China’s Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) have released the Measures for the Certification of Outbound Transfer of Personal Information, creating a clearer “certification” pathway for certain cross-border personal information transfers. The Measures take effect on 1 January 2026.
In practical terms, this adds another operational option to China’s outbound data transfer toolkit under the Personal Information Protection Law (PIPL), alongside security assessments and standard contract filings. For organizations that routinely share personal information with overseas affiliates, vendors, or service centers, certification may become a more repeatable compliance mechanism—provided the scenario fits the scope.
Key points to note:
- Scope and thresholds: The Measures target transfers that fall within specific annual volume thresholds (counted from 1 January each year), including large-scale transfers of ordinary personal information and smaller-scale transfers of sensitive personal information. The text also emphasizes that “important data” is not covered by this certification route.
- Who should not rely on certification: The Measures indicate that Critical Information Infrastructure Operators (CIIOs) are not within this certification pathway, and the framework reinforces that organizations should not “split” transfers to avoid a required security assessment.
- Compliance prerequisites remain: Processors are still expected to complete baseline obligations such as clear notices, separate consent where required, and a Personal Information Protection Impact Assessment (PIPIA) that evaluates necessity, risks, overseas recipient safeguards, and related compliance factors.
- How certification works: Applications are handled by qualified certification bodies. Certificates are valid for three years, and renewals should be initiated in advance (the Measures reference a six-month window). Certification bodies must also disclose issuance and status changes via a national public information platform and can suspend or revoke certifications if conditions are no longer met.
What to watch next:
Implementation details will depend on supporting standards, technical specifications, and the roster of accredited certification bodies, which will shape timelines and practical requirements for applicants.
