
Overview & Analysis

The Measures on the Standard Contract for the Export of Personal Information establish the lightest and most accessible of China's three cross-border personal information transfer pathways. Qualifying processors may transfer personal information overseas by entering into a standardized contract template with the overseas recipient and then filing with the provincial-level cyberspace administration (CAC). The Measures apply to processors that are not critical information infrastructure (CII) operators, that process fewer than one million individuals' personal information, and that have cumulatively transferred fewer than 100,000 individuals' personal information (or fewer than 10,000 individuals' sensitive personal information) overseas since January 1 of the previous year. Before providing personal information overseas, processors must conduct a personal information protection impact assessment (PIPIA) and may only commence transfers after the standard contract takes effect. Transfers must be filed with the provincial CAC within 10 working days of the contract's effective date.

This policy is highly significant for AI development, particularly in the context of increasing cross-border data flows and global data sharing. AI projects typically rely on large-scale data exchange for model training and inference, and the standard contract provides a legal basis for cross-border data transfers while ensuring compliance with China's personal information protection laws. By using standard contracts, companies can streamline data compliance processes while ensuring the secure and lawful transfer of personal information. The standard contract template is set out in an annex to the Measures and must be used strictly as published — processors may add supplementary terms with the overseas recipient, but those additional terms must not conflict with the standard contract. Processors cannot circumvent the higher-tier security assessment requirement by splitting data volumes to fall within the standard contract threshold.

Three Cross-Border PI Transfer Pathways — Where Standard Contract Fits

These Measures govern the standard contract pathway — the lightest compliance tier, available only to lower-volume non-CII processors. All three pathways together form China's cross-border personal information transfer framework:

| Pathway | When Required / Available | Key Trigger Thresholds (cumulative since prior Jan 1) |
|---|---|---|
| Security Assessment | Mandatory: CII operators; high-volume PI; any important data | Any important data; or CII operators; or ≥1M PI processors; or ≥100K PI / ≥10K sensitive PI |
| Certification | Non-CII; mid-range volumes; no important data | >100K but <1M individuals' PI (non-sensitive); or <10K sensitive PI |
| Standard Contract (this document) | Non-CII; lower volumes; no important data | <1M PI processed total; <100K PI provided overseas; <10K sensitive PI provided overseas |

Standard Contract Process — Four Steps

Step 1: PIPIA. Conduct personal information protection impact assessment before providing PI overseas.
Step 2: Sign Contract. Enter into standard contract strictly per annex template with overseas recipient.
Step 3 (after contract takes effect): Begin Transfer. Outbound activities may only commence after the standard contract takes effect.
Step 4 (within 10 working days): File with CAC. File standard contract + PIPIA report with provincial-level CAC within 10 working days.

Relevant AI Scenarios

In the AI context, this policy is relevant primarily for cross-border data flows, particularly when AI projects need to rely on overseas data sources, training data, or engage in cross-border data processing at volumes that fall within the standard contract thresholds.

1. Sharing AI Training Data Across Borders

AI projects often rely on large datasets for training, which may come from different global markets. Under this policy, when AI training data involves personal information at volumes below the thresholds, companies can transfer data using standard contracts instead of applying for a security assessment. Companies must ensure data legality, purpose clarity, and data security during processing — and must complete the PIPIA before any transfer begins.

2. Using International Cloud Services and Computing Platforms

Multinational companies in China may need to use foreign cloud services or computing platforms, which typically involve cross-border data transfers. For volumes within the standard contract threshold, companies must enter into standard contracts with overseas cloud providers to ensure the data transfer complies with Chinese legal requirements. This pathway reduces concerns over cross-border data flows and provides a clear, lightweight compliance path compared to the security assessment route.

3. Cross-Border Customer Data Management with AI

AI is commonly used in customer service, marketing, and product recommendation — often involving personal data. By using standard contracts, cross-border data transfers can meet compliance requirements, ensuring that customer data flows worldwide in accordance with China's personal information protection laws. For data sharing and cross-border collaboration involving personal information at the lower threshold, the standard contract route is the most operationally practical.

4. Cross-Border HR and Talent Management AI Applications

Many AI applications rely on cross-border human resources data for recruitment, employee analysis, and performance evaluation. When AI is used to process personal data in cross-border HR activities at volumes below the thresholds, standard contracts provide a convenient compliance route. Especially when data volumes are smaller and do not involve sensitive information at the threshold level, companies can complete compliance through contract signing and filing without undergoing complex assessment procedures.

5. Cross-Border AI R&D Collaborations and Joint Development

In cross-border collaborations and joint R&D projects using AI technology, sharing data and technology may be necessary. Where personal information volumes are within the standard contract thresholds, the standard contract pathway manages cross-border data transfers compliantly while avoiding the longer security assessment timeline. This fosters global technological cooperation and data sharing for multinational companies at the appropriate compliance tier for their data volumes.


Practical Advice for Managers at Multinational Companies

These Measures provide multinational companies with a more flexible compliance pathway, especially for cross-border personal information transfers at lower volumes. Managers should treat this policy as a critical part of the AI project compliance framework, incorporating it into project intake and architecture design from the outset.

01. Introduce Standard Contract Compliance Early in Project Design

Compliance with cross-border data flow regulations should be addressed in the AI project design phase, especially when projects require offshore data or cloud services. Require teams to classify data early and assess which transfers can use the standard contract, which require certification, and which require security assessment. Planning this early reduces compliance risks at launch — and avoids the mistake of drafting contracts too late to complete PIPIA before transfers begin.

02. Conduct the PIPIA Thoroughly: It Is a Required Filing Document

The personal information protection impact assessment must be completed before any transfer begins, and the PIPIA report is a required filing submission alongside the standard contract. It must cover legality and necessity of the transfer, data sensitivity and volume risks, the overseas recipient's security obligations and capabilities, post-transfer risks, and the impact of the overseas jurisdiction's PI framework. A superficial PIPIA creates liability and undermines the integrity of the filing.

03. Use the Annex Template Strictly: Supplementary Terms Must Not Conflict

The standard contract must be concluded strictly in accordance with the annex to the Measures — companies cannot use their own contract template. Additional terms agreed between the processor and overseas recipient are permissible but must not conflict with the standard contract. Draft any supplementary commercial terms with legal review to confirm they do not override the mandatory data protection obligations in the template. The CAC can update the annex, so use the current published version.

04. Track Cumulative Volumes Across All Projects to Monitor Threshold Shifts

The thresholds in Article 4 (fewer than 100,000 individuals' PI or fewer than 10,000 individuals' sensitive PI since January 1 of the previous year) are cumulative across all outbound transfers by the same processor, not per-project. A company with multiple AI initiatives transferring personal data overseas must track aggregate volumes. If cumulative volumes approach the threshold mid-year, the company needs to reassess which pathway applies and plan the transition to the next tier (certification) in advance.

05. Monitor Trigger Events Requiring Re-Assessment and Re-Filing

Article 8 requires re-conducting the PIPIA, supplementing or re-entering into the standard contract, and re-filing whenever: (1) the purpose, scope, type, sensitivity, method, or storage location of the outbound personal information changes, the overseas recipient's processing purpose or method changes, or the overseas storage period is extended; (2) the PI protection laws of the overseas recipient's jurisdiction change in ways that could affect PI rights; or (3) other circumstances arise that may affect PI rights. Build a compliance calendar to track these triggers actively, rather than waiting for a compliance issue to surface.

By introducing standard contract mechanisms early, conducting rigorous personal information protection impact assessments, using the mandatory template correctly, tracking cumulative volumes carefully, and monitoring re-assessment triggers, multinational companies can maintain compliant, fast, and efficient cross-border personal information flows for their China AI projects — while preserving the flexibility to scale up to higher-tier pathways as data volumes grow.


Complete Regulatory Text

Promulgated February 22, 2023 · Effective June 1, 2023 · Order No. 13  ·  Source: Cyberspace Administration of China
Note: The standard contract template (Annex) is published separately by the CAC and must be used in its current form. Additional terms may be agreed between the parties but must not conflict with the template.

Articles 1–3  —  Purpose, Scope & Governing Principles
Article 1 — Purpose and Legal Basis
In order to protect personal information rights and interests and regulate outbound personal information activities, these Measures are formulated in accordance with the Personal Information Protection Law of the People's Republic of China and other relevant laws and regulations.
Article 2 — Scope of Application
These Measures shall apply where personal information processors provide personal information outside the territory of the People's Republic of China by entering into a standard contract for the export of personal information (hereinafter referred to as the "standard contract") with an overseas recipient.
Article 3 — Governing Principles
Where outbound personal information activities are conducted through the conclusion of a standard contract, the principles of combining independent contracting with filing-based administration and combining rights protection with risk prevention shall be followed, so as to ensure the secure and free flow of cross-border personal information.
Articles 4–5  —  Eligibility Conditions & Pre-Transfer PIPIA Obligations
Article 4 — Eligibility Conditions for the Standard Contract Pathway
Where a personal information processor provides personal information overseas by entering into a standard contract, it shall simultaneously meet the following conditions:

(1) It is not a critical information infrastructure operator;
(2) It processes personal information of fewer than one million individuals;
(3) Since January 1 of the previous year, it has cumulatively provided personal information of fewer than 100,000 individuals overseas;
(4) Since January 1 of the previous year, it has cumulatively provided sensitive personal information of fewer than 10,000 individuals overseas.

Where laws, administrative regulations, or provisions of the national cyberspace administration provide otherwise, such provisions shall prevail.

Personal information processors shall not adopt methods such as splitting quantities to provide personal information overseas through standard contracts where they are legally required to undergo a security assessment for outbound data transfers.
Article 5 — Personal Information Protection Impact Assessment (PIPIA)
Before providing personal information overseas, a personal information processor shall conduct a personal information protection impact assessment, focusing on the following matters:

(1) The legality, legitimacy, and necessity of the purpose, scope, and method of processing personal information by the personal information processor and the overseas recipient;

(2) The scale, scope, type, and sensitivity of the personal information to be transferred overseas, and the risks such transfer may pose to personal information rights and interests;

(3) Whether the obligations undertaken by the overseas recipient, as well as its management and technical measures and capabilities, can ensure the security of the personal information transferred overseas;

(4) The risks of tampering, destruction, leakage, loss, or illegal use of personal information after it is transferred overseas, and whether channels for safeguarding personal information rights are smooth;

(5) The impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of the standard contract;

(6) Other matters that may affect the security of outbound personal information.
Articles 6–7  —  Contract Requirements, Effective Date & Filing Obligations
Article 6 — Contract Requirements and Effective Date
The standard contract shall be concluded strictly in accordance with the annex to these Measures. The national cyberspace administration may adjust the annex based on actual circumstances.

Personal information processors may agree on additional terms with overseas recipients, provided that such terms do not conflict with the standard contract.

Outbound personal information activities may only be carried out after the standard contract takes effect.
Article 7 — Filing Obligations (Within 10 Working Days)
A personal information processor shall, within 10 working days from the effective date of the standard contract, file the contract with the provincial-level cyberspace administration where it is located. The filing shall include the following materials:

(1) The standard contract;
(2) The personal information protection impact assessment report.

The personal information processor shall be responsible for the authenticity of the filed materials.
Articles 8–13  —  Re-Assessment, Confidentiality, Supervision, Liability & Effective Date
Article 8 — Circumstances Requiring Re-Assessment and Re-Filing
Where any of the following circumstances occur during the validity period of the standard contract, the personal information processor shall re-conduct a personal information protection impact assessment, supplement or re-enter into the standard contract, and complete the corresponding filing procedures:

(1) Changes in the purpose, scope, type, sensitivity, method, storage location of outbound personal information, or changes in the purpose or method of processing by the overseas recipient, or extension of the overseas storage period of personal information;

(2) Changes in the personal information protection policies and regulations of the country or region where the overseas recipient is located that may affect personal information rights and interests;

(3) Other circumstances that may affect personal information rights and interests.
Article 9 — Confidentiality Obligations of Regulators
Cyberspace administrations and their staff shall keep confidential any personal privacy, personal information, trade secrets, or confidential business information obtained during the performance of their duties, and shall not disclose or illegally provide or use such information.
Article 10 — Public Complaints and Reports
Any organization or individual discovering that a personal information processor has violated these Measures by providing personal information overseas may report to cyberspace administrations at or above the provincial level.
Article 11 — Supervisory Interviews
Where a cyberspace administration at or above the provincial level discovers that outbound personal information activities involve significant risks or a personal information security incident has occurred, it may, in accordance with the law, summon the personal information processor for an interview. The personal information processor shall rectify the issues as required and eliminate risks.
Article 12 — Legal Liability
Violations of these Measures shall be handled in accordance with the Personal Information Protection Law of the People's Republic of China and other relevant laws and regulations; where a crime is constituted, criminal liability shall be pursued in accordance with the law.
Article 13 — Effective Date and Transitional Arrangements
These Measures shall come into effect on June 1, 2023. Outbound personal information activities conducted prior to the implementation of these Measures that do not comply with them shall be rectified within six months from the date of implementation.

