Cross-Border Data Transfers – New Draft Measures Clarify Personal Information Protection Certification

Written by Giulia Interesse. Reading time: 7 minutes

China’s new draft measures provide clarity on the certification process for personal information protection in cross-border data transfers (CBDT). Aimed at enhancing data governance, safeguarding privacy, and ensuring regulatory compliance, the draft measures outline eligibility criteria for applying the certification mechanism, specify the requirements, and detail the certification procedures.

On January 3, 2025, the Cyberspace Administration of China (CAC) issued a draft document titled Measures for the Certification of Personal Information Protection for Cross-Border Data Transfers (hereinafter, draft measures) for public consultation. The draft measures, comprising 20 detailed articles, outline a comprehensive framework for certifying the security and compliance of personal data transfers beyond China’s borders.

With the feedback deadline set for February 3, 2025, the draft measures represent a crucial step in China’s broader strategy to strengthen data governance, ensure cybersecurity, and address global concerns over the safety of cross-border information flows.

The draft measures serve as a crucial component of China’s broader data governance strategy, as the government aims to address the challenges associated with the cross-border flow of personal information while safeguarding individual privacy rights and ensuring data security.

The definition of “personal information protection certification” in CBDT

Article 3 of the draft measures defines “PI protection certification” in cross-border data transfers as the formal evaluation process carried out by bodies authorized by the State Administration for Market Regulation (SAMR).

These certification bodies are responsible for assessing the compliance of personal information processors with the requirements of secure cross-border data transfers. The certification ensures that processors—whether domestic or foreign—adhere to the stringent criteria set out in the regulations, thereby protecting individuals’ personal information while enabling international data exchanges. Certified entities must demonstrate their capacity to manage cross-border data transfers in compliance with the standards laid out by the CAC and SAMR.

The certification process not only verifies compliance but also serves as an assurance to the public and regulatory authorities that the certified processors meet the required data protection measures.

Moreover, the scope of “cross-border data transfers” encompasses several scenarios where personal information moves across national boundaries. These include:

  • Transfers from China to foreign entities: This refers to the situation where personal data collected in China is transferred to entities or organizations outside of the country. This includes a wide range of activities such as transferring customer data, employee data, or other types of personal information from China to foreign destinations for processing or storage.
  • Access by foreign entities to data stored in China: The draft measures also cover cases where foreign entities, based outside of China, are granted access to data stored within Chinese borders. This could involve situations where foreign entities remotely query, download, or otherwise interact with data that is physically housed in servers or data centers located in China.
  • Handling of data by foreign entities under PIPL: In line with the Personal Information Protection Law (PIPL), cross-border data transfers also include cases where foreign entities handle personal information of individuals located in China. This might occur if a foreign company processes data related to Chinese citizens, even if the data is stored outside of China. The measures extend the scope of the regulations to ensure that foreign processors comply with the data protection principles outlined for cross-border transfers.

Who can undergo a personal information protection certification for CBDT?

Not all companies are allowed to undergo a personal information protection certification for cross-border data transfer. Article 38 of the PIPL sets out the following routes by which a company can obtain clearance to transfer the PI of data subjects based in China overseas:

  1. Undergo a security review organized by the CAC, except where exempted by relevant laws and regulations.
  2. Undergo personal information protection certification by a professional institution in accordance with the regulations of the CAC.
  3. Sign a standard contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC.
  4. Meet other conditions set by the CAC or relevant laws and regulations.

Article 4 of the draft measures stipulates that domestic personal information processors wishing to transfer their data overseas by means of personal information protection certification must meet specific eligibility criteria. These include:

  • The company is not classified as a critical information infrastructure operator (CIIO);
  • The company has provided personal information of between 100,000 and one million people, or sensitive personal information of fewer than 10,000 people, to overseas parties since January 1 of the current year;
  • The personal information to be exported does not constitute important data.

These thresholds are designed to focus certification on entities with a significant role in handling personal data, ensuring that smaller or less impactful data processors are not burdened by the certification process. The thresholds are in line with those set in the Regulations to Promote and Standardize Cross-Border Data Flows.

Foreign entities are required to obtain certification before they can legally handle personal data of individuals within China. Two points apply:

  • The certification is achieved through a local representative or entity in China that acts as a liaison for compliance; and
  • Certification for foreign processors is mandatory for any data handling activity involving Chinese individuals, whether the data is processed within or outside China.

Certification process and requirements

Entities seeking certification must submit a comprehensive set of materials for evaluation. These materials will typically include:

  • Risk mitigation plans outlining how the processor intends to address any potential security threats.
  • Legal agreements that ensure the recipient of the data abroad will uphold the required data protection obligations.
  • Detailed compliance strategies that show how the processor will adhere to certification standards.

Certification bodies will assess applications based on several key factors:

  • Legitimacy, necessity, and reasonableness: Each data transfer must be evaluated for its purpose, necessity, and proportionality, ensuring that only essential data is transferred and that the transfer is necessary for the intended business purposes.
  • Evaluation of data protection laws: Certification bodies will assess the data protection laws and regulatory environment in the recipient country, ensuring that personal data will continue to be protected once it leaves China.
  • Legal agreements: The certification process requires clear and enforceable agreements that outline the data protection obligations of the receiving party, ensuring compliance with China’s legal standards.
  • Security measures: Certification bodies will evaluate technical and organizational measures in place to secure the data during transfer and processing, including encryption and access controls.

According to Article 10 and Article 13 of the draft measures, once certified, entities will be subject to ongoing monitoring by certification bodies. These bodies will perform periodic audits to ensure continued compliance with the certification standards and regulations. This process helps maintain a high level of security and accountability throughout the lifespan of cross-border data transfers.

Reporting, complaints, and government action

The draft measures establish clear channels for reporting violations and addressing data security concerns, ensuring that individuals and organizations can actively engage in the regulatory process. These provisions help ensure transparency and accountability in the certification process and across cross-border data transfers. The draft measures allow for public reporting of violations related to cross-border data transfers.

Organizations and individuals can report any breaches or non-compliance with data protection standards to local or higher-level authorities. This mechanism ensures that concerns are raised promptly, allowing regulators to take appropriate actions to mitigate risks or rectify breaches.

Moreover, in response to significant risks or data security incidents, authorities can intervene to safeguard personal data. This includes conducting interviews with certified entities suspected of non-compliance or high-risk activities. If necessary, authorities can mandate corrective actions, which may include remediation plans or temporary suspensions of data transfer activities until compliance is restored. These procedures ensure that potential risks to data security are addressed swiftly and effectively.

Confidentiality obligations, international cooperation, and legal penalties

The draft measures also emphasize the importance of confidentiality, encourage international collaboration, and outline penalties for non-compliance, ensuring a comprehensive approach to data protection.

  • Confidentiality obligations: Certification bodies and their personnel are required to uphold strict confidentiality obligations. They must protect sensitive personal data and trade secrets from unauthorized disclosure or misuse. These obligations extend not only to the certified entities but also to those involved in the certification process, reinforcing trust and security throughout the system.
  • International cooperation: The draft measures highlight the importance of global collaboration in data protection. The document encourages mutual recognition of certification standards between China and other countries, facilitating smoother international data flows. By aligning with international data protection practices, China seeks to enhance cooperation with foreign regulators and businesses, ensuring data security across borders while promoting global trade and communication.
  • Penalties and legal liability: The draft measures outline administrative penalties for entities that violate the regulations, ensuring that non-compliance is met with appropriate consequences. These penalties could include fines, suspension of certification, or other sanctions depending on the severity of the breach. In extreme cases, where violations result in significant harm, criminal liability may be pursued. This creates a strong deterrent against non-compliance and ensures that entities take their data protection responsibilities seriously.

Implications for businesses

The certification-related measures outlined in the draft measures are a critical step towards strengthening data security and building trust in cross-border data flows. For businesses, these regulations present both opportunities and challenges.

  • Compliance costs and administrative burdens: Businesses, especially those handling large volumes of personal data or engaging in international data transfers, will need to invest in compliance strategies. This may include developing risk mitigation plans, entering into legal agreements, and implementing technical measures to secure data. While the certification process offers a clear path to legal compliance, it also represents an additional cost and administrative burden.
  • Market access and trust: Obtaining certification offers businesses a competitive advantage in the global market by demonstrating their commitment to robust data protection practices. Companies that comply with these standards may attract more customers and partners, particularly those in jurisdictions with strict data protection regulations, as they will be seen as trustworthy custodians of personal data.
  • Penalties for non-compliance: The penalties for failing to comply with the certification requirements highlight the importance of maintaining rigorous data protection standards. Businesses that neglect to adhere to these regulations risk facing financial penalties, suspension of their certification, and damage to their reputation. For multinational companies, this could impact their ability to operate in China or other jurisdictions with similar regulations.
  • International data flows: The encouragement of international cooperation and mutual recognition of certification standards presents opportunities for businesses to streamline their data operations. By aligning with global standards, businesses can facilitate the smooth and secure transfer of data across borders, enhancing their ability to operate in diverse markets without encountering significant regulatory hurdles.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.