China Strengthens Compliance in Cross-Border Data Flows

China’s Cyberspace Administration and the State Administration for Market Regulation have jointly issued the Measures for the Certification of Cross-Border Personal Information Export. This new regulatory framework establishes a standardized system for the certification of personal information transfers beyond China’s borders. The Measures aim to enhance data protection, strengthen compliance mechanisms, and support the secure and lawful flow of information in an increasingly interconnected digital economy.

For international businesses operating in China, this means cross-border personal data transfers are now subject to formal certification requirements, with clear thresholds and compliance obligations that must be integrated into core data governance practices. Companies should assess whether their transfer volumes trigger certification, invest in the required compliance processes, and stay prepared for active regulatory oversight that carries penalties including criminal liability for serious breaches.

Executive Summary

  • China’s Cyberspace Administration and the State Administration for Market Regulation have jointly issued the Measures for the Certification of Cross-Border Personal Information Export, establishing a standardized national framework for certifying personal information transfers beyond China’s borders.
  • The Measures build upon earlier 2022 guidance and are grounded in China’s Personal Information Protection Law (PIPL), formalizing certification as one of three legal pathways for cross-border data export alongside security assessment and standard contracts.
  • Certification is required when personal information transferred overseas involves more than 100,000 individuals, or when sensitive personal information involving fewer than 10,000 individuals is exported, excluding data classified as important data.
  • Prior to applying for certification, data exporters must obtain informed consent from individuals, conduct a personal information protection impact assessment (PIPIA), and evaluate risks to national security, public interests, and individual rights in the recipient country.
  • Accredited certification bodies are responsible for verifying compliance with national standards, reporting certification details to the national platform within five working days, and suspending or revoking certificates where transfers fall outside the certified scope.
  • Supervision is jointly led by the State Cyberspace Administration and the State Administration for Market Regulation, with powers to conduct inspections, summon companies for corrective action, and impose penalties including criminal liability for serious breaches.
  • The Measures complete China’s three-pronged cross-border data compliance framework and signal a clear expectation that both domestic and foreign enterprises handling significant volumes of personal data must integrate robust certification processes into their data governance systems.

Background and Objectives of the New Measures

With the rapid globalization of the digital economy, cross-border data exchange has become integral to international business operations. Recognizing the importance of secure data governance, China’s Personal Information Protection Law (PIPL) outlines several legal channels for transferring personal data abroad. Certification through professional institutions is one such channel.

The newly issued Measures build upon earlier guidance released in 2022 and are designed to improve the cross-border data management system. Their objectives are threefold: to safeguard personal information rights, to ensure the compliant and transparent use of data, and to provide a clear legal foundation for the growth of the digital economy.

Scope and Key Provisions

The Measures specify that they apply to personal information processors transferring data outside China through the certification mechanism. This primarily covers entities that are not critical information infrastructure operators but that process significant volumes of personal data. Certification applies when personal information provided overseas involves more than 100,000 individuals or when sensitive information involving fewer than 10,000 individuals is transferred, provided that the data does not include information classified as important data.

The Measures define the certification process, including how personal information processors must apply, the role of accredited professional certification bodies, and the three-year validity period of certification. Renewal applications must be submitted six months before expiry. Certification bodies are responsible for ensuring that all activities comply with national standards and must promptly report any violations to the relevant authorities.

Compliance Obligations for Data Exporters

Before applying for certification, organizations intending to export personal information must fulfill a series of legal obligations. These include obtaining informed consent from individuals, conducting a personal information protection impact assessment (PIPIA), and evaluating the risks associated with data transfers.

The impact assessment must examine the legality and necessity of processing activities, assess the scope and sensitivity of exported data, and evaluate potential risks to national security, public interests, and individual rights. It must also determine whether overseas recipients have the technical and management capabilities to protect the data. In addition, the assessment should analyze potential threats such as data tampering, leakage, or misuse, as well as the legal and regulatory environment of the recipient’s country.

Requirements for Certification Institutions

Professional certification bodies play a critical role in implementing the Measures. They must conduct certification activities in accordance with national standards and issue certificates to qualifying organizations. These bodies are required to report certification details, such as certificate numbers, scope, and validity, to the national certification and accreditation information service platform within five working days.

If a data transfer falls outside the certified scope or fails to meet certification requirements, certification bodies must suspend or revoke the certification. They must also report any violations of laws or regulations to the relevant government departments. Certification institutions are further obligated to protect the confidentiality of personal information, trade secrets, and other sensitive business information obtained during the certification process.

Supervision and Enforcement Mechanisms

The Measures establish a robust supervisory framework led by the State Cyberspace Administration and the State Administration for Market Regulation. These authorities are tasked with overseeing certification activities, conducting both regular and ad hoc inspections, and reviewing certification processes and outcomes.

When potential risks or violations are identified, such as security incidents involving certified organizations, authorities may summon companies for corrective action. The Measures also enable individuals and organizations to report violations related to cross-border data transfers. Any breaches will be handled under the Personal Information Protection Law and other relevant regulations, with criminal penalties applicable where warranted.

Integration into China’s Cross-Border Data Framework

The introduction of the Measures marks a significant milestone in the full implementation of China’s cross-border data governance system. Together with the Cybersecurity Law, Data Security Law, Personal Information Protection Law, and accompanying regulations such as the Measures for Security Assessment of Cross-Border Data Transfer and the Standard Contract for Cross-Border Personal Information Transfer, the certification framework completes a three-pronged approach to data export compliance: security assessment, standard contract, and certification.

This framework provides a structured legal pathway for data flows while ensuring that data leaving China remains protected under consistent regulatory oversight. It also supports the country’s broader objective of building a secure, open, and globally integrated digital economy.

Toward a Secure and Transparent Digital Future

The Measures for the Certification of Cross-Border Personal Information Export demonstrate China’s commitment to developing a comprehensive, rules-based system for international data management. By clarifying procedures, responsibilities, and oversight mechanisms, the policy enhances transparency for domestic and foreign enterprises alike.

As digital globalization continues, companies engaged in cross-border operations must ensure strict compliance with data governance standards. The new certification system provides them with a clearer, legally supported framework to conduct international data exchanges while maintaining trust, accountability, and security in the global marketplace.

What This Means for Business

For businesses operating in China or engaging with Chinese markets, the new Measures for the Certification of Cross-Border Personal Information Export establish a standardized national framework that will directly shape how companies handle personal data transfers across borders.

  • Companies transferring personal data overseas now have a formally recognized certification pathway alongside security assessment and standard contracts. This completes China’s three-pronged cross-border data compliance framework and gives businesses greater legal clarity on how to structure international data flows.
  • Certification applies when personal information transferred overseas involves more than 100,000 individuals, or when sensitive personal information involving fewer than 10,000 individuals is exported. Businesses should assess whether their data transfer volumes trigger these thresholds and plan accordingly.
  • Before applying for certification, businesses must obtain informed consent from individuals, conduct a Personal Information Protection Impact Assessment, and evaluate risks to national security, public interests, and individual rights in the recipient country. This will require investment in compliance processes and internal data governance systems.
  • Certification is valid for three years, with renewal applications required six months before expiry. Businesses must treat certification as an ongoing compliance commitment rather than a one-time approval.
  • Accredited certification bodies will verify compliance, issue certificates, and report details to the national platform within five working days. They also hold the authority to suspend or revoke certification where transfers fall outside the certified scope, making it essential for businesses to stay within the boundaries of their approved certification.
  • Supervision is jointly led by the Cyberspace Administration of China and the State Administration for Market Regulation, with powers to inspect, summon companies for corrective action, and impose penalties including criminal liability for serious breaches. Businesses should ensure their data governance practices are well-documented and audit-ready at all times.

Overall, the Measures signal a clear expectation from Chinese regulators that both domestic and foreign enterprises handling significant volumes of personal data must integrate robust certification processes into their data governance systems as a core operational and compliance priority.
