Companies domiciled outside China that directly collect and process the personal information of individuals residing in China in a cross-border manner are subject to the extraterritorial application of the PIPL.

Rules concerning the Standard Contract for Cross-Border Transfers of Personal Information, the Cyberspace Administration of China (CAC) finalized and issued the Measures for the Security Assessment of Transfers of Data Abroad (“Measures”) on 7 July 2022.

The Measures provide the implementation rules and guidelines concerning the security assessment mechanism for cross-border data transfers (CBDT) outside China. There are three overarching data protection laws, the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL).