The State Internet Information Office promulgates the "Measures for the Certification of Personal Information Outbound Transfer".
The "Measures" specify supervision and management requirements. Professional certification agencies must file with the National Cyberspace Administration within 10 working days of obtaining certification qualifications, and the National Market Supervision Administration and the National Cyberspace Administration shall supervise personal information outbound certification activities.
Personal Information Exit Certification Measures
Article 1
In order to protect the rights and interests of personal information, regulate the activities of personal information exit certification, promote efficient and secure cross-border flow of personal information, in accordance with the "Personal Information Protection Law of the People's Republic of China", the "Regulations on the Management of Network Data Security", the "People's Republic of China Certification and Accreditation Regulations" and other laws and regulations, these measures are formulated.
Article 2
These measures apply to personal data processors who provide personal information to countries outside the People's Republic of China through personal information protection certification.
Article 3
The term "personal information exit certification" in these measures refers to the verification activity of personal data processors providing personal information to countries beyond the People's Republic of China in accordance with Article 38(1)(2) of the "Personal Information Protection Law of the People's Republic of China". This verification is conducted by professional certification bodies that have obtained the qualification for personal information protection certification, and confirms that the activities of personal data processors providing personal information to countries beyond the People's Republic of China comply with relevant laws, regulations, departmental rules, standards, and technical specifications.
Article 4
The Cyberspace Administration of China, in conjunction with the National Data Management Department and other relevant departments, will develop relevant standards and technical specifications for personal information exit certification. The State Market Regulatory Administration, in conjunction with the Cyberspace Administration of China, will establish rules for personal information protection certification, unified certification certificates, and logos.
Article 5
Personal data processors who provide personal information to countries outside the People's Republic of China through personal information exit certification must meet the following conditions:
(1) They are not operators of critical information infrastructure;
(2) Since January 1 of the current year, they have provided to countries outside the People's Republic of China the personal information (excluding sensitive personal information) of more than 100,000 but less than one million individuals, or the sensitive personal information of less than 10,000 individuals.
The personal information provided to countries outside the People's Republic of China in the preceding paragraph does not include important data.
Where laws, regulations, or provisions of the Cyberspace Administration of China apply, those provisions shall be followed.
Personal data processors shall not use methods such as splitting quantities to provide, through personal information exit certification, personal data that should undergo outbound security assessment to countries outside the People's Republic of China.
Article 6
Before applying for certification to provide personal information to countries outside the People's Republic of China, personal data processors must fulfill the obligations stipulated by laws and regulations, including informing individuals, obtaining individual consent, conducting personal information protection impact assessments, etc. The impact assessment focuses on: the legality, legitimacy, and necessity of the purposes, scope, and methods of personal information processing by the personal data processors and the overseas recipients; the scale, scope, types, and sensitivity of the outbound personal information, and the risks that the outbound personal information may pose to national security, public interests, and individual information rights; the obligations undertaken by the overseas recipients, and whether those obligations can guarantee the security of the outbound personal information; the risks of modification, destruction, leakage, loss, unlawful use, etc. after the personal information is transferred outbound, and whether the channels for safeguarding individual information rights are unobstructed; the impacts of the personal information protection policies and regulations of the overseas recipients' countries or regions on the security of outbound personal information and on personal information rights; and other matters that may affect the security of outbound personal information.
Article 7
Personal data processors who provide personal information to countries outside the People's Republic of China through certification must apply for personal information exit certification from professional certification bodies.
If personal data processors outside the People's Republic of China apply for personal information exit certification, they should have a dedicated organization established within the country to assist in the application.
Article 8
Professional certification bodies should conduct personal information exit certification activities in accordance with basic certification norms and personal information protection certification rules. If the certification requirements are met, professional certification bodies should issue certification certificates promptly.
The validity period of the certification certificate is three years. If the certificate needs to be renewed, the personal data processors should apply for recertification six months before the expiration of the validity period.
Article 9
Professional certification bodies should report relevant information about personal information exit certification certificates to the National Certification and Accreditation Information Public Service Platform within five working days after issuing the certification certificate or when the status of the certification certificate changes. This information should include the certification certificate number, the name of the certified personal data processor, the scope of certification, and information on changes in certificate status.
The State Market Regulatory Administration and the Cyberspace Administration of China have established a mechanism for sharing certification information.
Article 10
If a professional certification body discovers that a certified personal data processor no longer meets the certification requirements due to inconsistencies between the personal information exit situation and the certification scope, it should suspend the use of the relevant certification certificate until the certificate is revoked.
If the Cyberspace Administration of China and other relevant departments find in the course of personal information protection supervision and management that a certified personal data processor is in the situation mentioned above, the professional certification body should cooperate in suspending the use of the relevant certification certificate until the certificate is revoked.
The situations mentioned in the previous two paragraphs should be made public through the National Certification and Accreditation Information Public Service Platform.
Article 11
In conducting certification activities, if a professional certification body discovers that the personal information exit activities violate laws, regulations, or relevant provisions of the state, they should promptly report to the Cyberspace Administration of China and other relevant departments.
Article 12
Professional certification bodies engaged in personal information exit certification should complete filing procedures with the Cyberspace Administration of China within ten working days from the date of obtaining the qualification for personal information protection certification approved by the State Market Regulatory Administration. When filing, the following materials should be submitted:
(1) Certification qualifications obtained in the field of personal information protection;
(2) Professional work experience in data security and personal information protection in the past three years;
(3) Personnel background security check materials for professional certification bodies;
(4) Detailed rules for personal information protection certification and work plans;
(5) Personal information security risk prevention mechanisms;
(6) Mechanisms for continuously monitoring whether personal data processors' personal information exit activities comply with certification standards;
(7) Complaint handling and dispute resolution mechanisms;
(8) Other materials that need to be submitted.
Professional certification bodies are responsible for the authenticity of the materials they submit.
After receiving the filing materials submitted by professional certification bodies, the Cyberspace Administration of China, in conjunction with the National Data Management Department, will review the filing materials. If the materials are complete, they should be filed and publicized within 30 working days; if the materials are incomplete, they will not be filed, and professional certification bodies should be notified within 30 working days with reasons.
Article 13
The State Market Regulatory Administration and the Cyberspace Administration of China shall supervise personal information exit certification activities, conduct regular or irregular inspections, spot checks on the certification process and results, and spot checks and evaluations of professional certification bodies.
Article 14
Government agencies, professional certification bodies, etc., involved in certification activities and their staff must keep personal privacy, personal information, trade secrets, and confidential business information confidential in accordance with the law, and must not disclose, provide, or use them illegally.
Article 15
Any organization or individual that finds a certified personal data processor violating the provisions of these measures by providing personal information to countries outside the People's Republic of China can lodge a complaint or report to professional certification bodies, the Cyberspace Administration of China, and other relevant departments.
Article 16
Where cyberspace administrations at or above the provincial level and relevant departments find that the personal information exit activities of a certified personal data processor are at risk, or that the processor has experienced a personal information security incident, they can conduct interviews with the certified personal data processor in accordance with the law. The certified personal data processor shall rectify according to the requirements and eliminate the hazards.
Article 17
For violations of these measures, the relevant laws and regulations such as the "Personal Information Protection Law of the People's Republic of China", the "Regulations on the Management of Network Data Security", and the "People's Republic of China Certification and Accreditation Regulations" shall be enforced; if they constitute a crime, criminal responsibility shall be pursued in accordance with the law.
Article 18
In cases where the relevant provisions on personal information exit certification enacted before the implementation of these measures are inconsistent with these measures, these measures shall prevail.
Article 19
These measures shall come into effect on January 1, 2026.
"Personal Information Exit Certification Measures" Q&A
Recently, the Cyberspace Administration of China and the State Market Regulatory Administration jointly announced the "Personal Information Exit Certification Measures" (referred to as the "Measures" below). A relevant official from the Cyberspace Administration of China answered questions from journalists about the "Measures".
Question 1: Please introduce the background of the issuance of the "Measures".
With the rapid development of the global digital economy, cross-border data flow has become a key driver for global allocation of data elements, high-level international cooperation, and competition. The "Personal Information Protection Law" stipulates that obtaining personal information protection certification through a professional organization designated by the Cyberspace Administration of China is one of the statutory ways to provide personal information to countries outside the People's Republic of China. To implement the requirements of the law, in November 2022, the State Market Regulatory Administration and the Cyberspace Administration of China issued a regulatory document titled "Announcement on the Implementation of Personal Information Protection Certification." Based on this, the "Measures" were formulated to improve China's management system for cross-border flow of personal information, protect the rights and interests of individuals, promote the compliant use of personal information, and provide legal guarantees for the high-quality development of the digital economy.
Question 2: What are the main contents of the "Measures"?
The "Measures" mainly stipulate the following:
Firstly, clarifying the legislative purpose and scope of application. It is prescribed that personal data processors who provide personal information to countries outside the People's Republic of China through personal information protection certification are subject to these measures.
Secondly, it specifies the applicable situations for personal information exit certification. It is stipulated that personal data processors providing personal information to countries outside the People's Republic of China through personal information exit certification must meet the following conditions: they are non-operators of critical information infrastructure; since January 1 of the current year, they have provided personal information to countries outside the People's Republic of China to more than 100,000 but less than one million individuals, excluding sensitive personal information, or to less than 10,000 individuals of sensitive personal information; the personal information provided to countries outside the People's Republic of China does not include important data.
Thirdly, it clarifies the application method, certification requirements, and the validity period of the certificate for personal information exit certification. It is specified that personal data processors must apply for personal information exit certification from professional certification bodies, and personal data processors outside the People's Republic of China must have a dedicated organization established in the country to assist in the application. Professional certification bodies should conduct certification activities in accordance with basic certification norms and personal information protection certification rules. It is clarified that the validity period of the certification certificate is three years, and if the certificate needs to be renewed, personal data processors should apply for recertification six months before the expiration of the validity period.
Fourthly, it specifies the obligations that professional certification bodies must fulfill. Professional certification bodies are required to report relevant information about personal information exit certification certificates to the National Certification and Accreditation Information Public Service Platform, and in case of personal information exit activities violating laws, regulations, or relevant provisions of the state, they should report to the Cyberspace Administration of China and other relevant departments promptly.
Fifthly, it specifies the supervision requirements. It is stipulated that professional certification bodies must file with the Cyberspace Administration of China within ten working days from the date of obtaining the qualification for personal information protection certification approved by the State Market Regulatory Administration and must be responsible for the authenticity of the filing materials.
Question 3: What are the applicable situations for providing personal information to countries outside the People's Republic of China through personal information exit certification?
The "Measures" clearly state that personal data processors providing personal information to countries outside the People's Republic of China through personal information exit certification must simultaneously meet the following conditions: they are non-operators of critical information infrastructure; since January 1 of the current year, they have provided personal information to countries outside the People's Republic of China to more than 100,000 but less than one million individuals, excluding sensitive personal information, or to less than 10,000 individuals of sensitive personal information; the personal information provided to countries outside the People's Republic of China does not include important data. It is also specified that personal data processors must not use methods such as splitting quantities to provide personal data that should undergo outbound security assessment through personal information exit certification to countries outside the People's Republic of China.
Question 4: What obligations must personal data processors fulfill before applying for certification to provide personal information to countries outside the People's Republic of China?
In order to implement the requirements stipulated in the "Personal Information Protection Law" and the "Regulations on the Management of Network Data Security", the "Measures" detail the obligations that personal data processors must fulfill before applying for certification to provide personal information to countries outside the People's Republic of China. It is stipulated that they must fulfill obligations in accordance with the law, including informing, obtaining individual consent, conducting personal information protection impact assessments, etc. The impact assessment focuses on assessing the legality, legitimacy, and necessity of the purposes, scope, and methods of personal information processing by the personal data processors and the overseas recipients, the risks of the outbound personal information to national security, public interests, and individual information rights, the abilities of the overseas recipients to safeguard the security of the outbound personal information, the risks of modification, destruction, leakage, loss, unlawful use, etc. after the personal information is transferred outbound, the impact of the personal information protection policies and regulations of the overseas recipients' countries or regions on the security of outbound personal information, and other matters that may affect the security of outbound personal information.
Question 5: What requirements does the "Measures" set for professional certification bodies?
The "Measures" set the following requirements for professional certification bodies: they must conduct personal information exit certification activities in accordance with the certification basic norms and personal information protection certification rules. If the certification requirements are met, professional certification bodies must issue certification certificates promptly. Professional certification bodies should report relevant information about personal information exit certification certificates to the National Certification and Accreditation Information Public Service Platform within five working days after issuing the certification certificate or when the status of the certification certificate changes. If a professional certification body discovers that a certified personal data processor no longer meets the certification requirements due to inconsistencies between the personal information exit situation and the certification scope, they should suspend its use until the relevant certification certificate is revoked. If a professional certification body finds that the personal information exit activities violate laws, regulations, or relevant provisions of the state, they should promptly report to the Cyberspace Administration of China and other relevant departments. Professional certification bodies should file with the Cyberspace Administration of China within ten working days from the date of obtaining the qualification for personal information protection certification approved by the State Market Regulatory Administration, and they must be responsible for the authenticity of the filing materials. They must also keep personal privacy, personal information, trade secrets, and confidential business information confidential when performing their duties.
Question 6: How does the "Measures" supervise and manage professional certification bodies and certified personal data processors?
The "Measures" provide the following regulations for the supervision and management of professional certification bodies and certified personal data processors: The State Market Regulatory Administration and the Cyberspace Administration of China shall supervise personal information exit certification activities, conduct regular or irregular inspections, spot checks on the certification process and results, and spot checks and evaluations of professional certification bodies. Provincial-level and above Cyberspace Administration and relevant departments that find a certified personal data processor engaging in personal information exit activities at risk or experiencing personal information security incidents can conduct interviews with the certified personal data processor in accordance with the law. Any organization or individual that finds a certified personal data processor violating the provisions of the "Measures" by providing personal information to countries outside the People's Republic of China can lodge a complaint or report to professional certification bodies, the Cyberspace Administration of China, and other relevant departments. For violations of the "Measures", the relevant laws and regulations such as the "Personal Information Protection Law", the "Regulations on the Management of Network Data Security", the "Certification and Accreditation Regulations", etc., shall apply; if constituting a crime, criminal responsibility shall be pursued in accordance with the law.
Question 7: How is China's system for cross-border data flow designed?
The "Network Security Law", "Data Security Law", "Personal Information Protection Law", and "Regulations on the Management of Network Data Security" provide basic provisions on cross-border data flow. According to these laws, personal data processors who, due to business needs or other reasons, must provide personal information to countries outside the People's Republic of China, must meet one of the following conditions: (1) undergo a security evaluation organized by the Cyberspace Administration of China; (2) obtain personal information protection certification through a professional organization designated by the Cyberspace Administration of China; (3) enter into a standardized contract with the overseas recipients according to the standards developed by the Cyberspace Administration of China, specifying the rights and obligations of both parties; (4) other conditions stipulated by laws, regulations, or the Cyberspace Administration of China. The Cyberspace Administration of China has successively issued the "Data Outbound Security Assessment Measures", "Personal Information Outbound Standard Contract Measures", and "Regulations on the Promotion and Regulation of Data Cross-Border Flow", which clarify the implementation paths of the management systems for data outbound security assessment, personal information outbound standard contracts, and establish a negative list system for data outbound in the Free Trade Zone. The issuance of the "Measures" clarifies the specific implementation path for providing personal information to countries outside the People's Republic of China through certification, marking the comprehensive implementation of the outbound system design specified in the "Personal Information Protection Law", including data outbound security assessment, personal information protection certification, personal information outbound standard contracts, etc., and marks the full establishment of China's system for cross-border data flow.
This article is selected from the "Net Information China" WeChat public account, edited by GMTEight: Chen Xiaoyi.