On January 3, 2025, the Cyberspace Administration of China (the “CAC”) released the Draft Measures for Personal Information Protection Certification for Cross-Border Data Transfers (the “Draft Measures”) for public comment. Following the Implementation Rules for Personal Information Protection Certification (the “Implementation Rules”) and the Cybersecurity Standards Practice Guidelines – Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (TC260-PG-20222A) in 2022, the Draft Measures provides additional details with respect to key aspects of the certification process, including its applicability, evaluation criteria, implementation process, use of certification results, and post-certification supervision. 

Under China’s Personal Information Protection Law (“PIPL”), to transfer personal information (“PI”) abroad in a compliant manner requires the relevant data processor to (1) obtain certification; (2) conduct security assessment; or (3) execute standard contract in accordance with the requirements of the PIPL. The Draft Measures outlines details of the certification process. The Security Assessment for Cross-Border Data Transfers (effective September 2022) provides guidelines for conducting the security assessment. The Standard Contract for Cross-Border Transfers of Personal Information (effective June 2023) presents forms of the standard contract.

Below is a brief overview of the key provisions of the Draft Measures.

1. When a Data Processor Should Obtain Certification

According to Article 4 of the Draft Measures, if the following conditions are met, a data processor can transfer PI abroad in a compliant manner by obtaining certification:

 A notable addition in the Draft Measures is the explicit inclusion of foreign personal information processors under Article 3(2) of PIPL as eligible entities for the certification mechanism. This means when a foreign entity collects PI directly from individuals within China and wants to transfer and store such PI overseas, it can apply for the certification. Specifically such entity can authorize a designated representative or establish a specialized entity in China to assist with the certification process.

However, the Draft Measures do not clarify the specific requirements for these designated representatives or specialized entities, such as whether they must be an affiliate of the foreign PI processor.

We have prepared the following table to help a data processer/ exporting entity to determine which one of the three mechanism it needs to undergo to stay compliant when transferring PI overseas:

2. Certification Standards and Rules

Article 7 of the Draft Measures stipulates that CAC, in coordination with relevant authorities, will formulate standards, technical rules, and assessment procedures for PI protection certification for cross-border data transfers.

According to the Implementation Rules, currently such standards and technical rules include:

3. Key Certification Requirements 

Article 10 of the Draft Measures outlines the key assessment criteria for PI protection certification for cross-border data transfers. These criteria fall into three categories: 

4. Certification Bodies 

Under Article 8 of the Draft Measures, professional certification bodies that meet the required qualifications to conduct PI protection certification for cross-border data transfers must complete a record-filing procedure with CAC. 

Currently, China Cybersecurity Review, Certification and Market Regulation Big Data Center (the “CCRC”) is the only officially recognized PI protection certification body in China. However, as the regulatory framework continues to develop, more certification bodies may become available in the future. 

According to a report issued by CCRC, as of February 2025, CCRC had received over 100 certification applications and had issued PI protection certification certificates to 7 entities. [i]

The Draft Measures are still open for public comment. We will continue monitoring regulatory developments with respect to the certification mechanism.

FOOTNOTES

[i] https://www.isccc.gov.cn/xwdt/tpxw/12/909546.shtml

Leave a Reply

Your email address will not be published. Required fields are marked *