China issues Measures for the Certification of the Cross-Border Transfer of Personal Information
On 14 October 2025, the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation of the People’s Republic of China (PRC) jointly released the Measures for the Certification of Cross-Border Transfer of Personal Information (Certification Measures), which will take effect on 1 January 2026.
Compliance channels for cross-border transfers of personal information
Pursuant to Article 38 of the PRC Personal Information Protection Law (PIPL) and Article 7 and Article 8 of the Provisions on Promoting and Regulating the Cross-border Data Transfer (Promoting CBDT Provisions), cross-border transfers of personal information must use one of the following channels:
- Security assessment: for cross-border transfers of personal information and important data by critical information infrastructure operators (CIIOs), and for non-CIIO data handlers exporting important data, or, within one calendar year, transferring 1 million or more individuals’ personal information (excluding sensitive personal information) or 10,000 or more individuals’ sensitive personal information abroad.
- Certification of personal information protection: for non-CIIO data handlers exporting 100,000 or more but fewer than 1 million individuals’ personal information (excluding sensitive personal information), or fewer than 10,000 individuals’ sensitive personal information within one calendar year.
- Standard contract with the overseas recipient: same as the above certification of personal information protection channel.
Under this structure, certification and the standard contract operate as alternative channels for mid-tier cross-border transfers of personal information while the security assessment remains the mandatory route for larger-scale or high-risk transfers.
Following the Measures on the Standard Contract for Cross-Border Transfer of Personal Information effective 1 June 2023 (Standard Contract Measures), the Certification Measures complete the framework for compliance requirements on the middle-tier pathway.
Key requirements under the Certification Measures
The Certification Measures generally align with the requirements set out in the PIPL and the Promoting CBDT Provisions and emphasise the following requirements:
- Scope and thresholds: The Certification Measures mirror the requirements under Article 8 of the Promoting CBDT Provisions and apply only to non‑CIIO data handlers exporting personal information within the above numerical range. In addition, as under the Standard Contract Measures, the Certification Measures strictly prohibit circumventing the security assessment requirements by artificially splitting data volumes.
- Notification and obtaining separate consent: The Certification Measures reiterate the requirements on notifying data subjects of relevant information about the overseas recipient and processing activities and obtaining separate consent for the cross-border transfer of personal information in accordance with the PIPL.
- Personal information protection impact assessment (PIA): In addition to the requirements under Article 56 of the PIPL, the Certification Measures further highlight key factors to be assessed during PIA, including:
  - the legality, legitimacy and necessity of the purposes, scope and methods of personal information processing by the personal information handler and the overseas recipient;
  - the scale, scope, types and sensitivity of the personal information to be exported, and the risks that may arise to national security, public interests and personal rights and interests;
  - the overseas recipient’s obligations, and whether its management and technical measures, capabilities, etc. can ensure the security of the personal information transferred abroad;
  - risks of tampering, damage, leakage, loss or illegal use of personal information after export, and the effectiveness of channels for safeguarding personal information rights and interests;
  - the impact of the personal information protection laws and regulations of the overseas recipient’s country or region on the security of the transferred personal information and the related rights and interests;
  - other matters that may affect the security of cross‑border transfers of personal information.
- Certification process: Applications for certification must be submitted to a professional certification body. For data handlers outside the territory of the PRC, the application must be made with the assistance of their specialised institution established within the territory of the PRC or their designated representative. Upon review, the certification body will issue the certificate to those that meet the requirements. The certificate will be valid for three years, and the data handler may apply for certification renewal six months prior to the expiry date if continued use is required.
Options between certification and standard contract
Although certification and the standard contract provide parallel compliance options, certification may be more suitable in certain circumstances, such as those involving ongoing, repeated, or multi-scenario data flows by a specific data handler with multiple overseas recipients rather than a single, transaction-specific transfer, or where it is difficult to enter into appropriate standard contracts with a suitable contracting party overseas. In addition, because certification involves an external assessment carried out by professional bodies, it may be more helpful for enterprises seeking greater public recognition and trust in their data protection practices.
Summary
The Certification Measures mark another step in the refinement of China’s personal information regulatory regime. Together with the existing security assessment and standard contract channels, certification provides businesses with greater flexibility and clarity in selecting the appropriate compliance pathway for cross-border personal information transfers. Businesses are encouraged to assess their data flows, operational structures and long-term compliance needs in determining the mechanism that best suits their circumstances.
The original publication can be found here (Chinese only).
For more information on the Certification Measures and personal information regulations in China, contact your CMS client partner or the CMS experts who wrote this article.