Back to Blog
LegalTech & IA

PIPL Data Transfer Out of China: Is Your Company Required to Pass the CAC Assessment?

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
June 24, 2026
10 min read
PIPL Data Transfer Out of China: Is Your Company Required to Pass the CAC Assessment?

Who Needs a CAC Assessment for Cross-Border Data Transfers?

If your company transfers personal information out of China, you may be required to undergo a security assessment by the Cyberspace Administration of China (CAC). This is not optional for certain data processors. The assessment is mandatory if you process personal information of more than 1 million people, or if you have transferred personal information of over 100,000 people or sensitive personal information of over 10,000 people since January 1 of the previous year.

Understanding the Thresholds

The CAC assessment applies to critical information infrastructure operators (CIIOs) and other data processors that meet specific volume thresholds. For CIIOs, any cross-border data transfer requires the assessment. For non-CIIOs, the trigger is based on the scale of data processing. Think of it like a tax bracket: once you cross the line, you're in.

Step-by-Step Compliance Checklist

  • Determine if you are a CIIO under Chinese regulations.
  • Calculate the volume of personal information processed and transferred.
  • If thresholds are met, prepare a self-assessment report and apply to the CAC.
  • Engage a qualified lawyer to review your data mapping and transfer mechanisms.

For more details, refer to the official CAC Measures for Security Assessment of Cross-Border Data Transfer.

FAQ

What happens if I don't comply with the CAC assessment?

Non-compliance can result in fines up to 50 million RMB or 5% of annual revenue, suspension of business, and even criminal liability for responsible persons.

Does the assessment apply to transfers to Hong Kong?

Yes, Hong Kong is considered a separate jurisdiction for PIPL purposes, so cross-border data transfers to Hong Kong are subject to the same rules.

Can I use standard contractual clauses instead of the CAC assessment?

No, if you meet the thresholds for mandatory assessment, you must undergo the CAC assessment. Standard contractual clauses are only an option for transfers that do not trigger the assessment.

📋 CAC Assessment Readiness Checklist

  • Identify if you are a CIIO
  • Calculate total personal info processed (threshold: >1M individuals)
  • Calculate cross-border transfer volume (threshold: >100K individuals or >10K sensitive)
  • Prepare data mapping and transfer records
  • Conduct self-assessment report
  • Submit application to CAC

📊 Thresholds at a Glance

1M+ individuals processed
100K+ individuals transferred
10K+ sensitive info transferred
NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.