Cross-border Data Transfer
Read the security assessment measures, standard contract measures, and 2024 data-flow provisions together with PIPL Article 38 and the core laws.
Open the source-reading guide Network and Cybersecurity
Connect the Network Data Security Regulation, CII protection framework, and cybersecurity review measures with the DSL and CSL.
Open the Cybersecurity Law Algorithm and AI Governance
Compare the source roles of the algorithm recommendation, deep synthesis, and generative-AI measures without treating them as interchangeable.
Start with algorithm recommendation rules effective Administrative Regulation Source: Verified
网络数据安全管理条例
- Authority
- State Council
- Publication
- 2024-09-24
- Effective
- 2025-01-01
- Translation
- Not prepared
- Audience
- Network data processors and platform operators
This State Council regulation provides a broad governance framework for network data processing. It addresses processing duties, personal information protection, important data, cross-border data activity, platform responsibilities, and regulatory oversight.
Why it matters: The regulation connects themes found across the PIPL, DSL, and CSL and gives readers a consolidated source for understanding how network data governance fits across those laws.
Open public summary effective Regulatory Measure Source: Verified
数据出境安全评估办法
- Authority
- Cyberspace Administration of China
- Publication
- 2022-07-07
- Effective
- 2022-09-01
- Translation
- Not prepared
- Audience
- All industries
These CAC measures establish the public regulatory framework for security assessment of certain cross-border data transfers, including application materials, assessment factors, review stages, and validity concepts.
Why it matters: Security assessment is one of the central mechanisms in China's cross-border data transfer framework and must be read alongside the PIPL, DSL, and later data-flow provisions.
Open public summary effective Regulatory Measure Source: Verified
个人信息出境标准合同办法
- Authority
- Cyberspace Administration of China
- Publication
- 2023-02-22
- Effective
- 2023-06-01
- Translation
- Not prepared
- Audience
- All industries
These CAC measures govern the China standard contract mechanism for certain cross-border transfers of personal information. They provide the regulatory context for the contract, filing concept, impact assessment relationship, and parties' responsibilities.
Why it matters: The standard contract is one of the conditions referenced by PIPL Article 38 and forms part of a wider source chain that includes the PIPL, CAC measures, official contract text, and later data-flow provisions.
Open public summary effective Regulatory Provision Source: Verified
促进和规范数据跨境流动规定
- Authority
- Cyberspace Administration of China
- Publication
- 2024-03-22
- Effective
- 2024-03-22
- Translation
- Not prepared
- Audience
- All industries
These 2024 CAC provisions adjust and clarify parts of the cross-border data transfer framework. They address specified transfer scenarios and interact with the earlier security assessment and standard contract measures.
Why it matters: The provisions are a key later source for understanding how China's cross-border data transfer framework developed after the earlier CAC measures.
Open public summary effective Regulatory Provision Source: Verified
互联网信息服务算法推荐管理规定
- Authority
- Cyberspace Administration of China; Ministry of Industry and Information Technology; Ministry of Public Security; State Administration for Market Regulation
- Publication
- 2021-12-31
- Effective
- 2022-03-01
- Translation
- Not prepared
- Audience
- Internet information service providers
These provisions regulate algorithmic recommendation services used by internet information service providers. They cover service governance, user rights, transparency, content management, and filing-related regulatory concepts.
Why it matters: They are an early central source in China's algorithm governance framework and provide context for later deep-synthesis and generative-AI measures.
Open public summary effective Regulatory Provision Source: Verified
互联网信息服务深度合成管理规定
- Authority
- Cyberspace Administration of China; Ministry of Industry and Information Technology; Ministry of Public Security
- Publication
- 2022-11-25
- Effective
- 2023-01-10
- Translation
- Not prepared
- Audience
- Deep synthesis service providers
These provisions govern deep-synthesis internet information services, including provider responsibilities, technical support roles, content governance, security management, and labeling concepts.
Why it matters: They form a major part of the public source chain for synthetic-content governance and connect algorithm regulation with later generative-AI rules.
Open public summary effective Regulatory Measure Source: Verified
生成式人工智能服务管理暂行办法
- Authority
- Cyberspace Administration of China and six other authorities
- Publication
- 2023-07-10
- Effective
- 2023-08-15
- Translation
- Not prepared
- Audience
- Generative AI service providers
These interim measures regulate generative artificial intelligence services provided to the public in China. They address service-provider responsibilities, training data, generated content, user protection, and regulatory supervision.
Why it matters: They are a central public source for understanding China's generative-AI service framework and its relationship with data, personal information, and content governance.
Open public summary effective Administrative Regulation Source: Verified
关键信息基础设施安全保护条例
- Authority
- State Council
- Publication
- 2021-08-17
- Effective
- 2021-09-01
- Translation
- Review pending
- Audience
- CII operators and sector regulators
This State Council regulation develops the protection framework for critical information infrastructure, including identification, operator responsibilities, protection measures, and coordination among competent authorities.
Why it matters: It provides important implementing context for the CSL's critical information infrastructure framework and related cybersecurity review requirements.
Open public summary effective Departmental Rule Source: Verified
网络安全审查办法
- Authority
- Cyberspace Administration of China and twelve other authorities
- Publication
- 2021-12-28
- Effective
- 2022-02-15
- Translation
- Review pending
- Audience
- CII operators network platform operators and relevant procurement or listing scenarios
These measures establish the cybersecurity review framework for specified network products and services and certain data processing activities, with a focus on national security risks.
Why it matters: They connect cybersecurity, critical information infrastructure, supply-chain, data processing, and national security review concepts.
Open public summary effective Regulatory Provision Source: Verified
汽车数据安全管理若干规定(试行)
- Authority
- Cyberspace Administration of China; National Development and Reform Commission; Ministry of Industry and Information Technology; Ministry of Public Security; Ministry of Transport
- Publication
- 2021-08-20
- Effective
- 2021-10-01
- Translation
- Review pending
- Audience
- Automotive data processors
These provisions address automotive data processing, including personal information and important data generated or collected in automotive activities.
Why it matters: They illustrate how China's general data and personal information rules are supplemented by sector-specific requirements.
Open public summary effective Regulatory Provision Source: Verified
移动互联网应用程序信息服务管理规定
- Authority
- Cyberspace Administration of China
- Publication
- 2022-06-14
- Effective
- 2022-08-01
- Translation
- Review pending
- Audience
- App providers and app distribution platforms
These provisions govern mobile internet application information services and address responsibilities of application providers and application distribution platforms.
Why it matters: They provide sector-specific context for app governance, personal information protection, content management, and platform responsibilities.
Open public summary