China Finalizes Cross-Border Data Transfer Framework with New Certification Measures

New Measures Issued for Cross-Border Data Transfers

Beijing, China – On October 14, 2025, China's Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) jointly released the 'Measures for Certification of Cross-Border Personal Information Transfer'. These new regulations are set to take effect on January 1, 2026, marking a significant development in the country's data governance landscape. The issuance of these Measures completes the three-pathway framework for cross-border personal information transfers established under China's Personal Information Protection Law (PIPL).

Completing the PIPL Regulatory Framework

The 'Measures for Certification of Cross-Border Personal Information Transfer' represent the final piece in China's comprehensive regulatory system for outbound personal information transfers. Under Article 38 of PIPL, personal information processors in China have three primary mechanisms to legally transfer personal data overseas: a security assessment organized by the CAC, signing a standard contract with a foreign party, or obtaining certification for cross-border personal information transfer by a professional institution.

This certification pathway is designed to provide a structured compliance option, particularly for businesses that do not meet the thresholds for mandatory security assessments or prefer an alternative to standard contractual clauses. It aims to protect the rights and interests of personal information, regulate outbound data certification activities, and facilitate the efficient and secure cross-border flow of personal information.

Scope and Application of the Certification

The new certification program applies to personal information processors that are not critical information infrastructure operators (CIIOs). Specifically, it targets entities that, since January 1 of the current year, have transferred:

• Non-sensitive personal data of between 100,000 and fewer than 1 million individuals out of China.
• Sensitive personal data of fewer than 10,000 individuals out of China.

It is important to note that 'important data' is explicitly excluded from this certification pathway, as its transfer is strictly limited to the security assessment pathway to safeguard national security and public interest.

Under the new framework, data processors must submit applications to accredited certification bodies. Each certification will be valid for a period of three years. These certifying institutions are mandated to upload certification details to a national public service platform for certification and accreditation information and file records with the CAC within 10 working days of their accreditation.

Supervision and Compliance

The national market supervision and management department and the national cyberspace administration will oversee activities related to personal information outbound transfer certification. Provincial-level or higher cyberspace authorities and relevant departments are empowered to conduct interviews with certified personal information handlers if significant risks or personal information security incidents are detected. The Measures also explicitly prohibit data processors from splitting large data transfers into smaller batches to circumvent mandatory security assessments.

The introduction of these Measures is seen as enhancing legal certainty for businesses and offering another structured compliance pathway, which may prove especially beneficial for multinational corporations engaged in frequent or large-scale data transfers. It reflects China's ongoing efforts to balance data security with the needs of cross-border data flow.