Introduction
On January 3, 2025, the Cyberspace Administration of China (CAC) released the Draft Measures for the Protection and Certification of Outbound Personal Information (Draft Certification Measures) for public consultation. These Draft Certification Measures, aligned with the Personal Information Protection Law (PIPL) and related regulations, aim to standardize the certification and secure cross-border transfer of personal data. Under Article 38 of the PIPL, businesses transferring personal data overseas must meet strict requirements, including passing a security assessment, signing a standard contract, or obtaining certification. The Draft Certification Measures expand on the certification mechanism, providing a pathway for non-CII businesses to comply with cross-border data transfer rules. They do not modify the exemptions established under the CAC’s Regulations on Promoting and Regulating Outward Data Flows (Regulation), issued in March 2024. Businesses will continue to be exempt from any Cross-Border Data Transfer (CBDT) legal mechanisms if their data transfer scenarios fall within the scope of the relaxed provisions of the Regulation.
Applicability
Territorial Scope
As per Article 3 of the Draft Certification Measures, there are specific scenarios where personal information is transferred outside China for legitimate business or operational needs, including:
- Direct Transfer of Data:
- A Chinese business sends personal information to an overseas recipient for processing.
- Example: A Chinese e-commerce business shares customer data with an overseas provider for order fulfillment.
- Indirect Access to Data Stored in China:
- Personal data stays in China, but entities outside can access it for various purposes like querying or exporting.
- Example: A global marketing team accesses a Chinese business’s customer database remotely for analysis.
- Other Cross-Border Processing Activities:
- This covers situations where data about Chinese individuals is processed abroad, even if not transferred from within China.
- Example: A foreign tech business processes data from Chinese users via an app hosted outside China.
Material Scope
Material Scope
The Draft Certification Mechanism does not apply to:
- Transfers of important data.
- In the context of Data Security Law (DSL) and PIPL, "important data" is a term used to signify data that, if leaked, tampered with, lost, or illegally accessed, could pose risks to national security, economic interests, public interests, or other significant societal interests.
- Data transfers by Critical Information Infrastructure (CII) operators
- The Cybersecurity Law of China (CSL) defines CII as information infrastructure that, if destroyed, disabled, or exposed, could severely harm national security, the national economy, people's livelihoods, or the public interest.
It is intended for non-CII businesses transferring:
- Sensitive personal data of fewer than 10,000 individuals
- Non-sensitive personal data of between 100,000 and 1 million individuals
These transfers must have occurred since January 1 of the current year.
The newly introduced Draft Certification Measures ensure personal information transferred outside China complies with the PIPL. Under the Draft Certification Measures, CBDT is conducted by professional certification institutions that are:
- Established under Chinese law (specifically PIPL) and;
- Approved by the National Market Supervision and Administration Department
The certification confirms that outbound data transfers are secure and compliant with Chinese regulations, ensuring proper safeguards are in place to protect personal data.
Certification for Domestic Processors
The personal information certification under the Draft Certification Measures process for outbound data transfers is voluntary. Businesses can choose to seek certification to meet the requirements outlined in Article 3 of the PIPL. The certification process is designed to align with principles of voluntariness, marketization, and socialization, allowing flexibility for businesses to comply based on their specific needs.
Certification for Foreign Processors
Foreign personal information processors must collaborate with a designated local representative or a specialized institution within China to apply for certification. This ensures foreign entities are subject to Chinese legal and regulatory frameworks. To qualify, foreign applicants must:
- Collaborate with a designated local representative or a specialized institution established within China for assistance.
- Comply with the PIPL and related regulations.
- Submit to supervision and management by Chinese authorities.
- Undergo ongoing monitoring by professional certification institutions for the duration of their certification period.
Key Criteria for Certification
Article 10 of the Draft Certification Measures specifies the factors certification bodies will assess during the certification process:
- Legality, legitimacy, and necessity
- Impact assessment of the recipient’s jurisdiction
- Compliance with Chinese standards
- Legally binding agreements
- Organizational and technical safeguards
- Certification bodies will review whether the applicant has sufficient organizational frameworks, management systems, and technical measures to ensure personal data security.
- Other necessary evaluations
- Certification agencies retain discretion to conduct additional assessments, based on the specific requirements of the applicable certification standards.
Under the Draft Certification Measures:
- The State Network Information Department (CAC), in coordination with other relevant agencies, is responsible for creating the standards, technical regulations, and assessment procedures for personal information certification.
- The State Market Supervision and Administration Department, together with the CAC, will develop implementation rules, including guidelines for the certification certificates (both physical and digital) and logos.
Penalties and Administrative Measures
If cross-border personal information transfer activities threaten national security, and public interests, or seriously harm individuals' data and rights, certification agencies can report such activities to the National Network Information Department (CAC) and other relevant authorities.
If certified processors violate certification standards or operate outside their approved scope, certification agencies can suspend or revoke certificates and publicly announce the changes. The CAC and other authorities can also intervene during supervision, requiring cooperation from the certifying agency. Certification details, including certificate numbers, processor names, and status changes (e.g., suspension or revocation), must be submitted to the National Public Information Platform within five working days.
The CAC and the State Market Supervision and Administration Department oversee certification activities, conducting spot checks and evaluations. Agencies found violating regulations may face penalties, including warnings, required corrections, or suspension and revocation of qualifications.
Certification records obtained through false information may result in the revocation of certification and additional penalties. Organizations or individuals can report violations to relevant authorities, who may intervene if significant risks or security incidents occur.
How Securiti Can Help
Navigating evolving privacy requirements can be complex. Fortunately, Securiti’s suite of automation modules offers a comprehensive solution for organizations seeking to ensure compliance with the China’s evolving regulatory landscape.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
Request a demo to learn more.