Transferring data out of China has become increasingly complex. With the Personal Information Protection Law (PIPL), Data Security Law, and various regulations, foreign companies must navigate a maze of requirements. Here's what you need to know.
The Legal Framework
Three main laws govern data in China:
- Cybersecurity Law (2017): Establishes data localization for critical information infrastructure
- Data Security Law (2021): Creates data classification system and security requirements
- Personal Information Protection Law (PIPL, 2021): China's comprehensive privacy law, similar to GDPR
When Do These Rules Apply?
The rules apply if you:
- Have a legal entity in China that collects data
- Process personal information of individuals in China (even without a China presence)
- Transfer personal information or important data collected in China to overseas recipients
Key Point: Even if your company has no physical presence in China, PIPL can apply if you process Chinese individuals' personal information for purposes like providing products/services to them or analyzing their behavior.
Cross-Border Transfer Requirements
To transfer personal information outside China, you must use one of these mechanisms:
1. Security Assessment by CAC
Mandatory for:
- Critical information infrastructure operators
- Processors handling personal information of 1 million+ individuals
- Cumulative transfers of 100,000+ individuals' personal information since January 1 of the previous year
- Cumulative transfers of 10,000+ individuals' sensitive personal information over the same window (since January 1 of the previous year)
This involves submitting an application to the Cyberspace Administration of China (CAC) and can take several months.
2. Standard Contractual Clauses (SCCs)
For transfers not requiring security assessment, you can use China's standard contractual clauses:
- Sign the government-prescribed contract with the overseas recipient
- Conduct a personal information protection impact assessment
- File with local CAC within 10 working days of the contract taking effect
3. Certification
Obtain certification from a recognized institution. This option is less commonly used and still developing.
Practical Compliance Steps
Step 1: Data Mapping
Understand what data you collect, where it's stored, and where it flows:
- What personal information do you collect in China?
- Where is it processed and stored?
- Does it leave China? To where?
- How much data and how many individuals?
Step 2: Determine Your Pathway
Based on your data volumes and business type, identify which transfer mechanism applies.
Step 3: Implement Required Measures
- Obtain the individual's separate consent for the cross-border transfer where consent is the legal basis, after telling them the overseas recipient's name and contact details, the purpose and method of processing, and the categories of personal information involved (PIPL Article 39)
- Conduct impact assessments
- Execute required contracts
- Complete filings or assessments as needed
Step 4: Ongoing Compliance
- Monitor data volumes (thresholds can be crossed)
- Update assessments when circumstances change
- Maintain records of transfers
- Respond to regulatory inquiries
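Steps 1, 2 and 4 above are easier to operate if the data map is a transfer register you can query rather than a spreadsheet. The following is an added example, not part of the original article, of a small Python tool that reads a (constructed, hypothetical) register of transfer events, counts distinct individuals in the "since January 1 of the previous year" window, checks the counts against the thresholds listed in this article, and reports how much headroom is left before the next pathway is triggered. The threshold constants are the figures stated on this page; the rules change, so confirm them against the current CAC provisions before relying on the output.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds as stated in this article (CAC security assessment triggers).
# Assumption: these figures are current; verify against the latest CAC rules.
PROCESSED_PI_THRESHOLD = 1_000_000          # individuals whose PI you process at all
TRANSFERRED_PI_THRESHOLD = 100_000          # distinct individuals transferred in window
TRANSFERRED_SENSITIVE_THRESHOLD = 10_000    # distinct individuals, sensitive PI, in window


@dataclass(frozen=True)
class Transfer:
    """One cross-border transfer event from a hypothetical transfer register."""
    when: date
    subject_id: str    # pseudonymous ID of the individual whose data left China
    recipient: str     # overseas recipient, e.g. "hq" or "saas-vendor"
    sensitive: bool    # True if the record contained sensitive PI (health, biometrics, finance, ...)


def make_transfer(ymd: str, subject_id: str, recipient: str, sensitive: bool) -> Transfer:
    """Helper so sample data and tests can be written without importing datetime."""
    y, m, d = (int(part) for part in ymd.split("-"))
    return Transfer(date(y, m, d), subject_id, recipient, sensitive)


def window_start(as_of: date) -> date:
    """The counting window opens on 1 January of the year before `as_of`."""
    return date(as_of.year - 1, 1, 1)


def cumulative_individuals(transfers, as_of: date):
    """Count distinct individuals, not records: one person sent ten times counts once.
    Returns (all_pi_individuals, sensitive_pi_individuals) within the window."""
    start = window_start(as_of)
    all_ids, sensitive_ids = set(), set()
    for t in transfers:
        if start <= t.when <= as_of:
            all_ids.add(t.subject_id)
            if t.sensitive:
                sensitive_ids.add(t.subject_id)
    return len(all_ids), len(sensitive_ids)


def required_pathway(total_pi_processed: int, transfers, as_of: date, is_ciio: bool = False):
    """Map the counts onto the transfer mechanisms described in the article.
    Returns ("security_assessment", [reasons]) or ("scc_or_certification", [])."""
    all_pi, sensitive_pi = cumulative_individuals(transfers, as_of)
    reasons = []
    if is_ciio:
        reasons.append("critical information infrastructure operator")
    if total_pi_processed >= PROCESSED_PI_THRESHOLD:
        reasons.append(f"processes PI of {total_pi_processed:,} individuals (>= 1,000,000)")
    if all_pi >= TRANSFERRED_PI_THRESHOLD:
        reasons.append(f"transferred PI of {all_pi:,} individuals since {window_start(as_of)}")
    if sensitive_pi >= TRANSFERRED_SENSITIVE_THRESHOLD:
        reasons.append(f"transferred sensitive PI of {sensitive_pi:,} individuals since {window_start(as_of)}")
    if reasons:
        return "security_assessment", reasons
    return "scc_or_certification", reasons


def headroom(transfers, as_of: date) -> dict:
    """How many more distinct individuals can be transferred before a CAC
    assessment is triggered. Useful as a monitored metric (Step 4)."""
    all_pi, sensitive_pi = cumulative_individuals(transfers, as_of)
    return {
        "personal_information": max(TRANSFERRED_PI_THRESHOLD - all_pi, 0),
        "sensitive_personal_information": max(TRANSFERRED_SENSITIVE_THRESHOLD - sensitive_pi, 0),
    }


# Constructed sample register: u1 is sent repeatedly (counts once), u2 appears in both
# a sensitive and a non-sensitive transfer, one event predates the window and one
# postdates the reporting date.
AS_OF = date(2024, 6, 30)
SAMPLE_TRANSFERS = [
    make_transfer("2022-12-31", "u1", "hq", False),          # before 2023-01-01: ignored
    make_transfer("2023-02-01", "u1", "hq", False),
    make_transfer("2023-03-01", "u1", "hq", False),          # duplicate individual
    make_transfer("2023-05-10", "u2", "saas-vendor", True),
    make_transfer("2024-01-15", "u2", "hq", False),
    make_transfer("2024-02-20", "u3", "saas-vendor", True),
    make_transfer("2024-07-01", "u4", "hq", False),          # after AS_OF: ignored
]

if __name__ == "__main__":
    pathway, why = required_pathway(50_000, SAMPLE_TRANSFERS, AS_OF)
    print("distinct individuals (all, sensitive):", cumulative_individuals(SAMPLE_TRANSFERS, AS_OF))
    print("pathway:", pathway, why)
    print("headroom:", headroom(SAMPLE_TRANSFERS, AS_OF))
```

Run it periodically against the real register (one row per transfer event, with a stable pseudonymous subject ID) and alert when headroom falls below whatever margin gives you time to prepare an assessment; the distinct-individual counting is the part that spreadsheets usually get wrong, because they count rows.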
Common Scenarios
Multinational with China Subsidiary
If your China subsidiary shares employee data, customer data, or business data with headquarters, you likely need SCCs or security assessment depending on volumes.
SaaS Company Serving China Customers
If you process data of Chinese users on servers outside China, you need a lawful transfer mechanism. Because PIPL applies to you extraterritorially, you must also establish a dedicated entity or appoint a representative in China and report its contact details to the authorities (PIPL Article 53).
E-commerce Selling to China
Customer data collected from Chinese buyers must be handled according to PIPL, including cross-border transfer requirements.
Penalties for Non-Compliance
- Fines up to 50 million RMB or 5% of previous year's revenue
- Suspension of business operations
- Revocation of business licenses
- Personal liability for responsible individuals
Recent Developments
The regulatory landscape continues to evolve:
- Exemptions for certain routine business transfers are being clarified
- Free trade zones may have relaxed requirements
- Industry-specific rules continue to emerge
Need Help with China Data Compliance?
I help foreign companies navigate China's data protection requirements, implement compliant transfer mechanisms, and manage regulatory filings.
Contact Me