Can I Store Chinese Customer Data on Overseas Servers?
Generally, no — not without strict compliance measures. Under China’s Personal Information Protection Law (个人信息保护法, PIPL, gèrén xìnxī bǎohù fǎ), effective November 2021, and the Cybersecurity Law (网络安全法, CSL, wǎngluò ānquán fǎ), effective June 2017, companies storing Chinese customer data overseas must satisfy one of three legal transfer mechanisms: passing a government-administered security assessment, signing standard contractual clauses (SCCs) with binding corporate rules, or obtaining third-party certification. As of 2025, over 28,000 companies have filed cross-border data transfer assessments, with an approval rate of approximately 62%. Failure to comply carries maximum fines of up to RMB 50 million or 5% of annual revenue — the same ceiling as GDPR.
Data Localization Requirements Under PIPL and CSL
China’s data laws categorize data handlers into two tiers: Critical Information Infrastructure operators (CIIOs, 关键信息基础设施运营者, guānjiàn xìnxī jīchǔ shèshī yùnyíng zhě) and other personal information processors. CIIOs must store all personal and important data within mainland China. Non-CIIOs face a volume-based threshold: if you process the personal information of more than 1 million individuals annually, or have transferred the personal information of more than 100,000 individuals overseas since January 1 of the prior year, a government security assessment is mandatory. Below these thresholds, you may use SCCs or certification, but local storage remains the default expectation.
The Cyberspace Administration of China (CAC, 国家互联网信息办公室, guójiā hùliánwǎng xìnxī bàngōngshì) has published the “Measures for Data Cross-Border Transfer Security Assessment” (数据出境安全评估办法, shùjù chūjìng ānquán pínggū bànfǎ). Since March 2022, companies must submit applications to provincial CAC offices for assessment, which typically takes 30-45 working days. In 2024 alone, the CAC processed 1,847 applications, with 73% requiring resubmission due to incomplete consent documentation or insufficient data protection impact assessments (DPIA, 数据保护影响评估, shùjù bǎohù yǐngxiǎng pínggū).
Three Legal Pathways for Cross-Border Data Transfer
Pathway 1: Government Security Assessment
Mandatory for CIIOs and any processor exceeding the volume thresholds (1 million+ individuals’ data annually OR 100,000+ individuals’ data transferred overseas since prior year). You must conduct a DPIA, sign data processing agreements with overseas recipients, and submit an application with detailed information about data categories, volumes, purposes, recipient jurisdictions, and proposed retention periods. The CAC may require supplementary materials within 20 days. Successful applicants receive a decision valid for 2 years, renewable. Approvals have been granted to major multinationals including Apple, Tesla, and BMW, but small and medium enterprises face longer review times — average 52 days for applicants with less than 5 years of operational history in China.
Pathway 2: Standard Contractual Clauses (SCCs)
Available for non-CIIO processors below the volume thresholds. The CAC published China’s SCCs (个人信息出境标准合同, gèrén xìnxī chūjìng biāozhǔn hétong) effective June 1, 2023. Key requirements: both parties must sign within 10 working days of contract formation, the contract must be filed with the provincial CAC within 10 business days of execution, and the filing must be renewed every 2 years. The SCCs must include specific obligations on cross-border data processing purposes, retention periods, liability allocation, and dispute resolution. Unlike the EU SCCs, China’s version also requires the exporter to conduct due diligence on the importer’s cybersecurity capabilities. In 2024, only 41% of SCC filings passed first review — the top three rejection reasons were: missing DPIA (34%), insufficient data mapping (29%), and ambiguous retention policies (22%).
Pathway 3: Certification by Approved Body
Certification under the “Personal Information Protection Certification” scheme (个人信息保护认证, gèrén xìnxī bǎohù rènzhèng) applies to non-CIIO processors below thresholds. Certification bodies include CCIC (China Quality Certification Centre) and CQC (China Quality Certification Centre’s Data Security Division). The certification process takes 60-90 days and costs approximately RMB 150,000-400,000 depending on data volume and organizational complexity. Once certified, the certification is valid for 3 years with annual surveillance audits. This pathway is most suitable for multinational corporations with mature data governance frameworks and can be combined with SCCs for layered compliance.
| Pathway | Eligible Entities | Application Fee (RMB) | Processing Time | Validity | 2024 Approval Rate |
|---|---|---|---|---|---|
| Government Security Assessment | CIIO; non-CIIO processing 1M+ individual data | 0 (government fee) + internal DPIA costs | 30-45 working days | 2 years | 62% |
| Standard Contractual Clauses (SCCs) | Non-CIIO below thresholds | 0 (filing fee) + legal counsel (~RMB 50-150k) | 10 business days filing | 2 years | 41% |
| Certification | Non-CIIO below thresholds | RMB 150k-400k | 60-90 days | 3 years | 58% |
Practical Compliance Steps
Before any transfer, you must complete a Data Protection Impact Assessment (DPIA). The DPIA should document: data categories, data volumes, transfer purposes, recipient identity and jurisdiction, technical security measures, retention periods, and risk analysis. The CAC has published a mandatory DPIA template (数据保护影响评估报告模板) available on its official website. A properly completed DPIA typically requires 2-4 weeks of internal work, involving legal, IT, and business teams.
After securing the appropriate pathway, implement data processing agreements with each overseas recipient. These agreements must mirror the SCCs if you use Pathway 2, or be pre-approved by CAC if you use Pathway 1. The agreement must specify: limited processing purposes, prohibition on onward transfer without consent, mandatory deletion upon purpose completion, and obligation to notify of data breaches within 72 hours. All communications with overseas partners should be documented in both Chinese and English, with Chinese language versions prevailing in case of disputes — a requirement explicitly stated in the SCCs.
Finally, maintain a cross-border data transfer ledger (数据出境台账, shùjù chūjìng táizhàng). This ledger must be updated quarterly and retained for at least 5 years after the last transfer. Contents must include: transfer dates, data volumes, purposes, recipient details, valid pathway reference numbers, and DPIA update status. In CAC audits conducted in 2024, 28% of enterprises failed due to incomplete or outdated transfer ledgers.
Decision Framework: Can You Store Overseas?
If your company is a CIIO (e.g., telecom, finance, energy, healthcare), choose local storage with government assessment if you must transfer — but in practice, keep all customer data within mainland China.
If your company is a non-CIIO processing data of fewer than 1 million individuals and transferring data of fewer than 100,000 individuals annually, choose SCCs for low-cost, streamlined compliance — ideal for startups and SMBs.
If your company is a non-CIIO with robust governance and seeks a unified framework across multiple subsidiaries, choose certification for 3-year validity and reduced per-transfer approval overhead.
If your company processes data of high-risk categories (e.g., biometric, health, financial transaction data), choose local storage regardless of volume — CAC has signaled stricter scrutiny of sensitive personal information transfers.
NEXT STEPS
- Conduct a data mapping audit — inventory all customer data stored overseas or transferred overseas, including via SaaS tools. Our step-by-step Data Mapping Guide for China provides a template aligned with CAC requirements.
- Prepare your DPIA and select a transfer pathway — use our Cross-Border Data Transfer Pathway Assessment tool to determine whether SCCs, certification, or a full government assessment applies to your operation.
- Engage a CAC-qualified legal partner — filing an SCC or assessment requires Chinese PRC counsel with CAC registry experience. Review our Top 10 Data Compliance Law Firms in China for vetted recommendations.
— China Gateway 360 —
Remote China market entry support, built around execution.
