On January 3, 2025, the Cyberspace Administration of China issued the draft Measures for Personal Information Protection Certification for Cross-Border Transfers of Personal Information (“Draft Measures”) for public consultation. The Draft Measures will make available a certification which can be used as a mechanism for lawfully transferring personal information outside of China.
Scope of Cross-border Transfers
The following cross-border transfers could be made pursuant to the Draft Measures:
- Transfer of personal information collected and generated in China outside of China.
- Remote access, i.e., personal information collected and generated by data handlers is stored in China but is made available for query, retrieval, download, or export by overseas institutions, organizations, or individuals.
- Direct transfer of personal information outside of China without domestic storage with respect to:
- an overseas data handler processing personal information of individuals located in China in order to provide a product or service to that individual located within China; or
- an overseas data handler analyzing or assessing the behavior of individuals located within China.
Eligibility for Application for the Certification
Under the Draft Measures, a data handler in China may apply for the certification if:
- it is not a critical information infrastructure operator;
- no important data is transferred outside of China; and
- it has cumulatively transferred out of China personal information of between 100,000 and 1 million individuals or sensitive personal information of less than 10,000 individuals.
Evaluation Focus of the Certification
Under the Draft Measures, the certification shall focus on evaluating the following:
- the legality, legitimacy and necessity of the purpose, scope, method and other details of the cross-border transfer;
- the impact of personal information protection policies and laws, as well as the cyber and data security environment, of the country or region where the overseas data handler or overseas recipient is located, on the security of the personal information transferred outside of China;
- whether the personal information protection level of the overseas data handler or overseas recipient meets the requirements of laws, administrative regulations and mandatory national standards of China;
- whether the legally binding agreement between the data handler and the overseas recipient stipulates personal information protection obligations; and
- whether the organizational structure, management systems and technical measures of the data handler and the overseas recipient can fully and effectively ensure data security and personal information rights and interests.
Application for Certification by an Overseas Data Handler
Where an overseas data handler wishes to pursue certification pursuant to the Draft Measures, it is required to designate an institution established by it in China or a representative in China to assist in the application for the certification. In addition to the overseas data handler, such domestic institution or representative shall bear the corresponding legal liability, commit to complying with the relevant laws and regulations on personal information protection and to accepting supervision and regulation, and be subject to ongoing supervision by the professional certification institution during the certification validity period.