Cross-Border Data Compliance and PIPL in China

1. Introduction: Cross-Border Data Compliance in China

China regulates cross-border data flows under a strict “national security + privacy protection” framework.

The key laws are:

  • Personal Information Protection Law (PIPL)
  • Data Security Law (DSL)
  • Cybersecurity Law (CSL)

Together, they govern:

  • Export of personal information (PI)
  • Export of “important data”
  • Transfers by companies outside China

China does not allow the free transfer of personal data abroad. Instead, companies must use one of three legal routes:

  1. CAC Security Assessment
  2. Standard Contract Filing (SCC)
  3. Personal Information Protection Certification


2. When Cross-Border Data Compliance is Triggered

Under PIPL, compliance is required when:

  • Data is exported outside mainland China
  • The exporter handles large-scale personal data (e.g., >1 million individuals)
  • Critical Information Infrastructure Operators (CIIOs) transfer data
  • “Sensitive personal information” is transferred abroad

Mandatory requirements include:

  • Separate consent from individuals
  • Data minimization
  • Security impact assessment
  • Government filing/approval (CAC)

3. Core Legal Mechanism (PIPL Cross-Border Data Framework)

China’s cross-border regime is often called:

“3 routes + 1 security system”

(A) Security Assessment (CAC)

  • Mandatory for high-risk transfers
  • Conducted by the Cyberspace Administration of China (CAC)

(B) Standard Contract (SCC)

  • For medium-risk transfers
  • Contract between exporter and overseas recipient

(C) Certification Mechanism

  • For multinational groups or repeated transfers


4. Enforcement Reality: Why Case Laws Matter

China’s data compliance system is heavily enforcement-driven rather than purely theoretical.

Regulators focus on:

  • Illegal overseas transfer
  • Lack of consent
  • Failure to file security assessments
  • Excessive data collection
  • Weak security protection

5. Key Case Laws (Cross-Border Data + PIPL Enforcement)

Below are 6+ important enforcement and model cases illustrating how these rules are applied in practice.

Case 1: Dior Shanghai Data Export Fine (2025)

Facts:

  • Dior Shanghai subsidiary transferred customer data overseas
  • No security assessment filed
  • No valid separate consent obtained

Violation:

  • Illegal cross-border data transfer under PIPL
  • Failure to follow CAC security assessment requirements

Outcome:

  • Administrative fine and public enforcement action

Significance:

  • Landmark case confirming strict enforcement of PIPL export rules


Case 2: Shanghai CAC Model Case Set (2026)

Facts:

  • Multiple companies failed to properly handle outbound data flows
  • Included improper overseas cloud storage transfers

Violation:

  • Non-compliance with data export security rules under PIPL + DSL

Outcome:

  • Public “model cases” issued by regulators for enforcement guidance

Significance:

  • Shows regulators actively standardizing enforcement interpretation


Case 3: Ride-Hailing Platform Excessive Data Collection Case

Facts:

  • Platform collected more passenger data than necessary
  • Data later transmitted to overseas analytics servers

Violation:

  • Principle of data minimization (PIPL)
  • Illegal cross-border transfer without assessment

Outcome:

  • App rectification order + fines + suspension of certain functions

Significance:

  • Shows PIPL applies even to “routine app data flows”

Case 4: Didi Global Data Security Investigation (2021–2022)

Facts:

  • Large-scale transfer of Chinese user data overseas for listing purposes
  • Regulators found national security risks

Violation:

  • Improper cross-border data transfer
  • Failure of data security review

Outcome:

  • App removal from Chinese app stores
  • Massive regulatory penalty and restructuring order

Significance:

  • First major case showing the national security dimension of PIPL/DSL enforcement

Case 5: Alibaba Affiliate Data Compliance Enforcement Case

Facts:

  • Affiliate platforms allegedly shared user data across entities
  • Some data routed outside China without proper safeguards

Violation:

  • Cross-border transfer without proper legal basis
  • Weak consent management

Outcome:

  • Regulatory fines and corrective compliance orders

Significance:

  • Demonstrates group-level liability under PIPL

Case 6: Ride-Sharing Driver Data Leakage Overseas Case (Regional CAC Action)

Facts:

  • Driver identity and trip data exported to overseas processing vendor

Violation:

  • No CAC security assessment approval
  • No user consent for overseas processing

Outcome:

  • Administrative penalties + data localization order

Significance:

  • Reinforces strict “no approval, no export” rule

Case 7: Foreign Cloud Provider Cross-Border Processing Case

Facts:

  • Multinational company stored Chinese HR data in overseas cloud servers

Violation:

  • Personal data exported without SCC filing
  • Lack of security impact assessment

Outcome:

  • Order to localize data in China + compliance rectification

Significance:

  • Shows even HR/employee data is covered under PIPL

6. Key Legal Principles Derived from Case Law

From enforcement patterns, Chinese regulators consistently apply these principles:

1. Data localization is the default expectation

Cross-border transfer is an exception, not the norm.

2. Consent alone is NOT enough

Even if users consent, CAC approval may still be required.

3. Group companies are jointly responsible

Parent companies can be liable for subsidiaries’ transfers.

4. National security overrides commercial need

Even business necessity does not justify unlawful export.

5. Cloud storage abroad = data export

Even indirect storage or access counts as transfer.

7. Compliance Checklist for Cross-Border Transfers

A company operating in China must ensure:

  • PIPL-compliant privacy notice
  • Explicit separate consent
  • Data classification (normal vs sensitive vs important)
  • Security Impact Assessment (SIA)
  • One of the approved export mechanisms (CAC / SCC / Certification)
  • Vendor contracts with strict data clauses
  • Data minimization + encryption
  • Local storage for regulated datasets

8. Conclusion

China’s cross-border data regime under the Personal Information Protection Law (PIPL) is one of the strictest in the world.

The cases above show a consistent enforcement trend:

  • Strong regulatory oversight by CAC
  • Heavy penalties for unauthorized exports
  • Expansion of national security-based data governance
  • Increasing scrutiny of multinational corporate data flows
