On February 24, 2023, the Cyberspace Administration of China released the Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information (in Chinese “《个人信息出境标准合同办法》”, the “Measures”), which will take effect on June 1, 2023. For enterprises to have a quick understanding of the content of the Measures, we prepare a brief analysis on the Measures below:

1. Application scope

According to the Measures, a personal information processor under the Personal Information Protection Law (“PIPL”) may provide personal information to an overseas recipient under a standard contract (“Standard Contract”) executed only when it does not meet any of the following criteria: 


According to the Measures for the Security Assessment of Outbound Data Transfers (in Chinese “《数据出境安全评估办法》”) that is effective on September 1, 2022, once a personal information processor reaches any of the criteria above, it shall apply for security assessment for the provision of the personal information to an overseas recipient. Given the correlation between the scenarios of applying for security assessment and entering Standard Contract, the Measures explicitly specify that, a personal information processor must not split up the amount of the personal information to be transferred overseas or adopt other means to provide to any overseas recipient under a Standard Contract such personal information whose outbound cross-border transfer should be subject to a security assessment according to law.

2. Main obligations: independent contracting combined with compliance with the record-filing requirement

For personal information processors who are to provide personal information through Standard Contract, the Measures require them to strictly follow the content of the Standard Contract as annexed in the Measures. Where the personal information processor agrees on other terms with the overseas recipient, such terms must not conflict with the terms of the Standard Contract.

Only after the Standard Contract for the transfer takes effect, may the personal information processor transfer personal information. Within 10 working days from the effective date of the Standard Contract executed, the personal information processor shall file a record with the provincial cyberspace authority where it is domiciled by submitting the following materials:

(1) the Standard Contract; and

(2) a personal information protection impact assessment ("PIPIA") report.

In addition, if any of the following circumstances occurs during the validity term of the Standard Contract, the personal information processor shall conduct a PIPIA again, and supplement the existing Standard Contract or execute a new Standard Contract, as well as file a record again:

图片23. Penalties

The Measures provide that, where a cyberspace authority at or above the provincial level finds any considerable risk or any personal information security incident in relation to an activity of outbound cross-border transfer of personal information, it may conduct a regulatory talk with the personal information processor concerned according to law. The personal information processor shall rectify and eliminate the risk as required.

The Measures further provide that, anyone who violated the Measures shall be dealt with in accordance with the PIPL and other laws and regulations; and there shall be investigation for criminal liability according to law if the violation constitutes a criminal offense.

According to the PIPL, anyone processing personal information in violation of the PIPL or failing to perform any obligation of personal information protection specified the PIPL in the processing of personal information, such as transferring personal information to overseas recipient without passing the security assessment, certification and signing Standard Contract as required by Article 38(1) of the PIPL, will be:

  • ordered to make a correction, given a warning, and confiscated of any illegal gain, and any application program that illegally processes personal information will be ordered to suspend or terminate its services; and

  • if the required correction is not made, a fine of up to CNY1 million will be imposed on the violator; and any person in charge or any other individual directly liable for the violation will be fined between CNY10,000 and CNY100,000.

  • If the illegal activity specified is of a grave nature, the violator will be ordered to make a correction, confiscated of any illegal again, and fined up to CNY50 million, or 5% of last year's annual revenue; and may also be ordered to suspend any related activity or to suspend business for rectification, and/or be reported to the relevant authority for the revocation of the related business permit or the business license; and any person in charge or any other individual directly liable for the violation will be fined between CNY100,000 and CNY1 million and may also be banned for a certain period of time from serving as a director, supervisor, senior officer or personal information protection officer of a relevant enterprise.

4. Grace period

The Measures provide that any activity of outbound cross-border transfer of personal information initiated before the entry into force of the Measures, i.e., June 1, 2023, that does not comply with the Measures shall be rectified within 6 months from the date of entry into force of the Measures, i.e., December 1, 2023. 

5. Suggestions

For enterprises transfer personal information collected or generated within China to overseas recipient, it is suggested that an internal assessment should conduct as soon as possible to identify whether they fall into any of the scenarios where a security assessment should be applied.

  • If they fall into any of the scenarios, it is suggested that they should apply to the national cyberspace administration authority for the security assessment via the local provincial-level cyberspace administration authority as soon as possible.

  • If they do not fall into any of the scenarios, they may provide personal information through entering into Standard Contract and record-filing, it is suggested that they should notify the overseas recipient of the requirements of the Measures and consider executing the Standard Contract and carrying out record-filing before December 1, 2023.

Annie Xue

Practice Areas:Cybersecurity and Data Protection, Antitrust and Anti-unfair Competition, Anti-commercial Bribery, China Social Credit System, Multilateral Development Bank Compliance, Government Affairs

T:010-6521 5999


Dr. XUE is a partner supervising the data and antitrust practice of GEN Law Firm. She specializes in regulatory affairs in cybersecurity and data protection, antitrust and anti-unfair competition, anti-commercial bribery, and Chinese social credit system. Dr. XUE has extensive experience in the said areas and profound understanding of the complicated issues standing at the intersection of those topics. 

Dr. XUE studied competition law at the School of Law of the University of Illinois and obtained J.S.D. there. Dr. XUE serves as an expert member on the Expert Panel of China Information Industry Association Medical and Health Industry Branch, Compliance Committee of China Chamber of Commerce of Metals, Minerals & Chemicals Importers & Exporters, Fair Competition Review Expert of Shenzhen Administration for Market Regulation, Expert of Hubei Provincial Administration for Market Regulation, and Expert of Liaoning Provincial Administration for Market Regulation. Dr. XUE also participated in many research topics led by law enforcement authorities and academia as a postdoctoral fellow at the Institute of Law of the Chinese Academy of Social Sciences, and actively contributed to the formulation of competition and data regulatory policies. Dr. XUE authored many articles and reviews related to legal compliance and served as an editor of The China Competition Bulletin hosted by Australia and New Zealand Government College. Dr. XUE participated in preparing the first Chinese translation of General Data Protection Regulation(GDPR), which was officially published in 2018.


Practice Areas:Cybersecurity and Data Protection, Personal information protection, Compliance supervision consulting

T:010-6521 5999


CHEN Yang focuses on cyber security and data protection, personal information protection and compliance supervision consulting, and has participated in many difficult and complex cases. Yang has the Chinese lawyer qualification and is a Certified Information Privacy Professional (Europe) and Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP), having rich experience in the field of data protection.