China CAC Issues Guidance on CBDT Security Management

On January 30, 2026, the Cybersecurity Administration of China (“CAC”) released a Q&A document (the “Guidance”) on policies and regulations for the security management of cross-border data transfers (“CBDT”). 

The Guidance outlines the interconnection between the various requirements for CBDT, including a security assessment, conclusion of a Standard Contract issued by CAC and a personal information protection certification.

  • Data handlers (that are not operators of critical information infrastructure) may enter into Standard Contracts or, alternatively, obtain certification for CBDT if they transfer more than 100,000 but less than 1,000,000 records of personal information (excluding sensitive personal information) outside of China per year, or more than 10,000 but less than 100,000 records of sensitive personal information. If a data handler instead submits the CBDT for a security assessment, it must conduct CBDT activities in accordance with the results of that assessment.
  • If a data handler has entered into a Standard Contract or obtained certification for CBDT, but has cumulatively transferred more than one million pieces of personal information (excluding sensitive personal information) or more than 10,000 pieces of sensitive personal information since January 1 of the relevant year, it must submit an application for a security assessment, and all personal information transferred via Standard Contracts or certification since January 1 of that year shall be included in the scope of that assessment. In such cases, the data handler must, as above, conduct CBDT activities in accordance with the outcome of the security assessment.

The Guidance also states that domestic data handlers that have concluded and filed the Standard Contract for CBDT in the Guangdong-Hong Kong-Macao Greater Bay Area (“Greater Bay Area”) shall not unlawfully transfer personal information outside the Greater Bay Area. If it is necessary to transfer the personal information outside of the Greater Bay Area, the data handler must satisfy the compliance obligations of submitting the transfer for a security assessment, or entering into a Standard Contract or obtaining certification for CBDT, depending on the circumstances.
