top of page

Companies must comply with new rules for cross-border transfer of personal information

Multinational corporations operating in China often share information with their subsidiaries or headquarters outside the country. However, since the Measures on the Standard Contract for Cross-border Transfers of Personal Information came into effect last June, certain personal data processors, including companies handling data on fewer than 1 million people, are required to sign contracts with overseas recipients before sending data abroad.

The legislative framework in China for governing data security consists of three laws , the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, and a series of government regulations backed by these laws.

Accounting and Tax

The new rules, aimed at protecting national security, directly impact the cross-border transfer of personal information by businesses operating in China, Chinese companies listed overseas and those in data-rich industries such as retail, internet, health care, automotive, civil aviation, and finance.

Corporations which regularly share employee or customer data with their headquarters, share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China, may be subject to China’s cross-border data transfer requirements.

One of the three mechanisms for transferring personal information out of China is the signing of a standard contract with an overseas recipient.

The other two are a mandatory security assessment by the Cyberspace Administration of China (CAC) for critical information infrastructure operators and transfers of important/sensitive personal data; and certification by an accredited institution (such as for intra-group transfers, and data processors abroad subject to the extra-territorial application of China’s Personal Information Protection Law).

The certification is only available if the transfer does not fall within the mandatory assessment requirements, and not all entities can adopt this option, for example if representative offices set up by foreign entities are not eligible.

Businesses that transfer personal data out of Mainland China on a smaller scale, such as small and medium-sized enterprises, may opt for the standard contract.

This option can only be used under certain circumstances:

  • the data processor is not a critical information operator;

  • it processes the personal data of less than 1 million individuals;

  • since 1 January of the previous year, the personal data of less than 100,000 individuals (in aggregate) has been transferred; and

  • since 1 January of the previous year, sensitive personal data of not more than 10,000 individuals (in aggregate) has been transferred

A personal information protection impact assessment (PIA) must be executed before entering into the standard contract, according to the measures. This step evaluates important matters such as the legality and necessity of the data transfer, the scale, scope, and sensitivity of the outbound personal data, the risks to the rights and interests of individuals concerned, and other security issues.

Data systems must be compatible with Chinese law in order to pass the PIA.

It is prohibited to divide the data into smaller quantities to meet the standard contract criteria in an attempt to circumvent the mandatory security assessment regime.

The standard contract, impact assessment report and other supporting documents must be presented at the local cyberspace administration authority within 10 working days of the effective date of the contract.

Industry experts consider that many aspects of the rules remain vague, such as in security assessments, thus slowing down the approval process and causing confusion for some companies.

Can Woodburn help you?

While the Chinese government hopes to develop the digital economy to uplift the country's gross domestic product, the rules could slow down progress for the industry. Regulators are struggling to strike a balance between enhancing data security and promoting data-driven economic growth.

Though the Measures have been effective for some time, their implementation has been slow in practice as there are too many such companies in China and not enough manpower to handle their assessment reports.

A lack of clarity of the review criteria is slowing down the approval process, with regulators and companies not seeing eye-to-eye on why the requested data transfers are necessary. The measures for security assessment require applicants to explain why it is justified, legal and necessary for their data to flow overseas and for overseas recipients to process it, but not much more is specified.

With the implementation of the Measures on the standard contract, regulators will shift more of their efforts to helping these contracts complete the filing process, which in turn will speed up their approval of security assessments, according to experts.

He Yuan, executive director of Shanghai Jiao Tong University's data law research center, noted the workload on local regulators could increase substantially as firms with fewer than 1 million people will also need to sign a standard contract starting June.

High compliance costs, difficulties in communicating with overseas data recipients and regulatory uncertainty are some key factors affecting companies' willingness to declare cross-border data transfers.

Companies that need to rectify any non-compliant arrangements occurring before June 1, 2023, have until November 30, 2023 to do so.


Woodburn Accountants & Advisors is one of China’s most trusted business setup advisory firms.

Woodburn Accountants & Advisors is specialized in inbound investment to China and Hong Kong. We focus on eliminating the complexities of corporate services and compliance administration. We help clients with services ranging from trademark registration and company incorporation to the full outsourcing solution for accounting, tax, and human resource services. Our advisory services can be tailor-made based on the companies’ objectives, goals and needs which vary depending on the stage they are at on their journey.


Talk to an expert

Schedule a 30-mins complimentary, no-obligation call to see how Woodburn can help you. Book a call with our Head of Business Advisory - Kristina Koehler-Coluccia.

Topics we can advise on include:

  • Company Registration

  • Cloud Accounting & Financial Reporting

  • Cloud Payroll Services

  • Tax & Audit Services

  • Recruitment

  • Employer-of-Record

  • Visa Application

  • Trademark Registration

  • Switch to Woodburn

  • Partner with Woodburn (cross referral) 

Our calls are automatically scheduled via Zoom - or via Teams, WeChat or WhatsApp upon direct request. 

Our advisory calls are available from Monday-Friday from 8am to 5pm CEST and Wednesday until 9pm CEST.



Woodburn Accountants & Advisors is one of China and Hong Kong’s
most trusted business setup advisory firms

bottom of page