What data can I transfer out of China without a security assessment?

Date:

Share post:





What data can I transfer out of China without a security assessment?


What data can I transfer out of China without a security assessment?

China’s data export regime, established under the Personal Information Protection Law (PIPL), the Data Security Law (DSL), and the Cybersecurity Law (CSL), imposes strict requirements on cross-border data transfers. For foreign-invested enterprises operating in China, understanding which data can leave the country without undergoing a formal security assessment is essential for compliance planning and cost management. The answer depends on the type of data in question, the volume involved, and whether it has been properly anonymized.

Understanding the Three Data Categories Under Chinese Law

Chinese data protection law classifies data into three broad categories, each subject to different transfer rules. The first category is personal information, which encompasses any data relating to an identified or identifiable natural person. The second is important data, which refers to data that, if tampered with, destroyed, leaked, or illegally obtained or used, may harm national security, economic operations, or public interests. The third category is general business data, which includes operational and commercial information that does not fall into either of the first two categories.

The security assessment requirement applies primarily to the cross-border transfer of important data and large volumes of personal information. Data that falls outside these categories is generally not subject to the security assessment procedure, though it may still be subject to other transfer mechanisms such as standard contractual clauses or certification.

Data That Does Not Require a Security Assessment

The following types of data can typically be transferred out of China without undergoing a formal security assessment with the Cyberspace Administration of China (CAC), provided that other applicable legal requirements are met.

Anonymized Data

Data that has been properly anonymized falls outside the scope of PIPL and is therefore not subject to any cross-border transfer restrictions. Under Article 4 of PIPL, personal information means information recorded electronically or otherwise that relates to an identified or identifiable natural person. Data that cannot identify a specific individual — after anonymization — no longer constitutes personal information. However, the standard for anonymization under Chinese law is stringent. The Measures for Security Assessment of Data Cross-Border Transfer require that the anonymization process be irreversible. Simply removing names and ID numbers is insufficient if the data could still be re-identified through aggregation or correlation with other datasets. Enterprises must ensure that the anonymization process meets the technical standards set by relevant authorities to avoid regulatory risk.

General Business Data With No Personal or Important Data Component

Routine operational data that contains no personal information and has not been classified as important data can be transferred freely. Examples include publicly available market research reports, aggregated industry statistics, operational metrics that do not identify individuals, and internal company policies that contain no employee personal data. However, enterprises should exercise caution when transferring financial data, supply chain information, or strategic planning documents. Even if such data does not qualify as important data under the DSL, it may still be subject to contractual confidentiality obligations or industry-specific regulations.

Data Exported Under the Standard Contractual Clauses (SCC) Route

Rather than a full security assessment, enterprises that transfer moderate volumes of personal information may use the Standard Contractual Clauses for Cross-Border Transfer of Personal Information (China SCCs). This mechanism does not require prior approval from the CAC but does require the filing of signed contracts with provincial-level cyberspace administrations. The SCC route is available for personal information transfers that fall below the volume thresholds that trigger mandatory security assessment. For most enterprises, this is the most practical route for routine HR data, customer data, and supplier information transfers to overseas headquarters.

Key Point: The security assessment requirement is triggered when an enterprise transfers important data, or personal information exceeding specified volume thresholds. Below these thresholds, SCCs or certification may be used instead of a full CAC security assessment.

Data Transferred Under the Certification Route

Personal information protection certification, issued by accredited institutions, serves as an alternative to both the security assessment and the SCC route. Enterprises that obtain certification for their data processing and transfer practices can rely on this certification as the legal basis for cross-border data transfers, provided the certification covers the specific data processing activities in question. This route is particularly suitable for multinational enterprises that transfer data frequently across multiple jurisdictions and wish to establish a compliance framework that can be centrally managed.

Volume Thresholds That Trigger Mandatory Security Assessment

The Measures for Security Assessment of Data Cross-Border Transfer, effective September 1, 2022, establish clear thresholds that determine when a CAC security assessment is mandatory. An enterprise must apply for a security assessment if any of the following conditions are met:

  • It transfers important data of any volume outside China.
  • It has processed the personal information of 1 million or more individuals since January 1 of the previous year and plans to transfer personal information abroad.
  • It has accumulated personal information of 100,000 or more individuals or sensitive personal information of 10,000 or more individuals since January 1 of the previous year, and plans to transfer such information abroad.

If an enterprise does not meet any of these thresholds, it may use the SCC route or the certification route instead of the security assessment. This is the critical distinction: data below these thresholds can be transferred without a security assessment, provided a valid legal transfer mechanism is in place.

Important Data Classification and Its Implications

The concept of important data under the DSL is deliberately broad. The Data Security Law defines important data as data that, if leaked, could directly harm national security, economic stability, or public interest. Each industry sector is expected to publish its own catalog of important data categories. As of 2026, several industries have published or drafted important data catalogs, including the financial sector, the automotive industry, telecommunications, energy, and healthcare. Foreign-invested enterprises in these sectors should review the relevant catalogs to determine whether the data they process qualifies as important data. If it does, any cross-border transfer of such data, regardless of volume, requires a security assessment.

Importantly, the default assumption should be that data is NOT important data unless it falls within a published catalog or sectoral guideline. Regulators have indicated that only a small subset of enterprise data qualifies as important data, and proactiveness in classifying data as important is not expected or encouraged. Enterprises should, however, document their classification decisions and be prepared to justify them during audits or inspections.

Practical Recommendations for Foreign Enterprises

To minimize the compliance burden while ensuring lawful cross-border data flows, foreign enterprises operating in China should adopt the following strategies. First, implement a data classification system that clearly identifies personal information, important data, and general business data. This classification should be documented and reviewed regularly as regulations evolve.

Second, invest in robust anonymization or pseudonymization techniques for data that does not need to be transferred in identifiable form. Properly anonymized data is not subject to PIPL’s cross-border restrictions, making it the most cost-effective route for bulk data transfers for analytics, research, or business intelligence purposes.

Third, for personal information that must be transferred in identifiable form and falls below the mandatory security assessment thresholds, execute and file the China SCCs with the relevant provincial cyberspace administration. This provides a clear legal basis for the transfer without the time and expense of a full security assessment.

Fourth, monitor the development of sectoral important data catalogs in your industry. Even if your data currently does not qualify as important data, regulatory definitions may expand, and what is freely transferable today may require a security assessment tomorrow.

Practical Note: Most routine cross-border data transfers by foreign-invested enterprises — including employee HR data for payroll and benefits administration, customer contact information for global CRM systems, and supplier data for procurement — fall below the security assessment thresholds. For these transfers, the SCC route is the appropriate mechanism, and no security assessment is required.

Consequences of Non-Compliance

Transferring data outside China without the appropriate legal mechanism carries significant penalties under PIPL. For general personal information violations, enterprises may face fines of up to 50 million RMB or 5 percent of annual revenue, whichever is higher. Responsible individuals may face fines of up to 1 million RMB and potential restrictions on holding management positions. In cases involving important data, penalties may include suspension of business operations, revocation of business licenses, and criminal liability. These enforcement actions are not theoretical — several multinational companies have faced investigations and penalties for data transfer violations since PIPL came into effect.

Summary

Data that can be transferred out of China without a security assessment includes properly anonymized data, general business data that does not contain personal information or important data, and personal information transferred under the SCC or certification routes that falls below the mandatory assessment thresholds. The key to a compliant data transfer strategy is accurate data classification and the selection of the appropriate legal mechanism based on the data type and volume. For most routine business transfers by foreign enterprises in China, the SCC route provides a practical and lawful path that does not require a security assessment, while anonymization offers the most flexibility for bulk non-identifiable data transfers.


Related articles

How a Korean Logistics Firm Set Up 3 Warehouses Across China: Real Estate Case Study

How a Korean Logistics Firm Set Up 3 Warehouses Across China: Real Estate Case Study body{font-family:'Segoe UI',Arial,sans-serif;line-height:1.8;colo

How a Japanese Manufacturer Bought Factory Land in Suzhou Industrial Park: Case Study

How a Japanese Manufacturer Bought Factory Land in Suzhou Industrial Park: Case Study A Japanese automotive precision components maker, Aichi Precisio

How a French Retailer Negotiated a Prime Location Lease in Nanjing Road: Case Study

How a French Retailer Negotiated a Prime Location Lease in Nanjing Road: Case Study body{font-family:'Segoe UI',Arial,sans-serif;line-height:1.8;color

How a Japanese Manufacturer Bought Factory Land in Suzhou Industrial Park: Case Study

How a Japanese Manufacturer Bought Factory Land in Suzhou Industrial Park: Case Study A Japanese automotive precision components maker, Aichi Precisio