(By Wang Hongliang) Many businesses are perplexed by the practical problem about outbound personal information transfer compliance, especially for foreign-inveested businesses that need to provide personal information abroad in many scenarios, for example when they have to provide personal information to their headquarters or affiliates.

Article 38[1] of the Personal Information Protection Law provides that in addition to other premises, security assessment, personal information protection certification and standard contract are approaches to outbound personal information transfer compliance. According to Article 4[2] of the Measures for Data Outbound Transfer Security Assessment (Exposure), the security assessment mainly applies to the situations when personal information is collected or generated by critical information infrastructure operators, personal information handlers processing personal information of one million people or more transfer personal information abroad or personal information of over 100 thousand people or sensitive personal information of over 10 thousand people is cumulatively transferred abroad.