On January 3, 2025, the Cyberspace Administration of China (the “CAC”) released the Draft Measures for Personal Information Protection Certification for Cross-Border Data Transfers (the “Draft Measures”) for public comment. Following the Implementation Rules for Personal Information Protection Certification (the “Implementation Rules”) and the Cybersecurity Standards Practice Guidelines – Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (TC260-PG-20222A) in 2022, the Draft Measures provides additional details with respect to key aspects of the certification process, including its applicability, evaluation criteria, implementation process, use of certification results, and post-certification supervision.
Under China’s Personal Information Protection Law (“PIPL”), to transfer personal information (“PI”) abroad in a compliant manner requires the relevant data processor to (1) obtain certification; (2) conduct security assessment; or (3) execute standard contract in accordance with the requirements of the PIPL. The Draft Measures outlines details of the certification process. The Security Assessment for Cross-Border Data Transfers (effective September 2022) provides guidelines for conducting the security assessment. The Standard Contract for Cross-Border Transfers of Personal Information (effective June 2023) presents forms of the standard contract.
Below is a brief overview of the key provisions of the Draft Measures.
1. When a Data Processor Should Obtain Certification
According to Article 4 of the Draft Measures, if the following conditions are met, a data processor can transfer PI abroad in a compliant manner by obtaining certification:
- The data processor is not a critical information infrastructure operator (the “CIIO”);
- The data being transferred does not involve important data;
- Since January 1 of the current year, the cumulative volume of PI transferred overseas:
- exceeds 100,000 individuals but is less than 1 million (excluding sensitive PI); or
- involves less than 10,000 individuals of sensitive PI.
A notable addition in the Draft Measures is the explicit inclusion of foreign personal information processors under Article 3(2) of PIPL as eligible entities for the certification mechanism. This means when a foreign entity collects PI directly from individuals within China and wants to transfer and store such PI overseas, it can apply for the certification. Specifically such entity can authorize a designated representative or establish a specialized entity in China to assist with the certification process.
However, the Draft Measures do not clarify the specific requirements for these designated representatives or specialized entities, such as whether they must be an affiliate of the foreign PI processor.
We have prepared the following table to help a data processer/ exporting entity to determine which one of the three mechanism it needs to undergo to stay compliant when transferring PI overseas:
2. Certification Standards and Rules
Article 7 of the Draft Measures stipulates that CAC, in coordination with relevant authorities, will formulate standards, technical rules, and assessment procedures for PI protection certification for cross-border data transfers.
According to the Implementation Rules, currently such standards and technical rules include:
- Information Security Technology—Personal Information Security Specification (GB/T 35273-2020)
- Cybersecurity Standards Practice Guidelines – Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (TC260-PG-20222A)
3. Key Certification Requirements
Article 10 of the Draft Measures outlines the key assessment criteria for PI protection certification for cross-border data transfers. These criteria fall into three categories:
- Compliance of Cross-Border PI Transfers – Evaluating whether the transfer of PI aligns with applicable laws and regulations.
- PI Protection Level of Overseas Processors and Recipients – Assessing the data protection capabilities of overseas PI processors and recipients, as well as the legal, policy, and cybersecurity environment in their respective countries or regions.
- Legally Binding Agreements and Organizational Safeguards – Reviewing the legally binding agreements between the PI processor and the overseas recipient, as well as their organizational structure, management systems, and technical measures to ensure PI protection.
4. Certification Bodies
Under Article 8 of the Draft Measures, professional certification bodies that meet the required qualifications to conduct PI protection certification for cross-border data transfers must complete a record-filing procedure with CAC.
Currently, China Cybersecurity Review, Certification and Market Regulation Big Data Center (the “CCRC”) is the only officially recognized PI protection certification body in China. However, as the regulatory framework continues to develop, more certification bodies may become available in the future.
According to a report issued by CCRC, as of February 2025, CCRC had received over 100 certification applications and had issued PI protection certification certificates to 7 entities. [i]
The Draft Measures are still open for public comment. We will continue monitoring regulatory developments with respect to the certification mechanism.
FOOTNOTES