China Unveils Measures for Certification of Cross-Border Personal Information
Published 21 October 2025
Xia Yu
On 17 October 2025, the Cyberspace Administration of China (“CAC”) promulgated the Personal Information Cross-Border Certification Measures (“Measures”), which shall take effect on 1 January 2026. Article 38 of the Personal Information Protection Law of China (“PIPL”) establishes a personal information protection certification mechanism (“PIPC Mechanism”), allowing personal information processors to transfer personal information outside China by obtaining certification from accredited institutions. Comprising 19 articles, the Measures specify detailed implementation rules for the PIPC Mechanism, covering application scenarios, certification procedures, obligations of certification bodies, and regulatory requirements.
Formulated in accordance with the PIPL, the Regulations on Network Data Security Management, and the Regulations of China on Certification and Accreditation, the Measures apply to personal information processors that transfer personal information outside China through the PIPC Mechanism. Their purposes include protecting personal information, regulating the certification of cross-border personal information (“CPI Certification”), and facilitating the efficient and secure cross-border flow of personal information. The CPI Certification refers to a conformity assessment conducted by accredited certification bodies with personal information protection certification qualifications, which verifies that a personal information processor’s activities related to transferring personal information outside China comply with relevant legal and regulatory requirements.
The Measures specify the applicable scenarios for the CPI Certification. According to the Measures, personal information processors utilizing the PIPC Mechanism for outbound data transfers must simultaneously satisfy three conditions. Firstly, the personal information processor must not qualify as a critical information infrastructure operator. Secondly, the volume of personal information (excluding sensitive personal information) transferred abroad since 1 January of the current year must reach a cumulative total of no less than 100,000 individuals but not exceed 1 million individuals. Where the information constitutes sensitive personal information, the cumulative threshold shall be limited to 10,000 individuals. Thirdly, the data transferred abroad must not include important data. Additionally, the Measures emphasize that personal information processors shall not circumvent applicable requirements by employing methods such as data volume segmentation to improperly substitute certification for the mandatory cross-border security assessment mechanism (“CSS Mechanism”).
The Measures specify the application procedures, certification requirements, and validity period for the CPI Certification. Prior to submitting a certification application, personal information processors shall fulfill obligations including providing explicit notice, obtaining separate consent from relevant data subjects, and conducting personal information protection impact assessments. Key assessment components include: 1) the legality, legitimacy, and necessity of the purposes, scope, and methods of personal information processing by both the data processor and overseas recipient; 2) the scale, scope, type, and sensitivity of exported data, alongside potential risks to national security, public interests, and personal information rights; 3) the obligations committed to by the overseas recipient, and the adequacy of their managerial, technical measures, and capabilities to safeguard exported data; 4) risks of alteration, destruction, leakage, loss, or illegal use post-transfer, and the accessibility of channels for protecting data subjects’ rights; 5) the impact of the recipient country’s personal information protection policies and regulations on the security of exported data and data subjects’ rights. Applications for the certification shall be submitted to accredited certification bodies. Foreign personal information processors shall apply through their established domestic entities or designated representatives. Certification validity is set at three years. For renewal, processors must reapply at least six months prior to expiration.
The Measures specify the obligations of accredited certification bodies. Within ten business days from obtaining accreditation, such bodies shall complete filing procedures with the national cyberspace authority. They are required to submit information concerning the CPI Certification—including certificate numbers, names of certified personal information processors, certification scope, and status changes—to the National Certification and Accreditation Information Public Service Platform, and promptly report any unlawful outbound personal information activities. The certification bodies must conduct the CPI Certification in accordance with established certification norms and rules. Where certification requirements are met, certification certificates shall be issued in a timely manner. If a certified processor is found to no longer satisfy certification requirements—such as discrepancies between actual data exports and certified scope—the certification body shall suspend the use of the certificate pending potential revocation.
The Measures expressly stipulate that the state market regulatory department and the state cyberspace administration shall exercise supervision over the CPI Certification, conduct regular or ad-hoc inspections, perform random checks on certification processes and outcomes, and implement sampling evaluations of accredited certification bodies. Where provincial-level or higher cyberspace authorities and relevant departments identify significant risks in certified personal information processors’ outbound data activities or the occurrence of personal information security incidents, they may conduct supervisory interviews with such certified processors. Any organization or individual may lodge complaints or reports regarding unlawful outbound transfers of personal information.
The PIPL stipulates that lawful channels for personal information processors to transfer personal information abroad include the CSS Mechanism, the PIPC Mechanism, and standard contracts for cross-border data transfers (“Standard Contract Mechanism”). The Measures for the Security Assessment of Outbound Data Transfer, the Measures for the Standard Contract for the Outbound Transfer of Personal Information and the Provisions on Promoting and Regulating Cross-border Data Flow have clarified the implementation rules for the CSS Mechanism and the Standard Contract Mechanism, while also establishing a negative list system for outbound data transfers in pilot free trade zones. The Measures specify the concrete implementation rules for the PIPC Mechanism. This signifies that all three mechanisms for outbound personal information transfers are now supported by corresponding implementation rules, marking the fundamental establishment of China’s cross-border data flow regulatory system.