The Three Transfer Mechanisms
PIPL Article 38 establishes three lawful mechanisms for transferring personal information outside of China. They are not freely interchangeable: which mechanism applies depends on the data processor's characteristics, the volume and sensitivity of the data, and whether the processor qualifies as a critical information infrastructure operator. Determining the applicable mechanism is the first step in any cross-border transfer compliance assessment.
The CAC security assessment is mandatory for critical information infrastructure operators, for processors that handle personal information of more than 1 million individuals, and for processors that have cumulatively transferred personal information of more than 100,000 individuals (or sensitive personal information of more than 10,000 individuals) outside China since January 1 of the preceding year. The security assessment is conducted by the provincial-level CAC and involves government review of the transfer's necessity, the legal basis, the recipient's data protection capabilities, the contractual arrangements, and the risk to national security and public interest. The assessment result is valid for two years.
The standard contract mechanism is available to processors that do not trigger the mandatory security assessment thresholds. The processor must conclude a standard contract with the overseas recipient using the template published by the CAC, conduct a personal information protection impact assessment, and file the signed contract and impact assessment report with the provincial CAC within 10 working days of the contract taking effect. The standard contract prescribes specific terms on data protection obligations, data subject rights, remedies, and regulatory cooperation that cannot be modified.
Personal information protection certification is the third option, obtained from a specialized institution recognized by the CAC. This mechanism is primarily used for intra-group transfers within multinational companies. The certification process involves assessment of the company's data protection policies, technical measures, and organizational structures. It is less commonly used than the other two mechanisms, but it may be the most practical option for PE portfolio companies with established China subsidiaries that transfer data to the parent company or to other group entities.
The Security Assessment Process
For PE-backed companies that trigger the mandatory security assessment threshold, the process is more involved than a standard filing. The company must first conduct a self-assessment that evaluates the legality, legitimacy, and necessity of the data transfer; the scale, scope, type, and sensitivity of the personal information being transferred; the recipient's data protection policies, capabilities, and the data protection environment of the recipient country; the contractual arrangements between the parties; and the potential impact on individual rights.
The self-assessment is then submitted to the provincial CAC along with the application materials. The provincial CAC has 15 working days to decide whether to accept the application. If accepted, the assessment takes up to 45 working days, with a possible extension of an additional 45 working days for complex cases. In practice, the total timeline from application preparation to assessment result has ranged from 3 to 6 months.
The CAC can deny the assessment. Denial means the cross-border transfer cannot proceed under any mechanism, because processors that trigger the mandatory security assessment threshold cannot use the standard contract or certification alternatives. Denial effectively means the data must remain in China. For PE-backed companies, this outcome would require complete data localization and a redesign of any infrastructure that depends on cross-border data flows. This is the highest-consequence PIPL risk for companies that exceed the volume thresholds.
Standard Contract Filing Requirements
For companies below the mandatory security assessment thresholds, the standard contract mechanism is the most common path. But "standard" does not mean simple. The CAC published the standard contract template in February 2023, and it contains specific provisions that go beyond what most international data processing agreements cover.
The standard contract requires the overseas data recipient to accept obligations including: processing personal information only for the purposes, methods, and scope specified in the contract; complying with the data protection requirements of the contract even if they exceed what local law requires; notifying the data exporter of any legal obligations in the recipient country that might prevent compliance with the contract; cooperating with Chinese regulatory authorities in investigations; and accepting liability for damages to data subjects caused by breach of the contract terms.
Before filing, the data exporter must complete a personal information protection impact assessment (PIPIA). This assessment must evaluate the legality and necessity of the data processing and cross-border transfer activities, the potential impact on individual rights, the adequacy of protective measures, and the risks and remedies associated with the transfer. The PIPIA must be documented and filed with the standard contract.
The filing itself is submitted to the provincial CAC within 10 working days of the standard contract taking effect. While the CAC does not formally "approve" the filing (it is a notification mechanism, not an authorization), the CAC retains the authority to require modifications or order cessation of the transfer if it determines the transfer does not meet PIPL requirements. In practice, this means the CAC can retrospectively challenge a standard contract filing, creating ongoing regulatory exposure even after filing is complete.
Compliance Gaps in PE-Backed Companies
The compliance gaps we find in PE-backed companies with China operations follow predictable patterns. The most common is complete absence of any transfer mechanism. The company has been transferring data cross-border since launching in the China market, but never assessed whether PIPL's cross-border transfer requirements applied or which mechanism was needed. This is the most expensive gap to remediate because it requires starting from zero: data flow mapping, threshold assessment, mechanism selection, self-assessment or PIPIA, contract negotiation or certification application, and filing or submission.
The second most common gap is incomplete data flow mapping. The company has a standard contract in place for its primary data flow (typically the main product database to a US-hosted cloud instance), but has not mapped the secondary data flows that also constitute cross-border transfers: analytics tools, customer support platforms, email service providers, ad platform integrations, and internal reporting dashboards that query China-origin data from non-China infrastructure. Each of these is a separate cross-border transfer that must be covered by the transfer mechanism.
The third gap is PIPIA deficiency. Companies that have filed standard contracts often have PIPIAs that do not meet the substantive requirements. The assessment is formulaic, does not identify actual risks to data subjects, and does not describe protective measures in sufficient detail. The CAC has signaled through guidance and enforcement actions that pro forma PIPIAs are insufficient. A deficient PIPIA undermines the standard contract filing and creates enforcement exposure.
The fourth gap is consent. PIPL requires separate consent for cross-border transfers. Companies that filed standard contracts and completed PIPIAs but did not obtain separate cross-border transfer consent from data subjects have a compliance gap that the contractual and filing requirements do not cure. The consent requirement exists independently of the transfer mechanism requirement. Both must be satisfied.