China Finalizes Certification Route for Cross-Border Personal Data Transfers: New Measures Effective January 2026

Key Takeaway: China's new Measures for Personal Information Cross-Border Transfer Certification establish the third and final pathway for lawful cross-border data transfers under the PIPL, creating a balanced framework that provides flexibility for organizations transferring moderate volumes of personal data while maintaining strict oversight of higher-risk transfers.

On 14th October 2025, the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) jointly issued the Measures for Personal Information Cross-Border Transfer Certification (Order No. 20), which will take effect on 1st January 2026. These Measures establish the operational framework for the certification pathway under Article 38 of China's Personal Information Protection Law (PIPL), completing the country's three-tiered data export compliance regime. This development marks a significant milestone for multinational organizations conducting business in China, particularly those handling moderate volumes of personal data that fall below the thresholds requiring security assessments.

I. Background and Regulatory Context

China's data cross-border transfer framework has evolved through multiple legislative instruments since 2021. The PIPL, which came into force in November 2021, established three primary pathways for lawful cross-border personal data transfers: (1) security assessments conducted by the CAC; (2) professional certification by qualified institutions; and (3) standard contractual arrangements. While the CAC previously issued implementing rules for security assessments (2022) and standard contracts (2023), the certification pathway remained operationally undefined—until now.

The new Measures respond to calls from the business community for clearer, more proportionate compliance mechanisms for entities that transfer personal data internationally but do not meet the higher-risk thresholds triggering mandatory security assessments. The certification route is designed to balance data protection with facilitating legitimate cross-border data flows, particularly for non-critical information infrastructure operators (non-CIIOs) processing moderate data volumes.

II. Scope of Application

1. Eligible entities and volume thresholds

The certification pathway applies exclusively to non-critical information infrastructure operators that meet specific volume criteria. Data controllers may use certification if, since 1st January of the current year, they have cumulatively transferred overseas the personal information of:

  • 100,000 or more, but fewer than 1 million individuals' personal information (excluding sensitive personal information), OR
  • Fewer than 10,000 individuals' sensitive personal information

Critically, the Measures explicitly prohibit data transfers involving "important data"—a category defined under China's Data Security Law and related regulations to encompass data that, if tampered with, destroyed, leaked, or illegally obtained, may endanger national security, economic operations, social stability, or public health and safety. Organizations must carefully assess whether their datasets include important data, as such data requires security assessment rather than certification.

2. Anti-circumvention provisions

The Measures include an anti-avoidance rule prohibiting data controllers from artificially splitting transfer volumes to evade security assessment requirements. Data controllers that would otherwise be required to undergo security assessments (e.g., those transferring data of 1 million or more individuals) cannot use the certification pathway by fragmenting their data flows. This provision underscores Chinese regulators' intent to maintain strict oversight of higher-risk transfers.

III. Key Obligations Before Certification

1. Personal Information Protection Impact Assessment (PIPIA)

Before applying for certification, data controllers must conduct a comprehensive PIPIA. This assessment must rigorously evaluate six core areas:

  • Legality, legitimacy, and necessity of processing purposes, scope, and methods by both the data controller and foreign recipient
  • Scale, scope, type, and sensitivity of transferred personal information, and associated risks to national security, public interest, and individual rights
  • Foreign recipient's obligations and capabilities, including management and technical measures to safeguard data security
  • Risks of unauthorized alteration, destruction, leakage, loss, or misuse post-transfer, and effectiveness of rights protection channels
  • Foreign jurisdiction's data protection laws and policies, and their impact on transferred data and individuals' rights
  • Other security-related factors that may affect cross-border transfers

2. Individual consent and notification

In addition to the PIPIA, data controllers must notify affected data subjects and obtain their separate consent for the cross-border transfer, as mandated by PIPL Articles 13 and 39. Under the PIPL, consent must be voluntary, explicit and given on a fully informed basis, and "separate consent" means a consent specific to the cross-border transfer rather than one bundled into a general privacy notice or terms of service.

IV. Certification Process and Certificate Management

1. Application procedures

Data controllers must apply directly to professional certification institutions that have obtained personal information protection certification qualifications from SAMR and filed with CAC. Foreign data controllers lacking a physical presence in China must designate a Chinese representative or establish a specialized entity within China to facilitate the application process.

Certification institutions evaluate applications against certification standards and technical specifications jointly developed by CAC and the State Data Administration. Institutions must issue certificates promptly upon determining compliance and report certificate issuance to the National Certification and Accreditation Information Public Service Platform within 5 working days.

2. Certificate validity and renewal

Certification certificates remain valid for 3 years. Data controllers wishing to continue using the certification pathway after expiration must submit renewal applications at least 6 months prior to certificate expiry. This advance timeline allows adequate time for re-assessment and prevents compliance gaps.

3. Suspension and revocation

Certification institutions bear ongoing monitoring obligations and must suspend or revoke certificates if certified data controllers:

  • Transfer personal data in a manner inconsistent with the certified scope
  • Fail to maintain compliance with certification requirements
  • Violate applicable laws and regulations

CAC and relevant authorities may also require institutions to suspend or revoke certificates upon identifying non-compliance during supervisory activities. All suspensions and revocations must be publicly disclosed via the National Platform.

V. Obligations of Certification Institutions

The Measures impose substantial responsibilities on certification institutions to ensure the integrity of the certification regime:

  • Registration and filing: Institutions must file with CAC within 10 working days of obtaining certification qualifications from SAMR, submitting detailed documentation including qualification certificates, work experience in data security and personal information protection, personnel background checks, implementation guidelines, risk prevention mechanisms, and dispute resolution procedures.
  • Information reporting: Certificate-related information (certificate number, certified entity name, certification scope, and status changes) must be reported to the National Platform within 5 working days of issuance or status changes.
  • Violation reporting: Institutions discovering that certified entities' cross-border data activities violate laws or regulations must promptly report to CAC and relevant authorities.
  • Confidentiality obligations: Institutions and their personnel must maintain strict confidentiality regarding personal privacy, personal information, trade secrets, and confidential business information obtained during certification activities.

VI. Supervision and Enforcement

1. Regulatory oversight

CAC and SAMR jointly supervise certification activities through regular and ad hoc inspections, spot checks on certification processes and results, and evaluations of certification institutions. Provincial-level CAC offices may interview certified data controllers when cross-border activities present significant risks or security incidents occur, requiring immediate remediation.

2. Whistleblower mechanisms

The Measures establish formal channels for organizations and individuals to report suspected violations by certified data controllers to certification institutions, CAC, and other competent authorities. This multi-layered complaint system enhances accountability and public oversight.

3. Penalties

Violations of the Measures trigger penalties under the PIPL, Regulations on Network Data Security Management, and Regulations on Certification and Accreditation. Depending on severity, sanctions may include administrative fines, suspension or revocation of certificates, and—in cases constituting criminal offenses—criminal liability.

VII. Practical Implications for Multinational Organizations

1. Completing the compliance toolkit

The issuance of these Measures finalizes China's three-pathway framework for cross-border personal data transfers, giving organizations greater flexibility in selecting compliant mechanisms based on their specific circumstances:

  • Security Assessment: Mandatory for CIIOs, for any transfer of important data, and for non-CIIO data controllers that, since 1st January of the current year, have transferred the personal information (excluding sensitive personal information) of 1 million or more individuals or the sensitive personal information of 10,000 or more individuals
  • Certification (new Measures): Available to non-CIIOs that have transferred the non-sensitive personal information of 100,000 or more but fewer than 1 million individuals, or the sensitive personal information of fewer than 10,000 individuals, and no important data
  • Standard Contracts: Available under separate CAC rules for eligible transfers

2. Strategic considerations

Organizations should assess which pathway best suits their operational needs, considering factors such as:

  • Data volume and sensitivity: Certification provides a streamlined alternative for moderate-volume transfers but requires maintaining volumes within defined thresholds.
  • Important data classification: Organizations transferring important data cannot use certification and must undergo security assessment.
  • Timeline and administrative burden: Certification may offer faster processing compared to security assessments but requires engagement with qualified certification institutions and ongoing compliance monitoring.
  • Operational flexibility: Certificates valid for 3 years provide medium-term certainty, though renewal obligations necessitate periodic reassessment.

3. Preparing for implementation

With the 1st January 2026 effective date approaching, organizations should:

  1. Conduct data mapping exercises to identify personal data flows and determine applicable thresholds
  2. Perform preliminary PIPIAs to evaluate cross-border transfer risks and readiness
  3. Identify qualified certification institutions and initiate preliminary consultations
  4. Review and update data subject consent mechanisms to ensure compliance with separate consent requirements
  5. Establish internal monitoring systems to track data transfer volumes and prevent threshold breaches
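The volume-tracking step in item 5 is the one part of this checklist that lives in software rather than in policy. The following Python is an added illustration, not part of this update and not any regulator's or certification institution's tooling: it counts distinct individuals transferred since 1st January across the whole entity (so that fragmented flows are still aggregated, as the anti-circumvention rule requires), maps the cumulative position onto the bands in sections II and VII, and reports the remaining headroom before the cumulative count crosses into mandatory security assessment. The record schema, the pseudonymous subject identifiers and the sample records are constructed; the sensitive-data ceiling of 10,000 is taken from the upper bound of the certification band in section II; a record is treated as either sensitive or non-sensitive, which is a simplification; and the code deliberately does not model the standard-contract conditions or any exemption below the certification band, because this update does not set them out.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Thresholds as stated in sections II and VII (distinct individuals, counted
# cumulatively from 1 January of the current year).
ASSESSMENT_NON_SENSITIVE = 1_000_000   # >= this many individuals: security assessment
ASSESSMENT_SENSITIVE = 10_000          # certification band ends below 10,000 sensitive
CERTIFICATION_NON_SENSITIVE = 100_000  # certification band starts here


@dataclass(frozen=True)
class TransferRecord:
    """One outbound transfer event (constructed schema, not a CAC-defined format)."""
    transfer_date: date
    subject_id: str          # pseudonymous identifier of the data subject (assumed)
    sensitive: bool          # True if sensitive personal information was transferred
    important_data: bool     # True if the dataset has been classified as important data


def cumulative_counts(records: Iterable[TransferRecord], as_of: date):
    """Distinct individuals transferred from 1 January of as_of's year up to as_of.

    Counts are kept for the whole entity, not per project or per recipient, because
    splitting flows to stay under a threshold is prohibited (anti-circumvention rule).
    """
    start = date(as_of.year, 1, 1)
    non_sensitive: set = set()
    sensitive: set = set()
    important = False
    for r in records:
        if not (start <= r.transfer_date <= as_of):
            continue  # outside the current calendar year window
        (sensitive if r.sensitive else non_sensitive).add(r.subject_id)
        important = important or r.important_data
    return len(non_sensitive), len(sensitive), important


def pathway(is_ciio: bool, non_sensitive: int, sensitive: int, important: bool) -> str:
    """Map the cumulative position to the transfer mechanism described in the update."""
    if is_ciio or important:
        return "security_assessment"          # CIIOs and important data: assessment only
    if non_sensitive >= ASSESSMENT_NON_SENSITIVE or sensitive >= ASSESSMENT_SENSITIVE:
        return "security_assessment"          # above the certification ceiling
    if non_sensitive >= CERTIFICATION_NON_SENSITIVE or sensitive > 0:
        return "certification"                # inside the certification band
    # Below the band: this update does not say which rules apply; flag for legal review.
    return "below_certification_band"


def headroom(non_sensitive: int, sensitive: int) -> dict:
    """Distinct individuals that can still be transferred this year before the
    cumulative position crosses into mandatory security assessment."""
    return {
        "non_sensitive": max(0, ASSESSMENT_NON_SENSITIVE - non_sensitive),
        "sensitive": max(0, ASSESSMENT_SENSITIVE - sensitive),
    }


def classify(records: Iterable[TransferRecord], is_ciio: bool, as_of: date) -> dict:
    """Full position report for a monitoring dashboard or periodic compliance check."""
    ns, s, imp = cumulative_counts(records, as_of)
    return {
        "non_sensitive": ns,
        "sensitive": s,
        "important_data": imp,
        "pathway": pathway(is_ciio, ns, s, imp),
        "headroom": headroom(ns, s),
    }


# Constructed sample records for illustration only.
SAMPLE_RECORDS = [
    TransferRecord(date(2025, 12, 30), "u-001", False, False),  # prior year: not counted
    TransferRecord(date(2026, 1, 5),   "u-001", False, False),
    TransferRecord(date(2026, 1, 5),   "u-002", False, False),
    TransferRecord(date(2026, 2, 1),   "u-002", False, False),  # repeat individual: counted once
    TransferRecord(date(2026, 2, 14),  "u-003", True,  False),  # one sensitive record
]

if __name__ == "__main__":
    print(classify(SAMPLE_RECORDS, is_ciio=False, as_of=date(2026, 3, 1)))
```

Two design points matter in practice. First, the window resets on 1st January, so a dashboard built on this logic should show the count for the current year alongside the date on which the count will reset; a company close to the ceiling in December may drop back into the certification band in January, but a certificate issued for a given scope does not grow with the count. Second, the subject identifier must be stable across systems, otherwise the same individual exported by two business units is double-counted (overstating the position) or, with per-unit counting, split (understating it, which is exactly what the anti-circumvention rule targets).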

Disclaimer:

This regulatory update is provided for general information purposes only and should not be construed as legal or professional advice on any particular matter, nor create a Privacy Iuris-client relationship. Before you take any action that may have legal implications, please inquire with your contact at Privacy Iuris.

Contact Us:

info@privacyiuris.com