ARTICLE
9 November 2025

China Finalizes Certification Route For Cross-Border Data Transfer

RC
R&P China Lawyers

Contributor

R&P China Lawyers logo
R&P is a unique Chinese law firm founded in 2010, offering trusted legal support for international businesses in China. They cover various sectors and have PRC-licensed lawyers representing clients in negotiations, dealings with government departments, and court proceedings. Their team combines local expertise with international experience, emphasizing integrity, communication, and responsiveness. With offices in Shanghai and Beijing, R&P engages in projects across China and collaborates with local firms for additional support, providing practical solutions for clients' legal challenges.
Explore Firm Details
Measures for the Certification of Cross-Border Provision of Personal Information.
China Technology
Matthew Ding and Fabian Knopf
Your Author LinkedIn Connections
Matthew Ding’s articles from R&P China Lawyers are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • with readers working within the Accounting & Consultancy, Oil & Gas and Retail & Leisure industries

Background: Completing the Puzzle

Since the enactment of the Personal Information Protection Law (PIPL) in 2021, China has introduced three distinct compliance mechanisms for cross-border personal information transfers:

  1. Security Assessment – the most stringent and regulator-led approach;
  2. Certification – a middle-ground compliance path;
  3. Standard Contract – the most procedural and self-executed option.

While Security Assessment and Standard Contract measures were issued in 2022 and 2023 respectively, certification has remained the missing piece—until now.

On 14 October, 2025, the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) jointly released the Measures for the Certification of Cross-Border Provision of Personal Information. These Measures will take effect on 1 January, 2026, completing the long-awaited compliance framework.

Who Can Use the Certification Route?

The Certification route is designed for mid-scale personal information exporters that do not qualify for the Standard Contract route but fall short of Security Assessment thresholds.

Under Article 5 of the Measures, a personal information handler may apply for certification if it meets all of the following:

  • Not a critical information infrastructure operator (CIIO);
  • Since January 1 of the current year, has transferred abroad either:
    • Personal information (excluding sensitive PI) of ≥100,000 but (1,000,000 individuals; or
    • Sensitive personal information of (10,000 individuals.

Importantly, this route does not apply to the export of important data, which remains subject to the Security Assessment mechanism. Additionally, the Measures make clear that data handlers may not circumvent these thresholds by artificially splitting export volumes—a practice expressly prohibited to prevent avoidance of stricter regulatory procedures.

Compliance Requirements Before Applying

Before starting a certification application, the data handler must conduct a Personal Information Protection Impact Assessment (PIA) that evaluates, among others:

  • Legitimacy and necessity of data processing activities;
  • Sensitivity and scale of data exported;
  • Security capabilities of overseas recipients;
  • Risks of leakage, misuse, or regulatory conflicts abroad;
  • Cross-border enforcement and complaint mechanisms;
  • Foreign jurisdiction's legal impact on rights protection.

Additionally, personal information handlers must fulfill obligations such as obtaining separate consent, informing individuals, and appointing a domestic representative if located outside of China.

Procedure and Oversight

The Certification Measures also outline a clear procedural framework and oversight mechanism to ensure that certification activities are carried out with accountability and regulatory transparency. Once a company determines it meets the eligibility thresholds for certification, the following steps and obligations apply:

  • Certification must be conducted by a licensed professional body, which must be approved by the State Administration for Market Regulation (SAMR) and duly filed with the Cyberspace Administration of China (CAC).
  • Certificates are valid for three years, and companies wishing to continue certification must apply for renewal at least six months before expiry.
  • Certification bodies are required to report any issuance or change in the status of certificates within five working days to the National Certification and Accreditation Information Public Service Platform.
  • If any violations, inconsistencies, or mismatches between actual practices and the certified scope are discovered, the certificate may be suspended or revoked. Oversight authorities may also initiate enforcement or corrective measures.

Quick Reference: Comparing China's Three Cross-Border Transfer Mechanisms

With the release of the Certification Measures, companies now have a complete set of options for cross-border personal information transfers under China's data protection regime. The table below summarizes key differences among the three transfer mechanisms, along with updates from the 2024 Provisions on Promoting and Regulating Cross-Border Data Flows:

1701278a.png

The 2024 Provisions aligned the non-sensitive PI threshold for Standard Contracts with Certification by shifting it to "as of 1 January of the current year". Additionally, under the 2024 Provisions, data handlers exporting ≤100,000 individuals' non-sensitive PI (as of current year) are exempt from all three procedures, provided they fulfill PIPL duties such as consent, PIAs, and notification.

While the differing reference periods for SPI thresholds under the Standard Contract (previous year) and Certification (current year) may appear inconsistent, they do not create a regulatory gap. Rather, companies that exceed one threshold are expected to shift to the next appropriate mechanism, and should ensure accurate tracking of data volumes under each framework's defined time window.

Conclusion

With the Certification Measures now in place, China's cross-border data transfer framework is finally complete. Together with the Security Assessment and Standard Contract routes, the certification path provides companies with a calibrated set of options that reflect the scale and sensitivity of their data exports.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Matthew Ding
Matthew Ding
Photo of Fabian Knopf
Fabian Knopf
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More