China’s New Measures for Cross-Border Data Transfer Certification

January 10, 2025

In a significant move towards strengthening data governance and addressing cybersecurity concerns, the Cyberspace Administration of China (CAC) introduced new draft measures for the certification process of personal information protection in cross-border data transfers (CBDT) on January 3, 2025. These measures consist of 20 articles that outline the eligibility criteria, requirements, and procedures for obtaining certification, marking a pivotal element in China’s strategy to secure data privacy and fortify compliance in transferring personal data across borders.

Certification Definition and Authority

The draft measures define “PI protection certification” as a formal evaluation process conducted by bodies authorized by the State Administration for Market Regulation (SAMR). These certification bodies are tasked with assessing whether personal information processors comply with the required security standards for cross-border data transfers. This process aims to ensure the protection of individuals’ personal information while enabling the smooth international transfer of data.

Scope of Cross-Border Data Transfers

The new measures cover a broad range of scenarios involving cross-border data transfers, including the transfer of personal data from China to foreign entities, foreign entities accessing data stored in China, and the handling of personal data by foreign entities under the Personal Information Protection Law (PIPL). By encompassing these various scenarios, the regulations aim to cover all potential avenues through which personal data may cross China’s borders.

Eligibility Criteria

Not all companies are eligible for certification under the new draft measures. Article 38 of the PIPL outlines different ways for companies to get clearance for cross-border data transfers. Article 4 of the draft measures further specifies the eligibility criteria, focusing on companies that handle substantial volumes of personal information or sensitive data. This targeted approach ensures that major data processors, which pose significant privacy risks, are subject to stringent scrutiny and regulation.

Certification Requirements for Foreign Entities

Foreign entities looking to process personal data of individuals in China must obtain certification. This includes having a local representative or entity in China to ensure compliance with the local regulations. Certification is mandatory regardless of the location where the data processing occurs, thereby placing a significant regulatory obligation on foreign companies involved with Chinese personal data.

Certification Process

Entities seeking certification need to submit comprehensive documentation, such as risk mitigation plans, legal agreements, and compliance strategies. The certification bodies will evaluate applications based on the legitimacy of data transfers, the adequacy of the recipient country’s data protection laws, and the security measures in place. This rigorous assessment process fortifies the overall security framework for cross-border data transfers.

Ongoing Monitoring and Compliance

Once certified, entities are subject to periodic audits to maintain compliance with the certification standards. Certification bodies are responsible for monitoring adherence to the regulations and ensuring a high level of security and accountability. This continuous oversight is critical for maintaining the integrity and effectiveness of the certification process.

Reporting and Government Action

The draft measures include provisions for reporting data security violations and addressing concerns promptly. Mechanisms for public reporting of breaches, authorities’ intervention during significant risks or incidents, and enforcement of corrective actions are detailed within the measures. This approach underscores the importance of transparency and accountability in the realm of data protection.

Confidentiality and Penalties

Confidentiality obligations are stressed for certification bodies and personnel involved in the certification process. The draft measures also promote international cooperation and detail penalties for non-compliance, such as fines, suspension of certification, and possible criminal liability. These stringent penalties reinforce the seriousness with which China is approaching cross-border data protection.

Key Findings

On January 3, 2025, the Cyberspace Administration of China (CAC) took a significant step toward bolstering data governance and addressing cybersecurity issues by introducing new draft measures for the certification process of personal information protection in cross-border data transfers (CBDT). This initiative, a major component of China’s strategy to enhance data privacy and compliance, includes 20 detailed articles. These articles specify the eligibility criteria, requirements, and procedures necessary for obtaining certification. As international data transfers become increasingly common, these measures aim to ensure the security of personal data and protect individual privacy. By establishing clear guidelines and standards, China aims to create a more secure framework for personal data moving across borders, thereby reducing risks associated with cybersecurity threats and non-compliance. These measures are expected to provide a detailed roadmap for organizations dealing with personal data, ensuring they adhere to stringent privacy and security norms, while fostering trust and confidence in the digital economy.
