PIPL Data Transfer Out of China: Is Your Company Required to Pass the CAC Assessment?

Table of Contents
Who Needs a CAC Assessment for Cross-Border Data Transfers?
If your company transfers personal information out of China, you may be required to undergo a security assessment by the Cyberspace Administration of China (CAC). This is not optional for certain data processors. The assessment is mandatory if you process personal information of more than 1 million people, or if you have transferred personal information of over 100,000 people or sensitive personal information of over 10,000 people since January 1 of the previous year.
Understanding the Thresholds
The CAC assessment applies to critical information infrastructure operators (CIIOs) and other data processors that meet specific volume thresholds. For CIIOs, any cross-border data transfer requires the assessment. For non-CIIOs, the trigger is based on the scale of data processing. Think of it like a tax bracket: once you cross the line, you're in.
Step-by-Step Compliance Checklist
- Determine if you are a CIIO under Chinese regulations.
- Calculate the volume of personal information processed and transferred.
- If thresholds are met, prepare a self-assessment report and apply to the CAC.
- Engage a qualified lawyer to review your data mapping and transfer mechanisms.
For more details, refer to the official CAC Measures for Security Assessment of Cross-Border Data Transfer.
FAQ
What happens if I don't comply with the CAC assessment?
Non-compliance can result in fines up to 50 million RMB or 5% of annual revenue, suspension of business, and even criminal liability for responsible persons.
Does the assessment apply to transfers to Hong Kong?
Yes, Hong Kong is considered a separate jurisdiction for PIPL purposes, so cross-border data transfers to Hong Kong are subject to the same rules.
Can I use standard contractual clauses instead of the CAC assessment?
No, if you meet the thresholds for mandatory assessment, you must undergo the CAC assessment. Standard contractual clauses are only an option for transfers that do not trigger the assessment.

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now

