Key Takeaways
- Cross-border data transfer is not a single compliance step; it is a source-based analysis across laws, CAC rules, and facts.
- For personal information, PIPL Article 38 is a gateway provision that should be read with Articles 39 and 40 and implementing rules.
- Important data, network data, sectoral rules, and the 2024 Data Flow Provisions may affect the analysis.
Cross-border data transfer under China data law refers to source-sensitive situations where data collected or generated in China is provided, accessed, transferred, or otherwise made available to an overseas recipient. The exact legal analysis depends on the data category, the processing role, the recipient, the purpose, the transfer arrangement, and the current official source text.
This topic is broader than one rule. For personal information, PIPL Article 38 is a key gateway provision. For important data, the Data Security Law and implementing rules may matter. For network data processing, the Cybersecurity Law and the Network Data Security Regulation may be relevant. CAC measures and later provisions can affect the practical route analysis.
This page is an introductory map. It explains the concepts a reader should separate before using more detailed route-comparison pages. It does not decide whether a real transfer requires security assessment, standard contract filing, certification, or another official condition.
What This Page Covers
- The difference between a broad cross-border data transfer topic and a specific personal information transfer mechanism.
- How personal information, important data, and network data can raise different source questions.
- Why PIPL Article 38 should be read with CAC measures and the 2024 Data Flow Provisions.
- What facts should be collected before route analysis.
- What this introductory page cannot determine.
Research Inputs to Collect
Before using any route page, collect the basic facts:
- what data is involved and whether it includes personal information, sensitive personal information, important data, network data, or mixed datasets;
- where the data is collected or generated and how the overseas recipient receives or accesses it;
- who sends the data, who receives it, and what each party’s role is;
- transfer purpose, transfer frequency, storage location, access method, and retention arrangement;
- whether a CIIO, large-scale processing, sectoral rule, local pilot rule, or prior filing history may be relevant;
- which official source documents should be read first.
These facts help organize the research. They do not produce a route conclusion.
What This Page Can and Cannot Do
This page can help readers understand the source map and decide which official documents to read next. It can also explain why cross-border data transfer research should not be reduced to one English label.
This page cannot choose a route, confirm an official adjustment, determine whether a filing is required, or replace case-specific legal review. The official Chinese text prevails.
Official Source Basis
| Official document | Chinese title | Authority | Date | Official source |
|---|---|---|---|---|
| Personal Information Protection Law | 中华人民共和国个人信息保护法 | Standing Committee of the National People’s Congress | Effective 2021-11-01 | https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm |
| Security Assessment Measures | 数据出境安全评估办法 | CAC, Order No. 11 | Effective 2022-09-01 | https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm |
| Standard Contract Measures | 个人信息出境标准合同办法 | CAC, Order No. 13 | Effective 2023-06-01 | https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm |
| 2024 Data Flow Provisions | 促进和规范数据跨境流动规定 | CAC, Order No. 16 | Effective 2024-03-22 | https://www.cac.gov.cn/2024-03/22/c_1712776611775634.htm |
| Network Data Security Regulation | 网络数据安全管理条例 | State Council, Order No. 790 | Effective 2025-01-01 | https://www.cac.gov.cn/2024-09/30/c_1729384452307680.htm |
Source status: this page uses official source anchors already tracked in the site. Certification is recognized in PIPL Article 38, but detailed certification scope and operational status require separate official-source review.
Concept Map
| Concept | Why it matters | Related official source | What remains case-specific |
|---|---|---|---|
| Personal information cross-border provision | PIPL Article 38 addresses conditions for providing personal information outside China. | PIPL; Security Assessment Measures; Standard Contract Measures; 2024 Data Flow Provisions. | Which route is available, whether Article 39/40 issues arise, and what materials are required. |
| Sensitive personal information | Sensitive data categories may affect consent, necessity, and protection analysis under PIPL. | PIPL. | Whether the data is sensitive personal information and what additional obligations apply. |
| Important data | Important data may raise data security and assessment questions separate from ordinary personal information analysis. | DSL; CAC rules where applicable. | Whether the data is identified as important data under current official rules. |
| Network data | Network data processing can connect cybersecurity, data security, and personal information rules. | Network Data Security Regulation; CSL; DSL; PIPL. | Entity role, processing activity, system context, sectoral rules, and local rules. |
| 2024 Data Flow Provisions | Later CAC provisions may affect the reading of earlier cross-border data transfer mechanisms. | CAC Order No. 16. | Whether a scenario is covered and how it interacts with earlier rules. |
Practical Reading Order
- Identify the data category and whether the data includes personal information, sensitive personal information, important data, or network data.
- For personal information, start with PIPL Articles 38, 39, and 40.
- Review the Security Assessment Measures, Standard Contract Measures, and filing guidance where those routes may be relevant.
- Read the 2024 Data Flow Provisions together with earlier rules rather than in isolation.
- If network data processing governance is involved, review the Network Data Security Regulation and related core laws.
- Separate editorial explanation from official source text. For any real activity, compare facts against the official Chinese text.
Common Misunderstandings
- Cross-border data transfer is not always the same as personal information cross-border provision. Data category matters.
- Security assessment is not automatically required for every transfer; the official text and the facts must be reviewed.
- The China standard contract route is not the same as the EU SCC framework.
- Certification is recognized in PIPL Article 38, but this page does not verify current certification scope or process.
- The 2024 Data Flow Provisions should not be treated as a blanket answer for all scenarios.
Related Pages
- China Cross-border Data Transfer Mechanisms Overview
- Security Assessment vs SCC vs Certification
- PIPL Article 38 Explained
- Standard Contract Measures Overview
- 2024 Data Flow Provisions Overview
- China Cross-border Data Transfer Readiness Overview
Source and Review Note
This page is an independent editorial reference based on official Chinese source documents listed above. It is for general informational purposes only, does not constitute legal advice, and does not determine a route for any company. The official Chinese text published by the competent authority prevails.