Cross-border Data Transfer in China

last updated on 10 May 2023
by Felix Engelhardt

At the latest when the Chinese Data Security Law ("DSL") and the Personal Infor­ma­tion Protection Law ("PIPL") came into force in September and November 2021, respec­tively, the handling of data of all kinds has become one of the most important compli­ance issues for companies operating in China. Most global companies are already quite familiar with the relevant issues due to their obligations under the EU’s General Data Protection Regulation ("EU-GDPR") and national laws in Europe. 


However, companies have quickly discovered that there are sometimes considerable differences between the requirements of EU laws and the Chinese law. This is evident, among other things, in the area of cross-border data transfer. The permissible grounds available under the EU GDPR for exporting personal data (in particular adequacy decision, binding corporate rules or standard data protection clauses in contracts) do not apply to international data transfers from China. Instead, the PIPL provides for its own, much shorter catalogue of per­missible grounds for outbound data transfer. This includes an official security review, officially recognized certifications, standard contractual clauses and other reasons according to Chinese laws and regulations. Furthermore, unlike under EU data protection law, companies transferring data out of China have to direct their focus not only on personal information but must include data of any kind in their risk assessment, regardless of whether this data is related to an identified or identifiable person or not. With the EU Data Governance Act coming into force on 24 September 2023, companies will face additional challenges, especially with regard to the international transfer of non-personal data.
In most cases, data mapping and risk analyses can help to identify cross-border data flows, spot existing vul­ne­ra­bilities at an early stage and take appropriate measures to remedy them quickly. Unfortunately, Chinese lawmakers had so far left companies largely in the dark about what exactly needs to be done to transfer data between China and abroad in a legally compliant manner. Hope for a little more legal clarity has been created by various recent developments, which we would like to briefly present in a four-part series of articles:

 From the Newsletter


Contact Person Picture

Sebastian Wiendieck


+86 21 6163 5329

Send inquiry

 How we can help

 Read more

Deutschland Weltweit Search Menu