China’s Cyberspace Administration and the State Administration for Market Regulation have jointly issued the Measures for the Certification of Cross-Border Personal Information Export. This new regulatory framework establishes a standardized system for the certification of personal information transfers beyond China’s borders. The Measures aim to enhance data protection, strengthen compliance mechanisms, and support the secure and lawful flow of information in an increasingly interconnected digital economy.
Background and Objectives of the New Measures
With the rapid globalization of the digital economy, cross-border data exchange has become integral to international business operations. Recognizing the importance of secure data governance, China’s Personal Information Protection Law (PIPL) outlines several legal channels for transferring personal data abroad. Certification through professional institutions is one such channel.
The newly issued Measures build upon earlier guidance released in 2022 and are designed to improve the cross-border data management system. Their objectives are threefold: to safeguard personal information rights, to ensure the compliant and transparent use of data, and to provide a clear legal foundation for the growth of the digital economy.
Scope and Key Provisions
The Measures apply to personal information processors that transfer data outside China through the certification mechanism. This primarily covers entities that are not critical information infrastructure operators but that process significant volumes of personal data. Certification applies when personal information of more than 100,000 individuals is provided overseas, or when sensitive information involving fewer than 10,000 individuals is transferred, provided that the data does not include information classified as important data.
The Measures define the certification process, including how personal information processors must apply, the role of accredited professional certification bodies, and the three-year validity period of certification. Renewal applications must be submitted six months before expiry. Certification bodies are responsible for ensuring that all activities comply with national standards and must promptly report any violations to the relevant authorities.
Compliance Obligations for Data Exporters
Before applying for certification, organizations intending to export personal information must fulfill a series of legal obligations. These include obtaining informed consent from individuals, conducting a personal information protection impact assessment (PIPIA), and evaluating the risks associated with data transfers.
The impact assessment must examine the legality and necessity of processing activities, assess the scope and sensitivity of exported data, and evaluate potential risks to national security, public interests, and individual rights. It must also determine whether overseas recipients have the technical and management capabilities to protect the data. In addition, the assessment should analyze potential threats such as data tampering, leakage, or misuse, as well as the legal and regulatory environment of the recipient’s country.
Requirements for Certification Institutions
Professional certification bodies play a critical role in implementing the Measures. They must conduct certification activities in accordance with national standards and issue certificates to qualifying organizations. These bodies are required to report certification details, such as certificate numbers, scope, and validity, to the national certification and accreditation information service platform within five working days.
If a data transfer falls outside the certified scope or fails to meet certification requirements, certification bodies must suspend or revoke the certification. They must also report any violations of laws or regulations to the relevant government departments. Certification institutions are further obligated to protect the confidentiality of personal information, trade secrets, and other sensitive business information obtained during the certification process.
Supervision and Enforcement Mechanisms
The Measures establish a robust supervisory framework led by the State Cyberspace Administration and the State Administration for Market Regulation. These authorities are tasked with overseeing certification activities, conducting both regular and ad hoc inspections, and reviewing certification processes and outcomes.
When potential risks or violations are identified, such as security incidents involving certified organizations, authorities may summon companies for corrective action. The Measures also enable individuals and organizations to report violations related to cross-border data transfers. Any breaches will be handled under the Personal Information Protection Law and other relevant regulations, with criminal penalties applicable where warranted.
Integration into China’s Cross-Border Data Framework
The introduction of the Measures marks a significant milestone in the full implementation of China’s cross-border data governance system. Together with the Cybersecurity Law, Data Security Law, Personal Information Protection Law, and accompanying regulations such as the Measures for Security Assessment of Cross-Border Data Transfer and the Standard Contract for Cross-Border Personal Information Transfer, the certification framework completes a three-pronged approach to data export compliance: security assessment, standard contract, and certification.
This framework provides a structured legal pathway for data flows while ensuring that data leaving China remains protected under consistent regulatory oversight. It also supports the country’s broader objective of building a secure, open, and globally integrated digital economy.
Toward a Secure and Transparent Digital Future
The Measures for the Certification of Cross-Border Personal Information Export demonstrate China’s commitment to developing a comprehensive, rules-based system for international data management. By clarifying procedures, responsibilities, and oversight mechanisms, the policy enhances transparency for domestic and foreign enterprises alike.
As digital globalization continues, companies engaged in cross-border operations must ensure strict compliance with data governance standards. The new certification system provides them with a clearer, legally supported framework to conduct international data exchanges while maintaining trust, accountability, and security in the global marketplace.
