Independent editorial reference. This page is based on official Chinese source links for general informational purposes only. It is not legal advice, and the official Chinese text prevails.

Key Takeaways

  • Cross-border data transfer is not a single compliance step; it is a source-based analysis across laws, CAC rules, and facts.
  • For personal information, PIPL Article 38 is a gateway provision that should be read with Articles 39 and 40 and implementing rules.
  • Important data, network data, sectoral rules, and the 2024 Data Flow Provisions may affect the analysis.

Cross-border data transfer under China data law refers to source-sensitive situations where data collected or generated in China is provided, accessed, transferred, or otherwise made available to an overseas recipient. The exact legal analysis depends on the data category, the processing role, the recipient, the purpose, the transfer arrangement, and the current official source text.

This topic is broader than one rule. For personal information, PIPL Article 38 is a key gateway provision. For important data, the Data Security Law and implementing rules may matter. For network data processing, the Cybersecurity Law and the Network Data Security Regulation may be relevant. CAC measures and later provisions can affect the practical route analysis.

This page is an introductory map. It explains the concepts a reader should separate before using more detailed route-comparison pages. It does not decide whether a real transfer requires security assessment, standard contract filing, certification, or another official condition.

What This Page Covers

  • The difference between a broad cross-border data transfer topic and a specific personal information transfer mechanism.
  • How personal information, important data, and network data can raise different source questions.
  • Why PIPL Article 38 should be read with CAC measures and the 2024 Data Flow Provisions.
  • What facts should be collected before route analysis.
  • What this introductory page cannot determine.

Research Inputs to Collect

Before using any route page, collect the basic facts:

  • what data is involved and whether it includes personal information, sensitive personal information, important data, network data, or mixed datasets;
  • where the data is collected or generated and how the overseas recipient receives or accesses it;
  • who sends the data, who receives it, and what each party’s role is;
  • transfer purpose, transfer frequency, storage location, access method, and retention arrangement;
  • whether a CIIO, large-scale processing, sectoral rule, local pilot rule, or prior filing history may be relevant;
  • which official source documents should be read first.

These facts help organize the research. They do not produce a route conclusion.

What This Page Can and Cannot Do

This page can help readers understand the source map and decide which official documents to read next. It can also explain why cross-border data transfer research should not be reduced to one English label.

This page cannot choose a route, confirm an official adjustment, determine whether a filing is required, or replace case-specific legal review. The official Chinese text prevails.

Official Source Basis

Official documentChinese titleAuthorityDateOfficial source
Personal Information Protection Law中华人民共和国个人信息保护法Standing Committee of the National People’s CongressEffective 2021-11-01https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm
Security Assessment Measures数据出境安全评估办法CAC, Order No. 11Effective 2022-09-01https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm
Standard Contract Measures个人信息出境标准合同办法CAC, Order No. 13Effective 2023-06-01https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm
2024 Data Flow Provisions促进和规范数据跨境流动规定CAC, Order No. 16Effective 2024-03-22https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm
Network Data Security Regulation网络数据安全管理条例State Council, Order No. 790Effective 2025-01-01https://www.cac.gov.cn/2024-09/30/c_1729384452307680.htm

Source status: this page uses official source anchors already tracked in the site. Certification is recognized in PIPL Article 38, but detailed certification scope and operational status require separate official-source review.

Concept Map

ConceptWhy it mattersRelated official sourceWhat remains case-specific
Personal information cross-border provisionPIPL Article 38 addresses conditions for providing personal information outside China.PIPL; Security Assessment Measures; Standard Contract Measures; 2024 Data Flow Provisions.Which route is available, whether Article 39/40 issues arise, and what materials are required.
Sensitive personal informationSensitive data categories may affect consent, necessity, and protection analysis under PIPL.PIPL.Whether the data is sensitive personal information and what additional obligations apply.
Important dataImportant data may raise data security and assessment questions separate from ordinary personal information analysis.DSL; CAC rules where applicable.Whether the data is identified as important data under current official rules.
Network dataNetwork data processing can connect cybersecurity, data security, and personal information rules.Network Data Security Regulation; CSL; DSL; PIPL.Entity role, processing activity, system context, sectoral rules, and local rules.
2024 Data Flow ProvisionsLater CAC provisions may affect the reading of earlier cross-border data transfer mechanisms.CAC Order No. 16.Whether a scenario is covered and how it interacts with earlier rules.

Practical Reading Order

  1. Identify the data category and whether the data includes personal information, sensitive personal information, important data, or network data.
  2. For personal information, start with PIPL Articles 38, 39, and 40.
  3. Review the Security Assessment Measures, Standard Contract Measures, and filing guidance where those routes may be relevant.
  4. Read the 2024 Data Flow Provisions together with earlier rules rather than in isolation.
  5. If network data processing governance is involved, review the Network Data Security Regulation and related core laws.
  6. Separate editorial explanation from official source text. For any real activity, compare facts against the official Chinese text.

Common Misunderstandings

  • Cross-border data transfer is not always the same as personal information cross-border provision. Data category matters.
  • Security assessment is not automatically required for every transfer; the official text and the facts must be reviewed.
  • The China standard contract route is not the same as the EU SCC framework.
  • Certification is recognized in PIPL Article 38, but this page does not verify current certification scope or process.
  • The 2024 Data Flow Provisions should not be treated as a blanket answer for all scenarios.

Source and Review Note

This page is an independent editorial reference based on official Chinese source documents listed above. It is for general informational purposes only, does not constitute legal advice, and does not determine a route for any company. The official Chinese text published by the competent authority prevails.