If your China operation moves employee or customer data out of the country, 2026 is the year to get your transfer mechanism right. The framework is now complete — and "we'll deal with it later" has stopped being a safe answer.
- Three legal routes move personal data out of China: CAC security assessment, standard contract, and certification.
- Rough fit: large or sensitive flows and CIIOs → security assessment; most mid-size standalone transfers → standard contract; recurring multi-entity intra-group flows → certification.
- The groundwork comes first, not after: notice, separate consent where required, and a PIPIA. A signed standard contract on top of missing consents fixes nothing.
- The CAC's 2024 rules raised the volume thresholds that trigger these procedures and created exemptions for scenarios such as international trade, cross-border transport, HR administration and contract performance — check whether you need a route at all before choosing one.
- Since April 2026, a Shanghai-wide negative list may exempt off-list flows entirely (see the update below).
Since 1 January 2026, China offers three legal routes to move personal data across the border, with the newer certification path completing the set. Choosing the right one — and doing the groundwork first — is what separates a clean transfer from an enforcement risk.
The three routes, in plain terms
1. Security Assessment (CAC) — the heaviest
A government review led by the Cyberspace Administration of China. It applies to large volumes of personal data, sensitive personal data, and critical information infrastructure operators. Expect the most scrutiny and the longest timeline — build it into the project plan, not the final week.
2. Standard Contract — the workhorse
The route most mid-size transfers use. You enter into the CAC standard contract with the overseas recipient and file it, together with a personal-information protection impact assessment. Proportionate, well-understood, and the default for a typical foreign group moving HR or customer data to headquarters.
3. Certification — the newer route
Obtain a certification from an accredited body. It is well suited to intra-group transfers across multiple entities under common rules, and a certification is typically valid for three years — useful where the same flows repeat across a corporate group.
Two things foreign companies still miss
- The groundwork is not optional. Notice, separate consent and the impact assessment come before the transfer mechanism — not after. A signed standard contract on top of missing consents does not fix the underlying gap.
- Penalties went up. 2026 amendments raised the consequences of getting this wrong. Enforcement is the trend, not the exception — the cost of "later" has risen.
How to choose
Pick the route that fits your data, not the one that looks easiest this quarter. As a rough guide: large or sensitive flows and CIIOs point to a security assessment; most standalone mid-size transfers fit the standard contract; and recurring, multi-entity intra-group flows are often best served by certification. The right answer depends on volume, sensitivity, your role, and the shape of your group.
For foreign companies operating in China, the practical move in 2026 is to map where personal data actually leaves the country, match each flow to a route, and complete the notice-consent-assessment groundwork now — before an audit makes the choice for you.
Frequently asked questions
It depends on the volume and sensitivity of the data and whether you are a critical information infrastructure operator. Most mid-size groups use the standard contract; intra-group transfers often suit certification; large or sensitive flows may require a security assessment.
Generally no. Notice, separate consent where required, and a personal-information protection impact assessment are prerequisites that apply before any transfer route — the mechanism sits on top of that groundwork.
A data-transfer certification is typically valid for three years, which makes it attractive for recurring intra-group flows across multiple entities.
Not always. The CAC's 2024 rules raised the personal-information volume thresholds that trigger these procedures and created exemptions for scenarios such as international trade, cross-border transport, HR administration and contract performance. And if you are registered in Shanghai, an off-list flow under the city's negative list may be exempt. Establish whether a route is required before choosing between the three.
Sources
- China Briefing — CAC Provisions on Promoting and Regulating Cross-border Data Flows (effective 22 March 2024) — raised volume thresholds, scenario exemptions, security-assessment validity extended to three years, and the authority for free trade zones to set their own negative lists.
- Shanghai's data export negative list now covers the whole city — our companion piece on the April 2026 city-wide extension.
This article is general information for foreign companies, not legal advice on any specific matter. Rules and practice change; please take advice on your facts.
