Focused Analysis on Data Transfer from EU to China under GDPR – Part II
(1) China’s Legal Framework: Support or Conflict with GDPR Mechanisms.
A. Overview of China’s Data Protection Laws
China’s data protection framework is complex and evolving, built on three pillars: the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL). Generally speaking, China’s framework integrates national security, unlike GDPR’s singular focus on personal data. The vague definition of “important data” and broad Critical Information Infrastructure Operator (CIIO) scope can trigger mandatory CAC security assessments, increasing complexity.[1]
B. China’s Permissible Cross-Border Transfer Mechanisms under PIPL
Under China’s Personal Information Protection Law (PIPL), there are three primary mechanisms for legitimizing cross-border data transfers.
First, a CAC Security Assessment is mandatory for critical information infrastructure operators (CIIOs), as well as for non-CIIOs that transfer personal information of more than one million individuals or sensitive personal data of over 10,000 individuals annually. The assessment, once approved, is valid for three years.[2]
Second, China Standard Contractual Clauses (SCCs) may be used by non-CIIOs below specific thresholds—fewer than 100,000 individuals’ personal information or 10,000 sensitive records cumulatively since January 1 of the previous year. Filing with the CAC and a Personal Information Protection Impact Assessment (PIPIA) are required.[3]
Third, the Personal Information Protection Certification mechanism is primarily applicable to intra-group transfers. Certification is conducted by specialized Chinese institutions rather than regulators and requires adherence to national standards, a legally binding agreement, and completion of a PIPIA.[4]
In addition to these mechanisms, exemptions introduced in March 2024 apply to certain transfers (primarily outbound data).[5] Transfers conducted for purposes such as human resources management, the conclusion or performance of contracts with individuals, or in response to emergencies are exempt. So are transfers involving non-personal or non-important data, or those that merely transit through China without involving domestic personal information or important data. Importantly, the designation of “important data” is not proactive and only applies when explicitly notified by the authorities.
C. Compatibility and Conflicts with GDPR Mechanisms
a. Adequacy Decisions
GDPR permits transfers to “adequate” countries, a status China lacks. PIPL, conversely, does not recognize inbound transfers based on the exporting country’s adequacy. China imposes its own mandatory mechanisms for outbound transfers, driven by national security and data sovereignty. This asymmetry means EU companies must comply with two distinct sets of rules.
b. Standard Contractual Clauses (SCCs)
Both EU and China use SCCs, but they differ significantly.
Table 1: Differences between EU SCCs and China SCCs

| Feature | EU SCCs | China SCCs |
|---|---|---|
| Legal Basis | GDPR Art. 46(2)(c) | PIPL |
| Applicability/Scope | Broadly applicable to C2C, C2P, P2P, P2C transfers | Personal data export by controllers (non-CIIO, volume thresholds) |
| Modularity | Four distinct modules | One universal template, no distinction between controller/processor roles |
| Government Filing/Approval | No prior authorization/filing generally required | Mandatory filing with CAC |
| Required Assessments | Mandatory Transfer Impact Assessment (TIA)/risk assessment (post-Schrems II) | Mandatory Personal Information Protection Impact Assessment (PIPIA) |
| Supervisory Authority/Enforcement | DPA of exporter’s establishment/data subject’s residence | CAC (filing, oversight), local authorities |
Relying solely on EU SCCs for transfers to China is insufficient. Chinese laws (CSL, DSL, PIPL) grant broad governmental access, conflicting with Schrems II requirements.[6] Mandatory data localization for CIIOs can also impede transfers. EU companies must satisfy both GDPR (EU SCCs + TIA + supplementary measures) and PIPL (China SCCs + PIPIA + CAC filing, or CAC Security Assessment, or Certification). PIPL also requires separate, explicit consent for cross-border transfers.
c. Binding Corporate Rules (BCRs)
China’s PIPL does not explicitly recognize GDPR-approved BCRs as a standalone mechanism for inbound data transfers. While China has a “Certification” mechanism for intra-group transfers, it is reviewed by specialized institutions.[7] An EU-approved BCR does not automatically satisfy Chinese requirements; EU companies would likely need to pursue China’s Certification in parallel.
d. Data Localization Requirements
China’s CSL mandates that personal information and “important data” from CIIOs must be stored within Mainland China. PIPL also requires localization for certain data volumes. These requirements directly conflict with GDPR’s principle of free data flow, creating barriers for international business.[8]
e. Government Access and National Security Concerns
China’s CSL, DSL, and PIPL grant broad governmental access to data for national security or public interest. PIPL requires prior approval from Chinese authorities before providing data to foreign judicial/law enforcement agencies. This conflicts with GDPR’s emphasis on data subject rights and Schrems II’s demand for supplementary measures to counteract such access. Contractual clauses cannot bind a sovereign government, making it difficult for EU exporters to demonstrate “essentially equivalent” protection.
(2) Potential Practical Challenges and Compliance Recommendations for EU Companies Transferring Data to Chinese Partners
A. Navigating Dual Compliance Obligations
EU companies must comply with both the GDPR and China’s PIPL, CSL, and DSL, all of which have extraterritorial reach. PIPL imposes stricter requirements in key areas, such as “separate” and “explicit” consent for cross-border transfers and the absence of “legitimate interests” as a legal basis, making GDPR compliance insufficient on its own.[9] EU companies should therefore conduct a detailed analysis of each processing and transfer activity to identify PIPL-specific requirements, and allocate specialized legal resources familiar with both regimes.
B. Data Mapping and Classification
Mapping all EU–China data flows is essential, including categories, volumes, and sensitivity. Data may be classified as “important” under Chinese law, triggering mandatory Cyberspace Administration of China (CAC) security assessments, even if it is not personal data. Definitions remain vague, increasing compliance risk.[10] EU companies should therefore expand classification efforts beyond GDPR standards to account for China’s “important data” categories, and may leverage industry-specific Chinese guidance where available.
C. Conducting Comprehensive Impact Assessments
Transfers require both a GDPR Transfer Impact Assessment (TIA) and a PIPL Personal Information Protection Impact Assessment (PIPIA). Conducting a TIA for China is especially difficult due to broad national security laws and limited judicial oversight, making it hard to ensure GDPR-level protection. EU companies should therefore integrate the TIA and PIPIA into a single, streamlined process and emphasize data minimization, anonymization, and strong technical safeguards to reduce risk.
D. Implementing Supplementary Measures
Where the TIA identifies gaps in protection, technical, contractual, and organizational supplementary measures are needed. However, enforcement risks remain high given China’s laws mandating decryption and limited remedies against state access. EU companies should therefore use end-to-end encryption (with keys held only in the EU) and pseudonymization, and reinforce contractual protections in the SCCs. They should adopt strict access controls, staff training, and internal protocols for handling government data requests, and avoid transferring highly sensitive EU data to China where feasible.[11]
E. Managing Consent and Data Subject Rights
PIPL requires explicit, separate consent for cross-border transfers. Consent is revocable, which can disrupt ongoing data use. Both laws grant broad data subject rights, with additional PIPL provisions (e.g., rights of deceased individuals’ next of kin). EU companies should design granular, transparent consent mechanisms and establish unified processes for handling data subject requests under both legal frameworks.
F. Strategic Considerations
Due to high compliance burdens, EU companies should reframe data protection as a strategic business issue. First, they should minimize transfers by limiting data collection and cross-border flows to what is strictly necessary. Second, they should anonymize data where feasible. Third, for high-volume, sensitive, or CIIO-related data, companies should consider localization—storing and processing such data within China, despite the added operational complexity.[12]
[1] How China’s data rules will impact its trade competitiveness, World Economic Forum, https://www.weforum.org/stories/2022/11/china-data-export-regulations-threaten-trade-competitiveness/, accessed 4 August 2025.
[2] PIPL, Article 38; Data Export Security Assessment Measures, Articles 4–5; CSL, Article 37.
[3] PIPL, Article 38; Measures on Standard Contract for Cross-border Transfer of Personal Information, 2023, Articles 4–6.
[4] PIPL, Article 38; Specifications for Security Certification of Cross-Border Personal Information Processing Activities (TC260, issued 2022) – voluntary standard.
[5] Provisions on Promoting and Regulating Cross-border Data Flows, issued by CAC, effective March 22, 2024. This regulation primarily applies to data transfers from China (outbound data), and does not include data entering China (inbound data).
[6] Cross-Border Data Transfer Mechanism in China and Its Compliance, California Lawyers Association, https://calawyers.org/business-law/cross-border-data-transfer-mechanism-in-china-and-its-compliance/, accessed 2 August 2025.
[7] Personal Information Protection Law (PIPL), Article 38(3); Measures for Security Assessment of Cross-Border Data Transfers, CAC, 2022; Specifications for Security Certification of Cross-Border Personal Information Processing Activities, TC260, 2022; What You Need to Know About China ‘Binding Corporate Rules’ Under the New Certification Specifications, K&L Gates, https://www.klgates.com/What-You-Need-to-Know-About-China-Binding-Corporate-Rules-Under-the-New-Certification-Specifications-7-22-2022, accessed 4 August 2025.
[8] See id. at [16].
[9] See id. at [7].
[10] See id. at [16].
[11] See id. at [7].
[12] See id. at [20].