Background
Cross border transfer of personal information is increasingly a necessity and has become fundamental to modern global business operations. Multinational companies often manage employment and customer relationships centrally while providing services worldwide. The rise of cloud computing means that data is often stored on servers located in different countries. E-commerce platforms serve international customers, and SaaS providers offer global solutions. Cross border personal information transfer is therefore a key element of data protection laws.
Personal information in China is regulated by the Personal Information Protection Law (PIPL). Article 38 of PIPL requires that if a personal information processor truly needs to provide personal information to any party outside the territory of the People's Republic of China for business or other needs, it must meet any of the following conditions: (i) passing the security assessment by the Cyberspace Administration of China ("CAC"); (ii) completing the CAC standard contract filing ("Standard Contract Filing"); or (iii) obtaining personal information protection certification by specialized institutions ("Certification").
Over the past few years, CAC together with other supervisory authorities has issued a series of regulations and guidelines on the security assessment and standard contract filing, such as the Security Assessment Measures for Data Provision Abroad, the Measures on the Standard Contract for Outbound Transfer of Personal Information, and the Provisions on Promoting and Regulating Cross-border Data Flows, which clarify the requirements for CAC Security Assessment and Standard Contract Filing. However, both "security assessment" and "standard contract filing" are time-consuming and costly.
On 14 October 2025, CAC issued the Announcement on the Implementation of Certification for Personal Information Protection ("Announcement"), which completes its guidance on all three measures for compliance with PIPL regarding cross border personal information transfer.
Based on the Announcement, the Measures for Certification of Outbound Personal Information Transfer ("New Certification Measure") will come into effect on 1 January 2026.
Key Points to Note in New Certification Measure
1. Applicable Thresholds
A personal information processor may transfer personal information cross border based on Certification if all the following circumstances are met simultaneously:
- It is not a critical information infrastructure operator;
- The personal information (excluding sensitive personal information) transferred is of more than 100,000 but less than one million persons, or the sensitive personal information [1] of less than 10,000 persons a year, calculated from 1 January of the current year; and
- Personal information provided abroad referred to in the preceding paragraph does not include important data [2].
2. Comparison with CAC Security Assessment and Standard Contract Filing
CAC Security Assessment focuses on official assessment by CAC.
Standard Contracts are akin to customized agreements, establishing rights and obligations between domestic information processors and overseas parties through government-prescribed standard-form contracts.
Certification represents a comprehensive evaluation and accreditation of personal information processors' ongoing, systematic compliance capabilities across their entire process of cross-border data processing activities. Certification allows enterprises to decide independently whether to use this pathway for cross-border personal information transfer based on their own business needs and conditions.
This model particularly benefits complex operations involving multiple overseas data recipients, without the process of negotiating separate standard contracts for each recipient.
3. Certification Certificates and Validity Period
An accredited certification agency ("Agency") shall conduct certification activities for cross-border transfer of personal information in accordance with the National Standard and New Certification Measure and issue a certification certificate valid for 3 years upon satisfaction of requirements. Personal information processors are obliged to submit a certification application 6 months prior to the expiration date for renewal.
Our Observations
The issuance of the New Certification Measure completes the regulatory guidance on safeguarding personal information transfers and is undoubtedly good news for international companies which have transactional data, employee data, client data and any other data stored centrally in digital form, and which are seeking clearer guidance and easier pathways to ensure compliance.
Having a Certificate proves sound management and compliance of data security and protection.
However, it may take time before it is fully implemented, and it also remains to be seen how the market will respond and evolve.
Footnotes
1 Article 28 of PIPL: Sensitive personal information refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14. Only for a specific purpose and sufficient necessity, and strict protection measures have been taken, may a personal information handler handle sensitive personal information.
2 Article 19 of Security Assessment Measures for Data Provision Abroad: Important data refers to the data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and security, etc.