New PRC guideline on cross-border transfer of personal information


Since the introduction of the PRC Personal Information Protection Law (“PIPL”) in November 2021, there have been uncertainties regarding how multinational organisations are able to transfer PRC personal information offshore.

Currently, Article 38 of the PIPL sets out the requirements for cross-border transfer of personal information outside the PRC, including:

(1) passing a regulator-led security assessment. This is typically reserved for “critical information infrastructure operators” or organisations seeking to export personal information over a prescribed threshold;

(2) obtaining security accreditation from a regulator-accredited professional institution;

(3) having in place standard contractual clauses (which have yet to be published) with the offshore recipient; or

(4) other circumstances permitted by PRC laws or regulations.

However, the law has been uncertain about whether these offshore transfer restrictions equally apply to organisations that have both data collection points and back-end processing capabilities located outside the PRC.

Recently, the PRC regulators released new draft guidelines: the Consultation Draft of the Technical Specification for Accreditation of Cross-border Personal Information Processing Activities (the “Draft Accreditation Specification”).

Although the focus of the Draft Accreditation Specification is to provide guidance on the requirements that data controllers must meet in order to obtain accreditation from a regulator-accredited professional institution (see (2) above), it also provides some interesting insights into the regulators’ latest thinking:

  • Firstly (and most importantly), the Draft Accreditation Specification clarifies that the cross-border transfer requirements under Article 38 of the PIPL may equally apply to transfers that wholly take place offshore (i.e. both the transferor and transferee are located outside the PRC).

    Specifically, the following two scenarios will be caught by the offshore transfer restrictions under the PIPL:

    (A) intra-group data transfers which involve a PRC entity; or

    (B) personal information transfers between an offshore transferor and an offshore transferee, as long as the data concerned is used to analyse and assess the behaviour of PRC individuals.

    While this provides some clarity, some questions have yet to be clarified by the PRC regulators.
  • Secondly, the PRC-based entity of a multinational organisation (in the case of an intra-group transfer) and the PRC-based designated representative of an offshore data controller may apply for the accreditation from the regulator-accredited professional institution to legitimise the offshore transfer.

Other obligations relating to cross-border data transfers (e.g. having in place a data transfer agreement, carrying out a self-assessed privacy impact assessment) continue to apply.

Multinational organisations should review their data flows and assess whether they are required to comply with requirements for cross-border personal information transfer under Article 38 of the PIPL.

To read the Draft Accreditation Specification, please see here (in Chinese language only).
