Last review date: 13 January 2025

Yes

Any jurisdiction other than Mainland China, including Hong Kong, Macau and Taiwan, is considered a foreign jurisdiction.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

• other solutions

Please see the separate question for information on data localization provisions that are not restricted to personal data.

According to the PIPL, controllers that need to transfer personal information out of the PRC are obliged to first carry out personal information protection impact assessments.

In addition, the controllers should obtain separate consents from the individuals (if the controllers' collection of personal information and relevant processing activities are based on consent from such individuals), and meet the following requirements:

a. Pass the security assessment conducted by the CAC ("CBDT Security Assessment") if any of the following thresholds/conditions are fulfilled by an entity in China (as the data exporter):

1. Export of any personal information (no quantitative threshold) by an exporter, which is a China entity processing personal information of one million or more individuals residing in China
2. Export of any personal information (no quantitative threshold) by an exporter, which is a CIIO
3. Since 1 January of the previous calendar year, an exporter of personal information (who is not an operator of critical information infrastructure or a large-scale personal information controller) provides personal information of 100,000 or more individuals residing in China OR sensitive personal information of 10,000 or more individuals abroad
4. Provide any important data (no quantitative threshold) abroad
5. Any other conditions as stipulated by the CAC

b. Obtain certification in relation to personal information protection from professional institutions according to the regulations of the CAC ("Certification"): Since the effectiveness of the Implementation Rules for Personal Information Protection Certification ("PIP Certification Rules") from 4 November 2022, only one institution (i.e., China Cybersecurity Review Technology and Certification Center) has been authorized by the CAC to administer and issue the PIP Certification. So far, only five companies have obtained the PIP certification results. It still remains unclear how this mechanism is practically achievable for the time being and if a company may choose to go through this mechanism instead of concluding the standard contract and filing the same with CAC for the transfer of personal information out of China.

c. Enter into a standard contract as prescribed by the CAC with the overseas receiving party/parties to stipulate the rights and obligations of both parties ("China SCC Filing") if all of the following thresholds/conditions have been concurrently fulfilled by an entity in China (as the data exporter):

1. The exporter of personal information is not a CIIO
2. The exporter of personal information processes personal information of less than one million individuals residing in China
3. Since 1 January of the previous calendar year, the exporter of personal information provides personal information of less than 100,000 individuals residing in China abroad and
4. Since 1 January of the previous calendar year, the exporter of personal information transfers sensitive personal information of less than 10,000 individuals residing in China abroad

d. Fulfill the requirements stipulated in other laws or regulations or in the rules set by the CAC.

According to the New CBDT Rules and other relevant implementation rules and guidelines, the thresholds triggering the regulatory formalities described above have been raised significantly:

• The current threshold for CBDT Security Assessment (if any of the following thresholds/conditions is fulfilled by an entity in China (as the data exporter)):
  1. Export of any personal information (no quantitative threshold) by an exporter, which is a CIIO
  2. Since 1 January of the current calendar year, an exporter of personal information (who is not a CIIO) provides personal information of 1,000,000 or more individuals residing in China OR sensitive personal information of 100,000 or more individuals abroad
  3. Provide any important data (no quantitative threshold) abroad

• The current thresholds triggering Certification or China SCC Filing (if any of the following thresholds/conditions is fulfilled by an entity in China (as the data exporter)):
  1. The exporter of personal information is not a CIIO, and the exporter of personal information exports personal information (without any sensitive personal information) of more than 100,000 individuals but less than one million individuals residing in China since 1 January of the current calendar year
  2. The exporter of personal information is not a CIIO, and the exporter of sensitive personal information exports personal information of less than 10,000 individuals residing in China since 1 January of the current calendar year

In addition, the New CBDT Rules also recognize the following circumstances where the regulatory formalities would be exempted ("Exempted Scenarios"):

1. Exemption for Data-in-transit: the personal information exported is limited to personal information collected and generated outside China and transmitted into China for domestic processing, during which no personal information or important data collected or generated within China is incorporated into the personal information exported (i.e., pure storage of overseas personal information in China or transit of overseas personal information through China)

    

2. Contracting Exemption: the data processor exports personal information where it is necessary to do so for the purpose of concluding or performing a contract to which the individual is a party, such as for cross-border shopping, cross-border posting and delivery, cross-border fund remittance, cross-border payment, cross-border account opening, air ticket ad hotel booking, visa application, examination services, etc.

    

3. HR Management Exemption: the data processor exports employees' personal information where it is necessary to do so for the purpose of implementing cross-border human resources management in accordance with labor rules and policies formulated in accordance with laws and collective contracts concluded in accordance with laws

    

4. Emergency Exemption: the data processor exports personal information where it is necessary to do so for the purpose of protecting the life, health and property safety of individuals under emergency conditions, and

    

5. Small-scale Data Exporter Exemption: the data processor is not a CIIO and it has exported non-sensitive personal information of less than 100,000 individuals since January 1 of the current year

    

6. Pursuant to the New CBDT Rules, Chinese authorities in various free trade zones in China have been empowered to issue their respective negative lists to further ease cross-border data transfer activities within the national framework of data classification and grading. According to these lists, only those cross-border data transfer activities conducted by companies located in the relevant free trade zones that fall into the negative lists would be subject to the applicable regulatory formalities.