PTS Managed Services

9 min read · china-it

China Cross-Border Data Transfer Rules Explained (2026 Guide)

China's cross-border data transfer rules in 2026: the CAC security assessment, Standard Contract and certification routes, the thresholds, exemptions and free-trade-zone lists — explained for IT leaders.

The Shanghai skyline at night — where much of China's cross-border business data originates

Moving data out of Mainland China is regulated, but it is not banned. Under China’s data laws, personal information can leave the Mainland through one of three mechanisms — a CAC security assessment, the China Standard Contract, or certification — unless the transfer fits one of the exemptions introduced in March 2024. Which mechanism applies depends on how much data you move, how sensitive it is, and whether you operate critical infrastructure. This guide explains the rules as they stand in 2026, in plain language, for the IT and operations leaders who have to live with them.

This is the detailed companion to our China & Hong Kong data laws guide, which covers the wider legal framework (PIPL, DSL, CSL and Hong Kong’s PDPO). For the underlying privacy law, see Navigating China’s PIPL.

Not legal advice. This article summarises the rules for planning purposes. The thresholds and lists change; engage qualified PRC counsel before relying on any route described here.

Why this matters — and what changed

China’s Personal Information Protection Law (PIPL) restricts sending personal information outside the Mainland, and the Data Security Law adds controls on “important data.” For a foreign business this catches very ordinary things: HR records synced to a global system, CRM data in a global cloud tenant, China employees’ mailboxes hosted offshore — and yes, a transfer to Hong Kong counts as a cross-border transfer; Hong Kong is “outside the Mainland” for these rules.

The regime was genuinely hard to comply with until the CAC’s Provisions on Promoting and Regulating Cross-Border Data Flows (22 March 2024) relaxed the thresholds and created exemptions. Since then, two further pieces arrived:

  • Certification Measures (effective 1 January 2026). The CAC and SAMR finalised the rules for the third route — certification — making it a real, usable option at last, with a supporting technical standard (GB/T 46068-2025, effective 1 March 2026).
  • The amended Cybersecurity Law (effective 1 January 2026) raised penalties across the board — fines now reach RMB 10 million for serious violations, regulators can fine immediately without a warning-first step, and the law’s extraterritorial reach was broadened. The cost of getting this wrong went up this year.

The three mechanisms

  • CAC security assessment
    What it is: A full government review of the transfer, run by the Cyberspace Administration of China.
    When it applies: Mandatory for CIIOs (any personal information), for “important data,” and above the high-volume thresholds.
  • China Standard Contract (SCC)
    What it is: A prescribed contract between the China data exporter and the overseas recipient, filed with the provincial CAC together with an impact assessment.
    When it applies: The mid-volume route; most foreign SMEs that need a mechanism use this one.
  • Certification
    What it is: A third-party certification of the exporter’s cross-border data protection regime, under the measures effective January 2026.
    When it applies: An alternative to the SCC at the same volumes; useful for intra-group transfers at scale.

The thresholds (2026)

Counted cumulatively from 1 January of the current year:

  • Critical Information Infrastructure Operator (CIIO), any personal information: Security assessment
  • Transferring “important data”: Security assessment
  • Non-sensitive personal information of more than 1,000,000 individuals: Security assessment
  • Sensitive personal information of 10,000 or more individuals: Security assessment
  • Non-sensitive personal information of 100,000–1,000,000 individuals: Standard Contract filing or certification
  • Sensitive personal information of fewer than 10,000 individuals: Standard Contract filing or certification
  • Non-sensitive personal information of fewer than 100,000 individuals: No mechanism required

“Sensitive” personal information under PIPL includes biometrics, religious beliefs, medical and health data, financial accounts, location tracking, and any personal information of minors under 14. A security assessment, once passed, is valid for three years (extendable).

The exemptions — where most SMEs actually land

The March 2024 Provisions exempt several common scenarios from needing any mechanism (consent and impact-assessment duties under PIPL still apply):

  • Contract necessity. Transfers genuinely necessary to conclude or perform a contract with the individual — cross-border shopping and shipping, flight and hotel bookings, visa applications, cross-border payments and remittances.
  • HR management. Transfers of employee data necessary for human resources management under lawfully adopted employment policies and collective contracts. This is the exemption that saves most multinationals’ HR systems.
  • Emergencies. Transfers necessary to protect life, health or property in an emergency.
  • Low volume. Under 100,000 individuals’ non-sensitive personal information in the year — no mechanism at all.
  • Data transiting China. Personal information collected outside China, brought in for processing and sent back out without adding Mainland-origin personal data.

Two important non-exemptions: there is no general intra-group exemption (being one company group does not by itself excuse a transfer), and the exemptions never cover important data.
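To make the threshold table and the exemption rules above concrete, here is an added decision function (written for this guide, not the CAC’s or PTS’s own tooling) that returns which route a transfer needs from the yearly counts, the CIIO and important-data flags, and any claimed exemption. The field names, the `required_mechanism` name and the choice to check CIIO status before the exemptions are assumptions; the thresholds and the two non-exemptions are the ones stated in the text.

```python
"""Classifier for the 2026 China cross-border transfer thresholds.

Assumed (not from the article): field names, function name, and that CIIO
status is tested before any exemption. Counts are cumulative per calendar year.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ASSESSMENT = "CAC security assessment"
SCC_OR_CERT = "Standard Contract filing or certification"
NO_MECHANISM = "No mechanism required"

# The March 2024 exemptions. "intra-group" is deliberately absent: being one
# company group is not an exemption by itself.
QUALIFYING_EXEMPTIONS = {"contract", "hr", "emergency", "transit"}


@dataclass
class Transfer:
    non_sensitive_individuals: int = 0      # cumulative since 1 January
    sensitive_individuals: int = 0          # PIPL sensitive categories
    important_data: bool = False            # identified by a regulator or catalogue
    ciio: bool = False                      # critical information infrastructure operator
    exemption: Optional[str] = None         # claimed exemption label, if any


def required_mechanism(t: Transfer) -> str:
    # Important data always needs an assessment: no volume threshold, and the
    # exemptions never cover it.
    if t.important_data:
        return ASSESSMENT
    # CIIOs need an assessment for any personal information (assumed to take
    # precedence over the volume-based exemptions).
    if t.ciio:
        return ASSESSMENT
    # A qualifying exemption removes the need for any mechanism.
    if t.exemption in QUALIFYING_EXEMPTIONS:
        return NO_MECHANISM
    # Volume thresholds: sensitive data is the stricter line (10,000 "or more"
    # triggers assessment; any sensitive data at all needs at least the SCC).
    if t.sensitive_individuals >= 10_000 or t.non_sensitive_individuals > 1_000_000:
        return ASSESSMENT
    if t.sensitive_individuals > 0 or t.non_sensitive_individuals >= 100_000:
        return SCC_OR_CERT
    return NO_MECHANISM


if __name__ == "__main__":
    # Constructed sample: a 200-employee SME with a modest customer base.
    print(required_mechanism(Transfer(non_sensitive_individuals=12_000)))
    print(required_mechanism(Transfer(sensitive_individuals=50, exemption="intra-group")))
```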

Free trade zone lists

Free trade zones may publish their own negative lists (only listed data needs a mechanism) or positive lists. Between 2024 and 2025, FTZs in Tianjin, Beijing, Shanghai, Fujian, Jiangsu, Zhejiang, Chongqing and Hainan published lists. If your China entity sits in an FTZ — common for trading and regional-HQ structures — its list may take a chunk of your transfers out of scope entirely. Check the list for your specific zone; they differ.

What is “important data”?

The DSL’s “important data” category — data that could endanger national security, the economy or public interest if leaked — always requires a security assessment to export, with no volume threshold. The practical reassurance from the 2024 Provisions: data is not important data unless a regulator or published catalogue has identified it as such, so ordinary commercial data does not become “important” by default. Sector catalogues (industrial, automotive, mapping and others) are emerging; manufacturers and anyone handling geolocation or survey data should watch them — a theme we cover in IT integration in China.

What this means for your IT architecture

The rules translate into a handful of practical design questions we work through with clients:

  1. Count your data subjects honestly. The thresholds are cumulative per calendar year across your China operations. An SME with 200 China employees and a modest China customer base usually sits under 100,000 non-sensitive individuals — exempt — unless sensitive categories (health data, financial accounts, minors) are involved: sensitive data needs a mechanism from the first individual, and the assessment route applies from 10,000.
  2. Decide where systems live. Whether China users run on your global Microsoft 365 tenant or a separate China deployment is the single biggest architectural fork — we cover it in Microsoft 365 in China: global vs 21Vianet and in the cross-border IT playbook.
  3. Paper the HR route. If you rely on the HR exemption, your employment policies need to actually say what crosses the border and why — that paperwork is the exemption.
  4. Map the flows you forgot. Helpdesk tools, monitoring agents, backup replication and CRM sync all move personal data. A data-flow map is the first deliverable of any serious compliance effort — and tooling like Microsoft Purview helps you see and control it.
  5. Don’t forget the connectivity layer. Moving data lawfully is one question; moving it reliably through the Great Firewall is another — see SD-WAN, MPLS and IPLC compared.

Penalties

PIPL violations carry fines up to RMB 50 million or 5% of annual revenue for serious cases, plus personal liability for responsible individuals. The amended Cybersecurity Law (January 2026) added fines up to RMB 10 million for serious network-security violations and removed the warning-first requirement — regulators can now fine immediately. Enforcement against unfiled transfers has been visibly increasing since 2024.

China cross-border data transfer FAQs

Is sending data from Mainland China to Hong Kong a cross-border transfer?

Yes. Hong Kong is outside the Mainland for the purposes of PIPL and the transfer rules, so data sent from a Mainland entity to a Hong Kong office, server or cloud region is a cross-border transfer and needs an exemption or mechanism like any other export. Hong Kong’s own PDPO does not restrict the data once it arrives — its long-dormant export section (s.33) has never been brought into force.

Do I need a CAC security assessment for my China office?

Only if you are a critical information infrastructure operator, transfer “important data,” or exceed the high-volume thresholds — more than 1,000,000 individuals’ non-sensitive personal information or 10,000 individuals’ sensitive personal information in a calendar year. Most foreign SMEs fall well below these lines and either qualify for an exemption (contract necessity, HR management, under 100,000 individuals) or use the Standard Contract route.

What is the China Standard Contract?

A contract template prescribed by the CAC that a Mainland data exporter signs with the overseas recipient, setting out the protections that follow the data. It must be filed with the provincial cyberspace administration together with a personal information protection impact assessment. It is the standard route for mid-volume transfers — non-sensitive data of 100,000 to 1,000,000 individuals, or sensitive data of fewer than 10,000.

Does transferring employee data to a global HR system need a mechanism?

Usually not, since the March 2024 Provisions exempt transfers of employee data genuinely necessary for HR management conducted under lawfully adopted employment policies. The exemption depends on that paperwork existing and the transfer being necessary — and PIPL duties such as informing employees still apply. Sensitive employee data beyond HR necessity can still trigger a mechanism.

What changed in January 2026?

Two things. The CAC and SAMR’s Certification Measures took effect, making certification a fully operational third route for cross-border transfers — particularly relevant for large intra-group arrangements. And the amended Cybersecurity Law took effect, raising maximum fines to RMB 10 million, allowing immediate fines without a prior warning, and extending the law’s reach to overseas activities that endanger China’s cybersecurity.

How PTS helps

PTS supports foreign businesses operating across Hong Kong and Mainland China with the IT side of this problem: mapping where your data actually flows, designing tenant and hosting architectures that keep you inside the exemptions where possible, and running the on-the-ground China IT that makes the compliant design real. We work alongside your PRC counsel — they own the legal opinion, we make the infrastructure match it.

If you need help or advice related to this topic please get in touch with us here.

PTS Consulting provides managed IT support, structured cabling, audiovisual design and installation, and IT consultancy services for businesses across Hong Kong, Mainland China and Singapore.

Tags: china · compliance · cybersecurity · managed-it · cloud · hong-kong
