China Cross-Border Data Transfer Decision Tool: Determine Your Compliance Path
Navigating China’s cross-border data transfer (跨境数据传输, kuàjìng shùjù chuánshū) rules under the PIPL requires a clear decision path. Our 5-question Decision Tool evaluates whether your organization needs the Security Assessment (安全评估, ānquán pínggū), the Standard Contractual Clauses (标准合同条款, biāozhǔn hétóng tiáokuǎn, SCC), or the Certification (认证, rènzhèng). By analyzing key thresholds such as the 100 MB cumulative transfer volume or processing data of 1 million users, this tool determines your specific compliance route.
Why This Tool Is Essential
Failure to comply with the correct path renders the data transfer illegal under the PIPL. Companies face fines of up to RMB 50 million or 5% of annual revenue. Additionally, legal representatives can face personal fines of RMB 100,000 to 1 million. This tool helps you avoid these severe outcomes by clarifying your initial filing obligation before you commit significant resources to the wrong process.
How the Decision Tool Works
This tool is based on the Data Cross-Border Security Assessment Measures (数据出境安全评估办法, shùjù chūjìng ānquán pínggū bànfǎ) and the PIPL. It asks a sequence of structured questions regarding your data processing status. The outcome is one of three compliance paths: Security Assessment, Standard Contractual Clauses, or Certification. The evaluation cycle typically takes 4-8 weeks to complete internally before filing.
The 3 Critical Parameters
Your path depends on three variables: (1) Whether you are a CIIO (关键信息基础设施运营者, guānjiàn xìnxī jīchǔ shèshī yùnyíng zhě), (2) the total volume of data transferred cumulatively (the 100 MB threshold), and (3) the number of data subjects affected (1 million users for personal info, 100,000 for sensitive data).
Step-by-Step: Using the Tool Output
Step 1: Determine your CIIO status. If unsure, consult the industry-specific CIIO rules published by the MIIT. Step 2: Calculate your data volume. Use our Data Mapping template to estimate the cumulative transfer over 6 months. Step 3: Match your scenario to the Decision Matrix below. If your path is Security Assessment, allocate at least 3 months for preparation.
Decision Matrix: Choose Your Path
| If You Are… | Data Type | Volume / Subjects | Required Path |
|---|---|---|---|
| CIIO | Any | Any | Security Assessment |
| Non-CIIO | Personal Info | ≥100 MB OR ≥1M subjects | Security Assessment |
| Non-CIIO | Sensitive PI | ≥10,000 subjects | Security Assessment |
| Non-CIIO | Personal Info | <100 MB AND <1M subjects | SCC or Certification |
| Non-CIIO | Sensitive PI | <10,000 subjects | SCC or Certification |
Note: The Security Assessment must be re-filed every 2 years or when circumstances change. The CAC has 45 working days to process the application.
Decision Framework
If your entity is classified as a Critical Information Infrastructure Operator (CIIO) in sectors like finance, energy, or telecommunications, choose the Security Assessment. This path requires an application to the CAC and a re-assessment every 2 years.
If your entity processes data of fewer than 1 million individuals and transfers less than 100 MB cumulatively, choose the Standard Contractual Clauses (SCC) or Certification. This is a less burdensome path but requires strict contract management. The SCCs must be filed with the local cyberspace administration within 10 working days of execution.
Top 3 Pitfalls in Data Transfers
Next Steps for Compliance
Once you have determined your path, execution is critical. Start with a Data Mapping exercise, prepare your Legal Impact Assessment (LIA), and engage with certified cybersecurity auditors.
- Read our Complete Guide to PIPL Compliance for a step-by-step legal roadmap covering all filing scenarios.
- Prepare for the Security Assessment Application with our dedicated preparation checklist and document templates.
- Download our Standard Contractual Clauses Template (China) to accelerate your SCC filing and ensure legal accuracy.
— China Gateway 360 —
Remote China market entry support, built around execution.
