The Cyberspace Administration of China (CAC) released the draft Measures for Cross-Border Data Transfer which clarify Personal Information Protection Certification.
On January 3, 2025, the Cyberspace Administration of China (CAC) released a draft document titled “Measures for the Certification of the Protection of Personal Information Exported Abroad” (hereinafter, draft measures). These measures, comprising 20 articles, are open for public consultation until February 3, 2025, marking a critical step in China’s data governance framework. The draft measures aim to clarify the certification process for safeguarding personal information during cross-border data transfers (CBDT). By outlining eligibility criteria, procedural requirements, and compliance mechanisms, the CAC seeks to enhance privacy protection and promote secure international data flows.
Personal information protection certification is a SAMR-authorized evaluation of processors’ cross-border data transfer security, which ensures compliance and builds public trust.
Under Article 3 of the draft measures, personal information protection certification refers to a formal evaluation process conducted by certification bodies authorized by the State Administration for Market Regulation (SAMR). These bodies assess whether personal information processors comply with stringent standards for secure cross-border data transfers. Certification not only ensures regulatory compliance but also instills public trust in the certified entities’ ability to manage sensitive data securely.
Scenarios Covered Under Cross-Border Data Transfers
The draft measures define the scope of cross-border data transfers to include the following:
- Transfers from China to foreign entities: Any movement of data collected in China to organizations outside the country.
- Access by foreign entities to data stored in China: Remote interactions, such as queries or downloads, involving data housed within Chinese borders.
- Data handling under the Personal Information Protection Law (PIPL): Processing of data related to Chinese citizens by foreign entities, regardless of where the data is stored.
Eligibility Criteria for Certification of the Protection of Personal Information Exported Abroad
Not all entities are eligible for certification under the draft measures. Article 4 outlines the following prerequisites for domestic processors seeking certification:
- Not a critical information infrastructure operator: Companies classified as critical information infrastructure operators (CIIOs) are not eligible for certification.
- Data volume thresholds: Processors must have handled the personal information of between 100,000 and one million individuals, or the sensitive personal information of more than 10,000 individuals, within the current year.
- Exclusion of important data: The personal information being transferred must not fall under the category of “important data.”
These thresholds ensure that certification focuses on entities managing significant volumes of personal information, minimizing burdens on smaller processors.
For foreign entities, certification is mandatory for any activity involving the handling of personal information of Chinese individuals. Such entities must designate a local representative in China to act as a compliance liaison.
Certification Process and Requirements
Entities applying for certification must submit a range of materials, including:
- Risk mitigation plans: Detailed strategies for addressing potential security threats.
- Legal agreements: Contracts ensuring the recipient abroad upholds China’s data protection obligations.
- Compliance strategies: Documentation showing adherence to certification standards.
Certification bodies assess applications based on several criteria:
- Legitimacy and necessity: Evaluating whether data transfers are essential for business purposes.
- Recipient country’s laws: Ensuring that the foreign jurisdiction offers adequate data protection.
- Security measures: Verifying encryption, access controls, and other technical safeguards.
According to Articles 10 and 13, certified entities are subject to ongoing monitoring through periodic audits by certification bodies to ensure continued compliance.
Reporting Violations and Government Action
The draft measures establish mechanisms for reporting non-compliance and addressing data security concerns. Key provisions include:
- Public reporting: Organizations and individuals can report violations to local or higher authorities.
- Government intervention: In cases of significant risks or breaches, regulators can mandate corrective actions, suspend data transfers, or conduct compliance interviews.
The draft measures focus on strengthening data protection through confidentiality requirements, international cooperation, and strict penalties for non-compliance.
The draft measures emphasize a comprehensive approach to data protection through confidentiality obligations, international cooperation, and penalties for non-compliance. Certification bodies and their personnel must uphold strict confidentiality to protect sensitive personal data and trade secrets, fostering trust throughout the certification process. To deter non-compliance, the measures outline penalties such as fines, certification suspension, or criminal liability in severe cases, ensuring entities prioritize data protection responsibilities. In addition, Article 13 of the draft measures states “Where a professional certification body discovers that a certified personal information handler has exported personal information that is inconsistent with the scope of certification and no longer meets the certification requirements, it shall promptly suspend or revoke the relevant certification certificate and make it public.” The introduction of these measures also promotes global collaboration by encouraging mutual recognition of certification standards with other countries, facilitating secure international data flows and aligning with global practices.
The draft measures require compliance investments but offer enhanced market trust, regulatory alignment, and streamlined international data transfers.
The draft measures on certification for cross-border data transfers present both challenges and opportunities for businesses, requiring investment in compliance strategies, such as risk mitigation plans, legal agreements, and technical safeguards to meet stringent data protection standards. While these efforts entail additional costs and administrative burdens, achieving certification enhances market trust and competitiveness, particularly in jurisdictions with strict data protection laws. Non-compliance risks severe penalties, including financial sanctions, certification suspension, and reputational damage, which can hinder multinational operations. However, the measures also promote international cooperation and alignment with global standards, facilitating secure and streamlined data transfers across borders, allowing businesses to expand their operations more effectively.