Beijing · China Counsel for Foreign Companies
Compliance · Data

PIPL Cross-border Data Transfer: The Three Legal Routes (2026)

June 18, 2026  ·  About 6 min read

By Aaron Lv, Partner  ·  China-qualified  ·  Beijing Gaojin Law Firm

Last updated: July 17, 2026

If your China operation moves employee or customer data out of the country, 2026 is the year to get your transfer mechanism right. The framework is now complete — and "we'll deal with it later" has stopped being a safe answer.

Key takeaways
  • Three legal routes move personal data out of China: CAC security assessment, standard contract, and certification.
  • Rough fit: large or sensitive flows and CIIOs → security assessment; most mid-size standalone transfers → standard contract; recurring multi-entity intra-group flows → certification.
  • The groundwork comes first, not after: notice, separate consent where required, and a PIPIA. A signed standard contract on top of missing consents fixes nothing.
  • The CAC's 2024 rules raised the volume thresholds that trigger these procedures and created exemptions for scenarios such as international trade, cross-border transport, HR administration and contract performance — check whether you need a route at all before choosing one.
  • Since April 2026, a Shanghai-wide negative list may exempt off-list flows entirely (see the update below).

Since 1 January 2026, China offers three legal routes to move personal data across the border, with the newer certification path completing the set. Choosing the right one — and doing the groundwork first — is what separates a clean transfer from an enforcement risk.

Update — July 2026: Shanghai has since extended its data export negative list to the entire city, the first of its kind in China. If you are registered in Shanghai and your data sits off that list, you may be able to take a simplified route and bypass the security assessment or standard contract. The three routes below still govern everything on the list — and all important data, high-volume sensitive personal information, and CIIOs, regardless of the list.

The three routes, in plain terms

1. Security Assessment (CAC) — the heaviest

A government review led by the Cyberspace Administration of China. It applies to large volumes of personal data, sensitive personal data, and critical information infrastructure operators. Expect the most scrutiny and the longest timeline — build it into the project plan, not the final week.

2. Standard Contract — the workhorse

The route most mid-size transfers use. You enter into the CAC standard contract with the overseas recipient and file it, together with a personal-information protection impact assessment. Proportionate, well-understood, and the default for a typical foreign group moving HR or customer data to headquarters.

3. Certification — the newer route

Obtain a certification from an accredited body. It is well suited to intra-group transfers across multiple entities under common rules, and a certification is typically valid for three years — useful where the same flows repeat across a corporate group.

Before any route works: you must do the basics first — give notice, obtain separate consent where required, and complete an impact assessment. Skipping the groundwork undermines whichever mechanism you pick.

Two things foreign companies still miss

  • The groundwork is not optional. Notice, separate consent and the impact assessment come before the transfer mechanism — not after. A signed standard contract on top of missing consents does not fix the underlying gap.
  • Penalties went up. 2026 amendments raised the consequences of getting this wrong. Enforcement is the trend, not the exception — the cost of "later" has risen.

How to choose

Pick the route that fits your data, not the one that looks easiest this quarter. As a rough guide: large or sensitive flows and CIIOs point to a security assessment; most standalone mid-size transfers fit the standard contract; and recurring, multi-entity intra-group flows are often best served by certification. The right answer depends on volume, sensitivity, your role, and the shape of your group.

For foreign companies operating in China, the practical move in 2026 is to map where personal data actually leaves the country, match each flow to a route, and complete the notice-consent-assessment groundwork now — before an audit makes the choice for you.

Frequently asked questions

Which route applies to us?
It depends on the volume and sensitivity of the data and whether you are a critical information infrastructure operator. Most mid-size groups use the standard contract; intra-group transfers often suit certification; large or sensitive flows may require a security assessment.
Can we transfer data if we haven't collected separate consent?
Generally no. Notice, separate consent where required, and a personal-information protection impact assessment are prerequisites that apply before any transfer route — the mechanism sits on top of that groundwork.
How long is a certification valid?
A data-transfer certification is typically valid for three years, which makes it attractive for recurring intra-group flows across multiple entities.
Do we need a transfer route at all?
Not always. The CAC's 2024 rules raised the personal-information volume thresholds that trigger these procedures and created exemptions for scenarios such as international trade, cross-border transport, HR administration and contract performance. And if you are registered in Shanghai, an off-list flow under the city's negative list may be exempt. Establish whether a route is required before choosing between the three.

Sources

This article is general information for foreign companies, not legal advice on any specific matter. Rules and practice change; please take advice on your facts.

← All insights

A China question behind this?

If this touches a decision you're weighing, a short conversation is the fastest way to get to a clear answer.