If your China operation moves employee or customer data out of the country, 2026 is the year to get your transfer mechanism right. The framework is now complete — and "we'll deal with it later" has stopped being a safe answer.
Since 1 January 2026, China offers three legal routes to move personal data across the border, with the newer certification path completing the set. Choosing the right one — and doing the groundwork first — is what separates a clean transfer from an enforcement risk.
The three routes, in plain terms
1. Security Assessment (CAC) — the heaviest
A government review led by the Cyberspace Administration of China. It applies to large volumes of personal data, sensitive personal data, and critical information infrastructure operators. Expect the most scrutiny and the longest timeline — build it into the project plan, not the final week.
2. Standard Contract — the workhorse
The route most mid-size transfers use. You enter into the CAC standard contract with the overseas recipient and file it, together with a personal-information protection impact assessment. Proportionate, well-understood, and the default for a typical foreign group moving HR or customer data to headquarters.
3. Certification — the newer route
Obtain a certification from an accredited body. It is well suited to intra-group transfers across multiple entities under common rules, and a certification is typically valid for three years — useful where the same flows repeat across a corporate group.
Two things foreign companies still miss
- The groundwork is not optional. Notice, separate consent and the impact assessment come before the transfer mechanism — not after. A signed standard contract on top of missing consents does not fix the underlying gap.
- Penalties went up. 2026 amendments raised the consequences of getting this wrong. Enforcement is the trend, not the exception — the cost of "later" has risen.
How to choose
Pick the route that fits your data, not the one that looks easiest this quarter. As a rough guide: large or sensitive flows and CIIOs point to a security assessment; most standalone mid-size transfers fit the standard contract; and recurring, multi-entity intra-group flows are often best served by certification. The right answer depends on volume, sensitivity, your role, and the shape of your group.
For foreign companies operating in China, the practical move in 2026 is to map where personal data actually leaves the country, match each flow to a route, and complete the notice-consent-assessment groundwork now — before an audit makes the choice for you.
Frequently asked questions
It depends on the volume and sensitivity of the data and whether you are a critical information infrastructure operator. Most mid-size groups use the standard contract; intra-group transfers often suit certification; large or sensitive flows may require a security assessment.
Generally no. Notice, separate consent where required, and a personal-information protection impact assessment are prerequisites that apply before any transfer route — the mechanism sits on top of that groundwork.
A data-transfer certification is typically valid for three years, which makes it attractive for recurring intra-group flows across multiple entities.
This article is general information for foreign companies, not legal advice on any specific matter. Rules and practice change; please take advice on your facts.
