TL;DR: Cross-border data transfers (CBDT) from China are regulated under the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and additional CAC-issued provisions. Under China’s data regime, businesses that collect or handle Mainland user data may need to identify an appropriate compliance mechanism based on data type, volume, and the role of the organization (e.g. CIIO - Critical Information Infrastructure Operator). March 2024 provisions ease certain restrictions but still require structured compliance strategies, especially for websites and digital platforms.
Disclaimer: This guide is intended for informational purposes only and does not constitute legal advice. Chinafy is not a legal or corporate advisory entity. Given that legal obligations vary by business type and context, we recommend consulting with qualified legal counsel for advice specific to your organization. If needed, Chinafy can connect you with one of our experienced legal partners.
Cross-border data transfer (CBDT) refers to the act of transmitting personal information (PI) or “important data” collected in Mainland China to locations or entities outside of it. This can involve infrastructure outside China (e.g., overseas servers) or foreign entities (e.g., offshore partners accessing data remotely).
CBDT is governed by multiple frameworks including:
Personal Information Protection Law (PIPL)
Data Security Law (DSL)
Cybersecurity Law (CSL)
Provisions on Promoting and Regulating Cross-Border Data Flows (2024)
The Cyberspace Administration of China (CAC) oversees the implementation and enforcement of these laws.
There are three types of cross-border data transfer:
Direct transfer - e.g., the user submits data and this is sent to an overseas CRM app directly.
Indirect transfer - e.g., an offshore team has remote access to a database in China.
Transfer via a third-party integration - e.g., embedded offshore services are handling Chinese user data.
Chinese law indicates that outbound PI transfers are subject to one of several Data Transfer Mechanisms.
These typically include:
Security assessment: Mandatory for CIIOs (Critical Information Infrastructure Operators) transferring any PI, and for any entity transferring “Important Data” or PI in volumes exceeding CAC thresholds (Article 4, Outbound Data Transfer Security Assessment Measures).
Standard contractual clauses: Common for non-CIIOs transferring PI or sensitive PI below the security assessment thresholds.
PI protection certification: Optional alternative to SCCs in some cases, issued by CAC-authorized bodies.
The purpose of these requirements is to ensure the security of data and to address potential impacts on national security and public interests when personal data and important data are transferred outside of China.
One critical consideration to keep in mind is that sector-specific regulations for industries such as finance and healthcare may impose additional data transfer restrictions on top of the general regime.
A comprehensive CBDT review typically spans multiple departments. In practice, such reviews often involve:
Legal/Compliance: To ensure all contracts include the necessary SCCs and meet PIPL/DSL requirements.
IT & Security: To validate the architecture and assess risks associated with data flow or server locations.
Marketing/Product: To evaluate third-party integrations, analytics tools, and features that may impact CBDT.
Regulators continue to scrutinize sensitive or high-volume PI transfers, so many organisations proactively prepare for assessments or certification pathways.
In March 2024, the CAC released the Provisions on Promoting and Regulating Cross-Border Flow of Data, aimed at facilitating data flows in low-risk scenarios.
Key highlights:
Eased restrictions for certain common business activities (e.g., email communications, cross-border trade, and employment-related data).
Threshold-based exemptions for PI transfers under specific volumes, enabling lighter compliance paths.
Emphasis on necessity and transparency: e.g., companies must inform users, obtain consent, and clearly document data handling procedures.
Even with these changes, businesses handling sensitive or high-volume PI should always prepare for assessments or certification pathways.
Chinafy collaborates with specialized partners, such as Lianwei Pancloud, who can advise on CBDT assessments and potential compliance pathways.
Get in touch with Chinafy today to better understand the next steps for your company’s website and data in China.