China Cross-Border Data Transfer Decision Tool: Determine Your Compliance Path
Over 65% of foreign companies in China report that cross-border data transfer compliance is their single most challenging regulatory hurdle, according to the 2025 American Chamber of Commerce in China Business Climate Survey. Under China’s Personal Information Protection Law (PIPL), Data Security Law (DSL), and the Cybersecurity Law (CSL), three distinct compliance paths exist for international data transfers: the CAC Security Assessment, the Standard Contract for Cross-Border Data Transfer (SCC), and Personal Information Protection Certification. Choosing the wrong path — or failing to determine your obligations at all — can result in fines of up to RMB 50 million (approximately USD 6.9 million) or 5% of annual revenue. This decision tool helps foreign companies determine which compliance path applies to their specific data processing activities. Remote China market entry support.
Understanding the Three Compliance Paths
China’s cross-border data transfer framework provides three legal mechanisms for transferring personal information and important data outside of China. Each path has specific applicability criteria, processing timelines, and cost implications. The choice depends on three key factors: the volume of personal data processed, the type of data being transferred, and the nature of the receiving entity (related company, third-party vendor, or public disclosure). Understanding these factors is the first step in determining your compliance obligation.
Path Comparison at a Glance
| Factor | Path 1: CAC Security Assessment | Path 2: Standard Contract (SCC) | Path 3: Certification |
|---|---|---|---|
| Data Volume Threshold | 1M+ individuals/year or important data | Less than 1M individuals/year | No volume threshold (certification-based) |
| Processing Timeline | 45–60 working days (CAC review) | Immediate (self-filing, CAC has 10-day objection window) | 3–4 months (certification body review) |
| Estimated Cost | RMB 150K–350K (USD 21K–48K) | RMB 30K–80K (USD 4K–11K) | RMB 80K–200K (USD 11K–28K) |
| Renewal Period | Every 2 years (or when data type changes) | Valid for term of contract (renegotiate on material change) | Every 3 years |
| Legal Opinion Required | Yes — from Chinese law firm | Recommended but not mandatory | Yes — for certification application |
| Suitable For | Large data processors, HR data of 100K+ employees | SaaS providers, small HR teams, vendor data sharing | Multinationals with standardized global data practices |
Step 1: Assess Your Data Processing Volume
The primary factor determining your compliance path is the volume of personal information you process annually. Under the CAC’s regulations, the thresholds are:
- Below 100,000 individuals per year: No mandatory data export compliance path applies, but you must still implement basic data protection measures and may choose to adopt SCCs voluntarily for vendor management.
- 100,000 to 1 million individuals per year: The Standard Contract (Path 2) is the default path. You can also opt for certification (Path 3) if you prefer a structured certification framework over a contractual approach.
- Over 1 million individuals per year: The CAC Security Assessment (Path 1) is mandatory. You cannot use SCCs or certification alone. This threshold applies regardless of whether you process data of 1 million individuals cumulatively or across multiple business lines.
- Important Data: If your company processes “important data” as defined in industry-specific catalogues (including financial transaction data, health records, location data for critical infrastructure), the Security Assessment path is mandatory regardless of volume in most sectors.
Step 2: Identify Your Data Type and Sensitivity Level
The second factor is the nature of the data being transferred. China’s regulatory framework distinguishes between three categories with different compliance requirements:
| Data Category | Definition | Examples | Required Path | Additional Obligations |
|---|---|---|---|---|
| General Personal Information | Basic identity information without special protections | Name, email, phone number, job title | SCC or Certification | Individual consent, transparency notice |
| Sensitive Personal Information | Data whose disclosure could harm personal dignity or property | Biometric data, health info, financial accounts, location data | SCC or Certification (Security Assessment if 1M+) | Separate explicit consent, DPIA required |
| Important Data | Data that could harm national security or public interest if compromised | Energy grid data, mass transportation data, national health statistics | CAC Security Assessment (mandatory) | Government notification, industry-specific storage requirements |
Step 3: Determine Your Transfer Scenario
The third factor is the nature of the cross-border transfer itself. Different transfer scenarios may require different compliance approaches even for the same data type:
- Intra-group transfers (HQ to subsidiary): Most common for foreign companies. If the data volume exceeds 1M individuals, the Security Assessment is required. Below that threshold, SCCs between group entities are acceptable. Foreign companies should note that the SCC must be signed by the Chinese entity (the data exporter) and the overseas receiving entity — internal corporate policies are not substitutes.
- Vendor service transfers (Chinese vendor to overseas vendor): If a Chinese vendor processes personal data collected in China and transfers it to an overseas vendor (e.g., cloud services, payroll processing), the Chinese vendor is the data exporter and must complete the SCC or assessment. Foreign companies should include SCC obligations in all vendor contracts.
- Employee data transfers (HR data to global HR system): Under PIPL, employee data transfers are subject to the same rules as customer data transfers. Foreign companies with more than 100,000 employees in China whose HR data is processed globally should prepare for the Security Assessment path.
- Public disclosure (publishing data overseas): Publishing any Chinese personal data on overseas public platforms (e.g., making customer testimonials visible on a global website) constitutes a data transfer and requires individual consent plus SCC or certification filing.
Decision Flow: Determine Your Compliance Path
Follow this decision sequence to identify your required compliance path:
- Do you process important data as defined by your industry’s data catalogue? — If yes, proceed to CAC Security Assessment (Path 1). If no, continue to step 2.
- Do you process the personal information of 1 million or more individuals per year? — If yes, proceed to CAC Security Assessment (Path 1). If no, continue to step 3.
- Do you process sensitive personal information (biometrics, health, finance, location)? — If yes, you may use SCC (Path 2) with enhanced measures including a DPIA. For volumes approaching 1M, consider proactively applying for the Security Assessment. If no, continue to step 4.
- Is your data processing standardized across multiple jurisdictions with existing certification? — If yes, consider Certification (Path 3) for a streamlined global compliance framework. If no, the SCC (Path 2) is the most cost-effective option for most foreign companies below the volume threshold.
- Are you sharing data with a third-party vendor or intra-group entity? — Execute the CAC-mandated SCC template regardless of which path you choose. The SCC provisions for data subject rights, liability allocation, and dispute resolution apply to all transfer types.
Step-by-Step Implementation Guide by Path
Path 1: CAC Security Assessment
- Conduct a comprehensive data mapping exercise across all business lines processing personal information in China. Allocate 4–6 weeks.
- Engage a qualified Chinese law firm to prepare the Security Assessment application, including the data processing overview, risk assessment report, and legal opinion. Budget RMB 100,000–200,000.
- Complete a Data Protection Impact Assessment (DPIA) covering the necessity, proportionality, and risk mitigation measures for the proposed transfer. Allow 2–3 weeks.
- Submit the application to the CAC through the online portal (www.cac.gov.cn). The CAC has 7 working days to accept or reject the application.
- Respond to CAC follow-up questions within the prescribed timeline (typically 10 working days). The CAC may request additional documentation or clarifications.
- Receive the assessment decision within 45–60 working days of acceptance. If approved, the assessment is valid for 2 years.
Path 2: Standard Contract (SCC)
- Identify all data export activities and categorize by data type, volume, and receiving entity. Allow 2–3 weeks.
- Execute the CAC-mandated Standard Contract template with each receiving entity. The template is non-negotiable — you cannot modify its terms, but you may add supplementary measures that do not conflict.
- File the executed SCC with the provincial CAC office within 10 working days of execution. Provide the contract, a data transfer impact assessment, and a data inventory summary.
- Wait for the 10-day CAC objection window. If the CAC does not object within 10 working days, the SCC is effective. If the CAC objects, you must address the concerns before proceeding with data transfers.
- Renew the SCC whenever there is a material change to the data processing purpose, type, or volume, or when the contract term expires.
Path 3: Certification
- Select an accredited certification body from the CAC’s approved list (as of 2026, five bodies are accredited including China Cybersecurity Review Certification Center).
- Prepare the certification application package including data processing documentation, DPIA results, and cross-border data transfer policies. Allow 4–6 weeks.
- Undergo the certification body’s on-site or remote audit covering data governance, technical security measures, and organizational safeguards.
- Receive the certification decision within 3–4 months of application. Certification is valid for 3 years with annual surveillance audits.
Common Decision Mistakes and How to Avoid Them
- Underestimating data volume: Many foreign companies count only active user accounts, forgetting that their systems also process data of employees, vendors, partners, and historical users. Conduct a comprehensive data inventory before classifying your volume.
- Assuming intra-group transfers are exempt: Internal group data flows are not exempt from any compliance path — the Chinese entity exporting data to an overseas HQ triggers the same obligations as sending data to an external vendor.
- Choosing SCC when Security Assessment is mandatory: If you process over 1M individuals’ data, using SCCs alone is non-compliant even if the CAC has not yet detected the violation. The retroactive penalty risk is substantial.
- Ignoring “important data” classification: Industry-specific important data catalogues are updated regularly. A data type that was not classified as important in 2025 may be classified in 2026. Foreign companies should review the updated catalogues at least annually.
- Neglecting the individual consent requirement: None of the three compliance paths override the PIPL requirement for individual consent. You must separately inform data subjects about the cross-border transfer and obtain their explicit consent, regardless of which path you use.
Cost-Benefit Analysis by Foreign Company Profile
| Company Profile | Annual Data Volume (Individuals) | Recommended Path | First-Year Compliance Cost | Annual Recurring Cost |
|---|---|---|---|---|
| Small SaaS (B2B, 50 clients) | Under 10,000 | SCC | RMB 30K–50K (USD 4K–7K) | RMB 10K–20K |
| Mid-Size Manufacturer (500 employees) | 10,000–100,000 | SCC | RMB 50K–80K (USD 7K–11K) | RMB 20K–30K |
| Large E-Commerce Platform | 500,000–2,000,000 | Security Assessment | RMB 200K–350K (USD 28K–48K) | RMB 100K–150K (renewal every 2 years) |
| MNC with 10K Employees in China | 100,000–500,000 (HR + customer) | SCC + proactive assessment prep | RMB 80K–150K (USD 11K–21K) | RMB 30K–50K |
| Financial Services Company | 2M+ (including sensitive data) | Security Assessment (mandatory) | RMB 300K–500K (USD 41K–69K) | RMB 150K–200K |
Where to Go From Here
Based on what you just read:
- Ready to act? Read a step-by-step guide to completing your CAC Security Assessment application
- Still comparing? See a side-by-side comparison of SCC vs Certification for mid-volume data processors
- Need numbers? Try an interactive calculator for your specific data transfer compliance cost estimate
China Cross-Border Data Transfer Decision Tool: Determine Your Compliance Path — first published on China Gateway 360. Last updated: July 2026.
