Beijing · China Counsel for Foreign Companies
Compliance · Data

PIPL Cross-border Data Transfer: The Three Legal Routes (2026)

June 18, 2026  ·  About 6 min read  ·  Beijing Gaojin Law Firm

If your China operation moves employee or customer data out of the country, 2026 is the year to get your transfer mechanism right. The framework is now complete — and "we'll deal with it later" has stopped being a safe answer.

Since 1 January 2026, China offers three legal routes to move personal data across the border, with the newer certification path completing the set. Choosing the right one — and doing the groundwork first — is what separates a clean transfer from an enforcement risk.

The three routes, in plain terms

1. Security Assessment (CAC) — the heaviest

A government review led by the Cyberspace Administration of China. It applies to large volumes of personal data, sensitive personal data, and critical information infrastructure operators. Expect the most scrutiny and the longest timeline — build it into the project plan, not the final week.

2. Standard Contract — the workhorse

The route most mid-size transfers use. You enter into the CAC standard contract with the overseas recipient and file it, together with a personal-information protection impact assessment. Proportionate, well-understood, and the default for a typical foreign group moving HR or customer data to headquarters.

3. Certification — the newer route

Obtain a certification from an accredited body. It is well suited to intra-group transfers across multiple entities under common rules, and a certification is typically valid for three years — useful where the same flows repeat across a corporate group.

Before any route works: you must do the basics first — give notice, obtain separate consent where required, and complete an impact assessment. Skipping the groundwork undermines whichever mechanism you pick.

Two things foreign companies still miss

  • The groundwork is not optional. Notice, separate consent and the impact assessment come before the transfer mechanism — not after. A signed standard contract on top of missing consents does not fix the underlying gap.
  • Penalties went up. 2026 amendments raised the consequences of getting this wrong. Enforcement is the trend, not the exception — the cost of "later" has risen.

How to choose

Pick the route that fits your data, not the one that looks easiest this quarter. As a rough guide: large or sensitive flows and CIIOs point to a security assessment; most standalone mid-size transfers fit the standard contract; and recurring, multi-entity intra-group flows are often best served by certification. The right answer depends on volume, sensitivity, your role, and the shape of your group.

For foreign companies operating in China, the practical move in 2026 is to map where personal data actually leaves the country, match each flow to a route, and complete the notice-consent-assessment groundwork now — before an audit makes the choice for you.

Frequently asked questions

Which route applies to us?
It depends on the volume and sensitivity of the data and whether you are a critical information infrastructure operator. Most mid-size groups use the standard contract; intra-group transfers often suit certification; large or sensitive flows may require a security assessment.
Can we transfer data if we haven't collected separate consent?
Generally no. Notice, separate consent where required, and a personal-information protection impact assessment are prerequisites that apply before any transfer route — the mechanism sits on top of that groundwork.
How long is a certification valid?
A data-transfer certification is typically valid for three years, which makes it attractive for recurring intra-group flows across multiple entities.

This article is general information for foreign companies, not legal advice on any specific matter. Rules and practice change; please take advice on your facts.

← All insights

A China question behind this?

If this touches a decision you're weighing, a short conversation is the fastest way to get to a clear answer.