[China] Draft Measures for Certification of PI Protection for Cross-Border Transfer of PI

What

On 3 Jan 2025, the Cyberspace Administration of China (CAC) issued for public consultation the draft Measures for Certification of Personal Information (PI) Protection for Cross-Border Transfer of PI.

The deadline for submitting feedback is 3 Feb.

What’s this about again?

Article 38 of the Personal Information Protection Law (PIPL) provides for three data transfer mechanisms: security assessment, certification, and contract.

The Measures for Security Assessment and Contract were issued in 2022 and 2023 respectively. There were none for certification, but in 2022, PI Protection Certification Implementation Rules were issued. These Rules set out specifications to be complied with for cross-border processing activities, and had a specific certification mark that certified PI handlers to use. Were these the requirements for the certification transfer mechanism? No one seemed to know.

But with the issuance of the draft Certification Measures, we now know for sure that the PI Protection Certification Implementation Rules wasn’t it. [But what does the cross-border processing activities certification do then?]

Correction 7/1/25: I noticed a mistake in relation to dates and corrected them. Previously I had written that the Measures for Security Assessment and Contract were both issued in 2023. The former was actually released in 2022. The Certification Implementation Rules were also issued in 2022.

Who can apply for certification?

PI handlers in China. In alignment with the CBDF Regulations issued last year, these conditions must be met before these PI handlers can apply for certification to export PI out of China:¹

1. The PI handler is not a CIIOs

2. From 1 Jan of the current year, the PI handler must:

   1. cumulatively export =>100k individuals’ PI (excluding sensitive PI), but <1m individuals’ PI, and

   2. cumulatively export <10k individuals’ sensitive PI

3. The data to be exported doesn’t include Important Data

Separately and curiously, Article 5 says that overseas entities that analyse/assess the activities of persons in China² and in so doing, handle their PI, “may engage in cross-border [PI] transfer activities upon obtaining certification”.