Privacy & Information Security Law Blog

On Oct 14, 2025, the Cyberspace Administration of China and the State Administration for Market Regulation issued Measures for the Certification for Outbound Cross-Border Transfer of Personal Information (“the Measures”), effective Jan 1, 2026.

There are four mechanisms for cross-border transfers of personal information under Chinese laws, namely: (1) a security assessment; (2) the filing of the standard contract for cross-border transfer (“SC”); (3) a personal information protection certification; and (4) exempted scenarios.

Under the Measures, if the data handler meets the following conditions, it is eligible to rely on either an SC filing or a personal information protection certification for cross-border transfer of personal information:

• the data handler is not a critical information infrastructure operator;
• the transfer is of personal information (excluding sensitive personal information) of more than 100,000 but fewer than 1 million individuals, or of sensitive personal information of fewer than 10,000 individuals; and
• the transfer only includes non-important data.

If a data handler decides to rely on certification, it may also refer to these two guidelines for more details: Cybersecurity Standard Practice Guide—Security Certification Specification for Cross-Border Processing of Personal Information (V2.0) (TC260-PG-20222A)( 关键信息安全标准使用指南), and Data Security Technology - Security Certification Requirements for Cross-border Processing Activities of Personal Information (GB/T 46068—2025) (国家标准|GB/T 46068-2025).  

The certification is valid for three years. The applicant may re-apply for certification for continual use of such certification six months before its expiration