Alarm Bells For Multinationals On Data Compliance: China Issue The 1st Administrative Penalty Case For Unlawful Personal Information Outbound Transfer

Recently, China's Ministry of Public Security Cybersecurity Bureau announced the first administrative penalty case concerning the unlawful outbound transfer of personal information, drawing significant attention. In this case, a well-known multinational company faced administrative penalties for failing to utilize any of the three legally prescribed pathways – security assessment, standard contract, or protection certification – when transferring personal information data to its headquarters. It also failed to adequately inform users about the processing methods of the overseas recipient and obtain "separate consent," and did not implement security technical measures such as encryption or de-identification for the personal information.

The publication of this case signals that China's regulation of cross-border personal data transfers is progressively moving from the phase of establishing a regulatory system to the phase of practical enforcement. Going forward, oversight of data export activities by Chinese regulators is expected to become more routine and detailed. Simultaneously, this case serves as a reminder for multinational corporations to attach great importance to data compliance requirements within China.

At the regulatory level, China has now established a governance framework for cross-border personal information transfers centered on the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. These core laws are complemented by departmental regulations such as the Measures for Security Assessment of Outbound Data Transfers, the Measures for Standard Contracts for Outbound Personal Information Transfers, the Provisions on Promoting and Regulating Cross-Border Data Flows, and the Announcement on Implementing Personal Information Protection Certification.

Two recently introduced regulations have further refined the handling of the cross-border transfer of personal information. The first is the Measures for the Certification of Outbound Personal Information (the Measures), jointly issued by the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR), which will take effect on January 1, 2026. The Measures establish the full-process regulatory responsibilities of relevant national authorities, including the formulation of standards, supervision and inspections, the revocation of institutional certificates, etc. They clarify the responsibilities of professional certification bodies, encompassing qualifications filing, obligations to report illegal activities, and submitting certification records. The Measures also stipulate the responsibilities of personal information processors, defining the conditions, requirements, and procedures for obtaining certification. The second is the first national standard for cross-border personal information security - Security Certification Requirements for Cross-Border Personal Information Processing Activities – issued by the SAMR, which will take effect on March 1, 2026. It lays out core principles, fundamental requirements, and requirements for protecting individuals' rights and interests that relevant parties must adhere to. The standard details the rights of individuals regarding being informed, consent, and seeking remedies. It requires both the data processors and overseas recipients to fulfill corresponding obligations, facilitating the exercise of rights by personal information subjects.

The newly issued Measures and standard provide multinational companies with clearer compliance requirements, establish a basis for regulatory oversight by authorities and certifications by third-party bodies, and promote the comprehensive implementation of all three legally defined lawful data transfer pathways.

In light of the latest case and the new provisions, international companies should focus on strengthening data export compliance in the following aspects. First, companies need to accurately select standardized and appropriate transfer pathways based on the specific data export scenario and data type. The Measures and the national standard provide a more specific technical basis for the certification path, which companies can leverage to enhance compliance efficiency. Second, companies should enhance organizational management by establishing personal information protection institutions and appointing responsible personnel, continuously updating transfer paths according to business circumstances, and tracking and monitoring data flows. Additionally, multinational companies cannot simply apply globally unified privacy policies directly but must develop localized plans in accordance with Chinese law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.