context: From 2017, Beijing strengthened its data governance through a trio of laws: the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. Tightened vetting of cross-border data transfers prompted complaints from multinationals about compliance costs and regulatory ambiguity. The Cyberspace Administration of China (CAC) issued regulations clarifying exemptions from security assessment. The latest development is a set of personal information outbound certification measures, detailing certification scenarios and agency reporting procedures.
The personal information outbound certification measures complete the outbound data transfer mechanisms listed in the Personal Information Protection Law, marking the completion of the build-up of the PRC regulatory framework for cross-border data transfer, says a CAC (Cyberspace Administration of China) spokesperson.
The law stipulated multiple pathways for transferring personal information overseas:
- security assessment via authorities
- personal information protection certification
- standard contracts for cross-border transfers
The second pathway refers to receiving certification from professional institutions in accordance with national cyberspace regulations. An initial certification framework was provided in 2022, when SAMR (State Administration for Market Regulation) and CAC released implementation regulations for issuing personal information protection certificates.
The new measures build upon this foundation:
- applicable scope of the certification path
  - not critical information infrastructure operators
  - cumulatively provided personal information on at least 100,000 but under one million individuals since 1 January of the year
  - sensitive personal information of fewer than 10,000 individuals
  - information does not include ‘important data’
- application procedures and certification requirements
  - overseas personal information handler: must apply through designated units or representatives established within the PRC
  - certification valid for three years: reapply six months before expiry
- obligations of certification bodies
- requirements for oversight and administration
Personal information handlers must inform individuals and obtain their consent before transfer, and must conduct personal information protection impact assessments covering:
- legitimacy, propriety and necessity of transfer
- scale, scope, categories and sensitivity of data: potential risk on state security
- commitments and capabilities of overseas recipient: management and technical safeguards
- risks of alteration, destruction, leakage, loss or illegal use of personal information after transfer
- impact of the recipient’s national or regional personal information protection policies
- other factors that may affect security
Certification bodies must:
- conduct activities per law and regulation
- submit relevant certification information to the National Certification and Accreditation Information Public Service Platform within five working days of issuance
- suspend or revoke a certificate if the holder's cross-border data processing activities fall outside the certified scope or cease to meet the requirements
- report any violations of laws, regulations or national directives to CAC and authorities
- file record with CAC within ten working days after obtaining certification qualifications approved by SAMR
- ensure information confidentiality