
Overview & Analysis

The Measures for the Certification of Cross-Border Personal Information Transfers establish one of three compliance pathways under China's personal information export framework, alongside the security assessment and the standard contract, allowing a qualifying personal information processor to provide personal information overseas after obtaining certification from an accredited professional certification body. The Measures apply to non-CII operators within a mid-range volume band, counted cumulatively from January 1 of the current year: 100,000 or more but fewer than 1,000,000 individuals' non-sensitive personal information, or fewer than 10,000 individuals' sensitive personal information (the Chinese "以上" in Article 5 includes the lower figure). Important data is explicitly excluded from this pathway. Processors must give notice, obtain separate individual consent, and conduct a personal information protection impact assessment before applying. Certificates are valid for three years; a processor that needs continued coverage must apply again six months before expiry.

The Measures matter for AI development wherever a project moves personal information across the border: training and inference pipelines, evaluation sets, and shared analytics often depend on data exchanged between jurisdictions. For a non-CII processor whose cumulative annual volume falls within the Article 5 band, certification offers a route that does not require the government-led security assessment, at the cost of a conformity assessment by an accredited body, a prior impact assessment, and ongoing supervision by the certification body. The Measures also make clear that a processor cannot escape a mandatory security assessment by splitting volumes so that each part appears to fall within the certification band (Article 5, last paragraph).

Three Cross-Border PI Transfer Pathways — At a Glance

These Measures govern the certification pathway only. Understanding where it sits relative to the other two pathways is essential for route selection in AI projects. All volume thresholds below are cumulative counts of distinct individuals since January 1 of the current year, assessed on the processor's total across all streams.

Security Assessment
  When: CII operators; any important data; or non-CII processors at or above the upper volume thresholds.
  Thresholds: 1,000,000 or more individuals' non-sensitive PI; or 10,000 or more individuals' sensitive PI; or any important data; or any CII operator.

Certification (this document)
  When: non-CII operators within the mid-range band; no important data.
  Thresholds: 100,000 or more but fewer than 1,000,000 individuals' non-sensitive PI; or fewer than 10,000 individuals' sensitive PI (Article 5).

Standard Contract
  When: non-CII operators in the same mid-range band as certification; it is the alternative to certification, not a lower tier.
  Thresholds: the same band as certification, under the 2024 Provisions on Promoting and Regulating Cross-Border Data Flows. Under those Provisions, a non-CII processor transferring fewer than 100,000 individuals' non-sensitive PI, with no sensitive PI, is exempt from all three pathways.

Relevant AI Scenarios

In AI applications, scenarios involving cross-border data transfers are the most relevant, especially when AI projects rely on global data sharing for model training, inference, business optimization, and so on. Any AI project that provides personal information overseas and meets the Article 5 conditions may use the certification pathway; a project that does not meet them (a CII operator, important data, or volumes at or above the upper thresholds) must go through the security assessment instead.

1. Global AI Model Training and Inference

AI systems require large amounts of data for training and inference, and in multinational teams that data often crosses borders. If the data includes personal information and the processor's cumulative annual volume falls within the Article 5 band, certification is available: the processor obtains the certificate before transferring and keeps the processing within the certified scope, under China's personal information protection standards. Compared with the security assessment, certification is a conformity assessment by an accredited body rather than a government review, which suits AI teams operating at mid-range data volumes.

2. Using Overseas Cloud Services and Cross-Border Technology Platforms

When AI projects use overseas cloud computing resources or technology platforms, personal or sensitive information involved must follow an approved cross-border transfer pathway. The certification route provides a clear compliance path for multinationals using global cloud platforms, ensuring secure and lawful data transfers while avoiding the heavier burden of full security assessment where thresholds permit.

3. Sharing Customer Data in Cross-Border Business Operations

Cross-border AI applications — particularly in multinational marketing, customer service, and data analytics scenarios — inevitably involve cross-border customer data transfers. For data volumes within the certification thresholds, this pathway allows organizations to ensure that personal information is protected during transfer through a professionally certified conformity assessment rather than a government-led security review.

4. Cross-Border HR Management and Employee Data

Multinational companies often rely on AI for human resources management, which involves transferring employee data across borders. Companies need to assess whether employee personal information (including sensitive categories such as health data, biometrics, or financial account information) falls within the certification threshold or triggers higher-level security assessment requirements, and design their HR data architecture accordingly.

5. International R&D Collaborations and AI Data Sharing

Cross-border collaborations and joint R&D projects involving AI technologies typically require sharing sensitive data and technologies. The certification route allows companies to ensure that data shared with international partners complies with security requirements, safeguarding compliance with China's data protection laws while maintaining the flexibility needed for international research partnerships — provided data volumes stay within the prescribed thresholds.


Practical Advice for Managers at Multinational Companies

For multinational companies, these Measures turn mid-range cross-border personal information flows into a manageable operational process: a professional certification with defined prerequisites and ongoing obligations, rather than a government security assessment. For AI project managers, the policy makes the compliance requirements for cross-border transfer concrete, especially where personal and sensitive data are involved.

01

Map Your Data Volumes to the Right Pathway Before Project Design

The three pathways are triggered by the cumulative annual volume of distinct individuals, by data type (non-sensitive PI, sensitive PI, important data), and by whether the processor is a CII operator. Before selecting a pathway, map every personal information flow that will cross the border in the calendar year and total them per processor, not per project: Article 5 counts cumulatively from January 1 and forbids splitting volumes to fit the certification band. The certification pathway covers the mid-range band, with the standard contract as the alternative in that band. Different project streams may still end up on different pathways (a stream carrying important data must go through security assessment regardless of volume), but the volume thresholds are always assessed on the processor's cumulative total.

02

Complete Pre-Application Obligations Before Seeking Certification

Before applying for certification, processors must fulfil the obligations Article 6 lists: notice to individuals, separate consent for the specific transfer, and a personal information protection impact assessment (PIPIA). The PIPIA must focus on the legality and necessity of the processing by both the processor and the overseas recipient, the scale and sensitivity of the data and the risks to national security, public interests and individual rights, the overseas recipient's obligations and security capabilities, the risk of tampering, leakage, loss or illegal use after transfer and whether individuals can still exercise their rights, and the effect of the recipient jurisdiction's legal framework. Do not treat these as post-certification items; they must be completed first.

03

Build a Data Flow Monitoring and Record-Keeping System

Establish monitoring and recording systems for all cross-border data transfers, covering the destination, data type, volume, purpose, and security measures for each transfer. Certification does not eliminate ongoing obligations: if the certified processor's outbound activities become inconsistent with the certification scope or no longer meet the certification requirements, the certification body must suspend the processor's use of the certificate, up to and including revocation (Article 10), and the suspension is published on the National Certification and Accreditation Information Public Service Platform. Real-time awareness of actual transfer volumes, counted as distinct individuals since January 1, against both the declared certification scope and the Article 5 thresholds is essential to avoid triggering suspension or an unplanned security assessment.
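The following Python register is an added example that serves both item 01 (mapping volumes to a pathway) and item 03 (monitoring actual volumes against the certified scope); it is not part of the Measures, the page, or any regulator's tooling. It keeps the cumulative per-calendar-year counts of distinct individuals that Article 5 is measured against, totals every stream of a processor into one tally so that splitting cannot lower the band, reports the remaining headroom before a security assessment becomes mandatory, and flags transfers outside the certified scope (Article 10). The record layout, the modelling of certification scope as (stream, destination) pairs, the literal reading of the "or" in Article 5(2), and the sample data are all this example's own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum

# Thresholds from Article 5(2) of the Measures (cumulative since 1 January).
NON_SENSITIVE_LOWER = 100_000    # 100,000 or more non-sensitive PI subjects ...
NON_SENSITIVE_UPPER = 1_000_000  # ... but fewer than 1,000,000
SENSITIVE_UPPER = 10_000         # fewer than 10,000 sensitive PI subjects


class Band(Enum):
    """Where a processor's cumulative calendar-year volume sits relative to Article 5."""
    ABOVE = "above the Article 5 band: security assessment required"
    WITHIN = "within the Article 5 band: certification available"
    BELOW = "below the Article 5 band: these Measures do not apply"


@dataclass(frozen=True)
class Transfer:
    """One outbound record in the register. The field layout is this example's assumption."""
    processor: str       # legal entity providing the data overseas
    stream: str          # project or business stream, e.g. "hr-sync"
    destination: str     # overseas recipient, e.g. "sg-hr-platform"
    when: date           # date of the transfer
    subject_id: str      # pseudonymous identifier of the individual
    sensitive: bool      # sensitive personal information under the PIPL
    important_data: bool = False


@dataclass
class YearlyTally:
    """Distinct individuals counted since 1 January, aggregated across all streams."""
    non_sensitive: set[str] = field(default_factory=set)
    sensitive: set[str] = field(default_factory=set)
    important_data: bool = False


def tally_year(transfers: list[Transfer], processor: str, year: int) -> YearlyTally:
    """Article 5(2) counts cumulatively from 1 January per processor, so every stream
    of the same processor feeds one tally. Splitting a flow across streams therefore
    cannot move it into a lower band (Article 5, last paragraph)."""
    t = YearlyTally()
    for r in transfers:
        if r.processor != processor or r.when.year != year:
            continue
        t.important_data = t.important_data or r.important_data
        # Distinct individuals per category. Someone whose sensitive and non-sensitive
        # data were both sent appears in both sets (this example's reading of the
        # "excluding sensitive personal information" wording).
        (t.sensitive if r.sensitive else t.non_sensitive).add(r.subject_id)
    return t


def band(t: YearlyTally, cii_operator: bool) -> Band:
    """Map a tally to the Article 5 band. CII operators and important data never qualify."""
    if cii_operator or t.important_data:
        return Band.ABOVE
    n, s = len(t.non_sensitive), len(t.sensitive)
    if n >= NON_SENSITIVE_UPPER or s >= SENSITIVE_UPPER:
        return Band.ABOVE
    # The "or" in Article 5(2) is read literally: any sensitive PI below the cap places
    # the processor in the band even if the non-sensitive count is small (assumption).
    if n >= NON_SENSITIVE_LOWER or s > 0:
        return Band.WITHIN
    return Band.BELOW


def headroom(t: YearlyTally) -> dict[str, int]:
    """Distinct individuals that can still be added this year before the band is left."""
    return {"non_sensitive": max(0, NON_SENSITIVE_UPPER - len(t.non_sensitive)),
            "sensitive": max(0, SENSITIVE_UPPER - len(t.sensitive))}


def out_of_scope(transfers: list[Transfer], processor: str, year: int,
                 allowed: set[tuple[str, str]]) -> list[Transfer]:
    """Article 10: activity inconsistent with the certified scope leads to suspension.
    Scope is modelled here, as an assumption, as the (stream, destination) pairs the
    certificate covers; anything else is returned for review."""
    return [r for r in transfers
            if r.processor == processor and r.when.year == year
            and (r.stream, r.destination) not in allowed]


# Constructed sample register (not real data): one processor, two certified streams,
# a record from the previous calendar year, and one transfer through an uncertified stream.
SAMPLE: list[Transfer] = (
    [Transfer("acme-cn", "hr-sync", "sg-hr-platform", date(2026, 2, 3), f"emp-{i}", True)
     for i in range(120)]
    + [Transfer("acme-cn", "crm-export", "us-analytics", date(2026, 3, 9), f"cust-{i}", False)
       for i in range(1_200)]
    + [Transfer("acme-cn", "crm-export", "us-analytics", date(2025, 12, 30), "cust-old", False),
       Transfer("acme-cn", "model-eval", "eu-lab", date(2026, 4, 1), "cust-7", False)]
)
ALLOWED = {("hr-sync", "sg-hr-platform"), ("crm-export", "us-analytics")}


def report(transfers: list[Transfer], processor: str, year: int,
           cii_operator: bool, allowed: set[tuple[str, str]]) -> dict:
    """Single compliance snapshot for one processor and calendar year."""
    t = tally_year(transfers, processor, year)
    return {"band": band(t, cii_operator).name,
            "non_sensitive": len(t.non_sensitive), "sensitive": len(t.sensitive),
            "headroom": headroom(t),
            "out_of_scope": [(r.stream, r.destination)
                             for r in out_of_scope(transfers, processor, year, allowed)]}


if __name__ == "__main__":
    print(report(SAMPLE, "acme-cn", 2026, cii_operator=False, allowed=ALLOWED))
```

Two points the sample data is built to show: the 1,200 customers alone would leave the processor below the band, but the 120 employees' sensitive PI places it within it, so the sensitive count is what determines the pathway here; and the repeated transfer of "cust-7" through the uncertified "model-eval" stream does not change the distinct-individual count but is flagged as outside the certified scope.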

04

Design Flexible Compliance Pathways Based on Data Type and Sensitivity

Do not treat all cross-border data flows the same. Data that contains no personal information and no important data sits outside all three pathways. For personal information, the standard contract and certification are the two options open to non-CII operators in the mid-range band; the security assessment is mandatory for CII operators, for any important data, and for cumulative volumes of 1,000,000 or more individuals' non-sensitive PI or 10,000 or more individuals' sensitive PI. Companies should design compliance paths based on data nature, scale, and sensitivity, and review the classification whenever AI project scope expands, because a cumulative count that crosses a threshold mid-year changes the required pathway.

05

Strengthen Compliance Review with Overseas Recipients and Vendors

The PIPIA specifically requires assessment of the overseas recipient's obligations, management and technical security measures, and capabilities to protect the transferred data. For multinational companies, this means vendor due diligence for cloud services, technology platforms, external data processors, and model providers must address their ability to meet Chinese personal information protection standards. Include binding compliance clauses in all cross-border data transfer agreements and ensure recipients understand and can support China certification requirements.

These Measures offer a streamlined compliance framework for mid-range cross-border personal information flows. By completing the required pre-application steps, selecting the right certification body, conducting rigorous impact assessments, and maintaining ongoing monitoring, multinational companies can effectively reduce legal risks and build sustainable cross-border data pipelines for AI projects in China — while preserving the flexibility needed for global operations.


Complete Regulatory Text

Promulgated October 14, 2025 · Effective January 1, 2026 · Order No. 20  ·  Source: Cyberspace Administration of China

Jointly issued by: Cyberspace Administration of China (CAC) · State Administration for Market Regulation (SAMR)
Articles 1–4  —  Purpose, Scope, Definitions & Standards
Article 1 — Purpose and Legal Basis
In order to protect personal information rights and interests, regulate certification activities for cross-border personal information transfers, and promote the efficient and secure cross-border flow of personal information, these Measures are formulated in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management, the Regulations on Certification and Accreditation of the People's Republic of China, and other relevant laws and regulations.
Article 2 — Scope of Application
These Measures shall apply where personal information processors provide personal information outside the territory of the People's Republic of China through personal information protection certification.
Article 3 — Definition of Certification
"Certification of cross-border personal information transfers" refers to conformity assessment activities whereby a professional certification body that has lawfully obtained qualifications for personal information protection certification certifies that personal information processing activities — such as providing personal information outside the territory of the People's Republic of China — comply with relevant laws, administrative regulations, departmental rules, standards, and technical specifications, in accordance with Article 38(1)(2) of the Personal Information Protection Law of the People's Republic of China.
Article 4 — Standards and Certification Rules
The national cyberspace administration, together with the national data administration and other relevant departments, shall formulate standards and technical specifications related to certification for cross-border personal information transfers. The state market supervision and administration department, together with the national cyberspace administration, shall formulate certification rules for personal information protection, as well as unified certification certificates and marks.
Articles 5–7  —  Eligibility, Pre-Application Obligations & Application
Article 5 — Eligibility Conditions for the Certification Pathway
Where a personal information processor provides personal information overseas through certification, it shall simultaneously meet the following conditions:

(1) It is not a critical information infrastructure operator;

(2) Since January 1 of the current year, it has cumulatively provided overseas: 100,000 or more but fewer than 1,000,000 individuals' personal information (excluding sensitive personal information); or fewer than 10,000 individuals' sensitive personal information.

The personal information provided overseas as referred to in the preceding paragraph does not include important data.

Where laws, administrative regulations, or provisions of the national cyberspace administration provide otherwise, such provisions shall prevail.

Personal information processors shall not adopt methods such as splitting quantities to provide personal information overseas through certification where they are legally required to undergo a security assessment for outbound data transfers.
Article 6 — Pre-Application Obligations and Impact Assessment
Before applying for certification to provide personal information overseas, a personal information processor shall fulfill obligations such as providing notice, obtaining separate consent from individuals, and conducting a personal information protection impact assessment in accordance with laws and administrative regulations. The impact assessment shall focus on the following:

(1) The legality, legitimacy, and necessity of the purpose, scope, and method of personal information processing by the personal information processor and the overseas recipient;

(2) The scale, scope, type, and sensitivity of the personal information to be transferred overseas, and the risks such transfer may pose to national security, public interests, and personal information rights and interests;

(3) Whether the obligations undertaken by the overseas recipient, as well as its management and technical measures and capabilities, can ensure the security of the personal information transferred overseas;

(4) The risks of tampering, destruction, leakage, loss, or illegal use of personal information after it is transferred overseas, and whether channels for safeguarding personal information rights are smooth;

(5) The impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the security of outbound personal information and on personal information rights and interests;

(6) Other matters that may affect the security of outbound personal information.
Article 7 — Application Procedure
Where a personal information processor provides personal information overseas through certification, it shall apply to a professional certification body for certification of cross-border personal information transfers.

Where a personal information processor located outside the territory of the People's Republic of China applies for certification, the application shall be assisted by its dedicated institution established within China or its designated representative.
Articles 8–11  —  Certification Process & Certificate Management
Article 8 — Certification Process and Certificate Validity
Professional certification bodies shall carry out certification activities in accordance with basic certification specifications and personal information protection certification rules. Where certification requirements are met, the certification body shall promptly issue a certification certificate.

The validity period of a certification certificate shall be three years. Where continued use is required upon expiration, the personal information processor shall apply for certification six months before the expiration of the validity period.
Article 9 — Certificate Information Submission and Sharing
Within five working days after issuing a certification certificate or upon any change in the status of the certificate, the professional certification body shall submit relevant certification information to the National Certification and Accreditation Information Public Service Platform, including the certificate number, the name of the certified personal information processor, the scope of certification, and changes in certificate status.

The state market supervision and administration department and the national cyberspace administration shall establish a mechanism for sharing certification information.
Article 10 — Suspension and Revocation of Certificates
Where a professional certification body finds that a certified personal information processor's outbound personal information activities are inconsistent with the scope of certification or otherwise no longer meet the certification requirements, it shall suspend the processor's use of the certificate, up to and including revocation of the certificate.

Where the national cyberspace administration or relevant departments discover such circumstances in the course of personal information protection supervision, the certification body shall cooperate in suspending use until revocation.

The circumstances described in the preceding two paragraphs shall be publicly disclosed through the National Certification and Accreditation Information Public Service Platform.
Article 11 — Reporting Violations
Where a professional certification body discovers during certification activities that outbound personal information activities violate laws, administrative regulations, or relevant national provisions, it shall promptly report to the national cyberspace administration and relevant departments.
Articles 12–13  —  Certification Body Filing & Supervision
Article 12 — Certification Body Filing Requirements
A professional certification body conducting certification of cross-border personal information transfers shall, within 10 working days from obtaining certification qualifications in the field of personal information protection approved by the state market supervision and administration department, complete filing procedures with the national cyberspace administration. The following materials shall be submitted for filing:

(1) Certification qualifications obtained in the field of personal information protection;
(2) Professional work experience in data security and personal information protection over the past three years;
(3) Security background check materials for certification personnel;
(4) Implementation rules and work plans for personal information protection certification;
(5) Mechanisms for preventing personal information security risks;
(6) Ongoing supervision mechanisms to ensure that certified personal information processors' outbound activities comply with certification standards;
(7) Complaint handling and dispute resolution mechanisms;
(8) Other required materials.

The certification body shall be responsible for the authenticity of the filed materials.

After receiving the filing materials, the national cyberspace administration shall, together with the national data administration, review the materials. Where materials are complete, filing shall be completed within 30 working days and publicly disclosed; where incomplete, filing shall not be accepted, and the certification body shall be notified within 30 working days with reasons provided.
Article 13 — Oversight of Certification Activities
The state market supervision and administration department and the national cyberspace administration shall supervise certification activities for cross-border personal information transfers, conduct periodic or ad hoc inspections, carry out spot checks on certification processes and results, and evaluate certification bodies.
Articles 14–19  —  Confidentiality, Complaints, Liability & Effective Date
Article 14 — Confidentiality Obligations
State authorities, professional certification bodies, and other institutions engaged in certification activities, as well as their staff, shall keep confidential any personal privacy, personal information, trade secrets, or confidential business information obtained during the performance of their duties, and shall not disclose or illegally provide or use such information.
Article 15 — Public Complaints and Reports
Any organization or individual discovering that a certified personal information processor has violated these Measures by providing personal information overseas may file complaints or reports with certification bodies, cyberspace administrations, or relevant departments.
Article 16 — Supervisory Interviews
Where cyberspace administrations at or above the provincial level or relevant departments discover that certified personal information processors' outbound activities involve significant risks or that personal information security incidents have occurred, they may, in accordance with the law, summon the processors for interviews. The processors shall rectify issues as required and eliminate risks.
Article 17 — Legal Liability
Violations of these Measures shall be handled in accordance with the Personal Information Protection Law of the People's Republic of China, the Regulation on Network Data Security Management, the Regulations on Certification and Accreditation of the People's Republic of China, and other relevant laws and regulations; where a crime is constituted, criminal liability shall be pursued in accordance with the law.
Article 18 — Superseding Provisions
Where provisions on certification of cross-border personal information transfers formulated prior to the implementation of these Measures are inconsistent with these Measures, these Measures shall prevail.
Article 19 — Effective Date
These Measures shall come into force on January 1, 2026.
