The Personal Information Protection Law and the Network Data Security Management Regulation, among other laws and regulations, stipulate the methods for transferring personal information overseas, including a data transfer security assessment, a standard contract, and certification. Additionally, other conditions may permit the overseas transfer of personal information.

Recently, the Cyberspace Administration of China (“CAC”) released the Measures for the Certification of Personal Information Protection for Overseas Transfers (Draft for Public Comment, “the Draft”) in the form of administrative regulation. This document specifically outlines the requirements and procedures for personal information protection certification in overseas transfers.

Scope of Application

The scope of personal information protection certification is already outlined by the Provisions to Facilitate and Regulate Cross-Border Data Flow, and the Draft largely follows these provisions. The certification applies to activities involving the overseas transfer of personal information that meet all the following conditions:

  • The entities are not operators of critical information infrastructure;
  • Since January 1, 2025, they have cumulatively transferred overseas either:
    • More than 100,000 but fewer than 1 million individuals’ personal information (excluding sensitive personal information), or
    • Fewer than 10,000 individuals’ sensitive personal information.

Certification Agencies

Article 3 of the Draft emphasizes that only professional certification bodies legally established and approved by the State Administration for Market Regulation with qualifications for personal information protection certification are authorized to implement the certification process.

As of January 14, 2025, according to the National Certification and Accreditation Information Public Service Platform, the only entity authorized to conduct such certifications is the China Cybersecurity Review Certification and Market Regulation Big Data Center.

Certification Content

Article 10 of the Draft outlines the key factors for assessing overseas personal information protection certification:

  • Proportionate processing: Legality, legitimacy, and necessity of the transfer.
  • Impact assessment: Effect of the recipient’s country/region’s laws and environment on data
  • Equivalent protection: Alignment with China’s legal and regulatory standards.
  • Contractual agreements: Inclusion of personal information protection obligations in agreements.
  • Safeguards: Adequacy of organizational, managerial, and technical measures to protect personal information.
  • Other matters: Additional assessments as needed per certification standards.

Post-Certification Supervision

Articles 11 and 13 through 16 of the Draft detail the responsibilities for post-certification supervision. The following entities are involved:

  • Cyberspace Administration Departments: At the national level, the CAC and State Administration for Market Regulation have the authority to direct the suspension or revocation of certifications. At the provincial level, cyberspace administration departments can require corrective actions through measures such as interviews to address risks.
  • Professional Certification Bodies: Authorized to suspend or revoke certifications at their discretion or based on instructions from relevant authorities.
  • The Public: Individuals may report issues or violations to the relevant authorities.

Conclusion

As stated in the official interpretation, personal information protection certification provides a market-oriented and standardized compliance approach for enterprises with overseas personal information transfer needs. Enterprises can leverage the expertise of professional certification bodies to enhance their own compliance capabilities and efficiency in overseas data transfers. For enterprises with such needs, it is advisable to plan ahead and seek more efficient and suitable overseas data transfer methods that align with their specific business circumstances.