China PIPL Five Years On: Cross-Border Transfer Pathways Mature, Certification Closes the Gap (2026)
The Cyberspace Administration of China (CAC) has significantly clarified and refined the practical compliance pathways for cross-border data transfers through its October 31, 2025 Q&A (FAQ) and the October 14, 2025 Measures on Certification for Cross-Border Transfer of Personal Information (effective January 1, 2026). These updates provide critical operational parameters for multinational compliance teams, establishing strict boundaries around exemptions, defining a hard two-month timeline for Important Data assessments, and formalizing the Personal Information Protection (PIP) Certification pathway.
1. Narrow Construction of Cross-Border Exemptions
While the March 2024 Provisions on Promoting and Regulating Cross-Border Data Flows introduced helpful exemptions for contract performance and human resources management, the CAC's October 2025 FAQ warns that these exemptions must be narrowly construed.
- Contract Performance: The examples listed in the 2024 Provisions (e.g., cross-border shopping, shipping, remittance, flight bookings) are illustrative and not exhaustive. To qualify, a transfer must meet two criteria: (1) it is for the conclusion or performance of a contract to which the individual is a party, and (2) it is strictly necessary to transfer the personal information abroad.
- HR Management: To qualify, the transfer must be strictly necessary for HR management, limited only to personal information directly relevant to HR, and executed in a way that minimizes the impact on employees. The CAC advises that companies should not transfer higher-risk data (such as national ID numbers, passports, or bank accounts) without first verifying that the transfer meets these criteria. Furthermore, basic obligations—such as individual notification, separate consent, and conducting a Personal Information Protection Impact Assessment (PIA)—remain mandatory even when an exemption applies.
2. Important Data and the Hard Two-Month Assessment Trigger
The processing of "Important Data" (data posing national security or public interest risks) remains heavily regulated. The CAC May 2025 and October 2025 FAQs clarify that while data processors do not need to self-diagnose "Important Data" in the absence of official notification or public announcement, they must act immediately upon receiving notification:
- Once notified by relevant regulators (such as the National Medical Products Administration for life sciences) that they hold Important Data, processors must apply for a Security Assessment within two months.
- Crucially, all transfers of Important Data must stop until the Security Assessment is completed. Because there is no grace period for this two-month deadline, compliance teams are advised to prepare draft assessment materials while the regulatory identification process is still ongoing.
3. Overseas Remote Access vs. Local Access
The Guidelines for Data Export Security Assessment (Version 3), effective June 27, 2025, confirm that remote access to mainland China-stored data by overseas personnel constitutes a cross-border transfer. However, the October 2025 FAQ clarifies a vital distinction:
"The FAQ clarifies that when overseas personnel travel to mainland China and access data locally without transferring the data abroad, such access is NOT deemed to be cross-border data transfer, and that whether a cross-border data transfer occurs depends on where the access takes place."
4. Standard Contractual Clauses (SCC) Filing for Continuous Transfers
For continuous data transfers to the same recipient, processors can submit a single SCC filing based on a reasonable annual estimate, avoiding repetitive filings. However:
- If cumulative transfer volumes exceed the Security Assessment thresholds (e.g., personal information of more than 1 million individuals or sensitive personal information of more than 10,000 individuals calculated from January 1 of that year), the processor must immediately apply for a Security Assessment.
- Any "substantial" changes (such as new recipients, new purposes, or server location changes) require a complete re-filing of the entire compliance package, as there is currently no simplified update process. Onward transfers by the overseas recipient to third parties must be explicitly disclosed in Appendix I of the SCC filing.
5. PIP Certification Pathway Formalized
The CAC's Measures on Certification for Cross-Border Transfer of Personal Information (issued October 14, 2025, effective January 1, 2026) and the national standard GB/T 46068-2025 (Data Security Technology — Security Certification Requirements for Cross-Border Processing Activity of Personal Information) establish PIP Certification as a highly practical compliance pathway, especially for intra-group transfers within multinational corporations.
- The certification process involves technical verification, on-site review, and post-certification supervision by CAC-approved professional Certification Institutions.
- GB/T 46068-2025 outlines specific requirements for data subject rights, notification, consent, and the retention of processing records, providing a standardized baseline for audit.