIPL Article 38 pathway, but detailed certification rules should not be assumed from Article 38 alone.
- The 2024 Data Flow Provisions may affect route analysis, but they do not turn the framework into a single automatic answer.
Practical Reading Notes
The most important practical point is to avoid route labels without source review. A transfer may involve personal information, sensitive personal information, important data, critical information infrastructure, or other regulated factors. Those facts can affect the route analysis.
This page can help organize research questions. It cannot conclude that a route is sufficient, that an assessment route is outside scope, or that a filing will be accepted.
Source and Review Note
This page is an independent editorial reference based on official Chinese sources. The official Chinese text prevails. Certification pathway details are marked for separate source review before any operational reliance.