CHANG TSI
On January 3, 2025, the Cyberspace Administration of China released the "Certification Measures for Personal Information Protection in Cross-Border Data Transfers (Draft for Comments)" (hereinafter referred to as the "Draft for Comments") for public comment.
According to the Personal Information Protection Law of the PRC, there are three compliance pathways for cross-border data transfers: security assessment for data export, recordal of standard contracts for cross-border personal information transfer, and personal information protection certification. In recent years, the Cyberspace Administration of China has successively issued guidelines related to standard contracts for cross-border personal information transfer and security assessment for data export. However, the specific details for personal information protection certification in cross-border data transfers have yet to be released. The publication of this Draft for Comments marks a further improvement in the regulatory framework for cross-border personal information management and will provide significant guidance for enterprises in ensuring compliance with cross-border personal information transfer regulations.
The scope and circumstances for personal information protection certification in cross-border data transfers are fundamentally similar to those for standard contracts for cross-border personal information transfer. Specifically, certification applies to personal information processors that are not critical information infrastructure operators and that, since January 1 of the current year, have cumulatively provided to overseas recipients the personal information of more than 100,000 but fewer than 1 million individuals (excluding sensitive personal information), or the sensitive personal information of fewer than 10,000 individuals. However, the two pathways differ in focus. The filing of standard contracts emphasizes the assessment of the personal information being transmitted, focusing on the purpose, scope, type, sensitivity, method, and storage location of the cross-border personal information transfer. In contrast, personal information protection certification emphasizes the assessment of the personal information processors (including domestic personal information processors and overseas recipients). Besides evaluating the purpose, scope, and method of the cross-border personal information transfer, the assessment also considers the personal information protection policies and laws and the network and data security environment of the country or region where the overseas recipient is located, as well as whether the organizational structure, management system, and technical measures of the domestic personal information processor and the overseas recipient can effectively ensure data security and protect personal information rights.
The Draft for Comments is still in the consultation phase, pending further revisions and formal release. As one of the compliance pathways for cross-border personal information transfer under the Personal Information Protection Law, the implementation of personal information protection certification for cross-border data transfers remains in its exploratory and developmental stages. With the continuous enhancement of data security and personal information-related laws and national standards, it is anticipated that cross-border data activities and related regulations in China will become more standardized and streamlined. For enterprises with cross-border data transfer needs, especially multinational corporations, it is advisable to consider the distinct characteristics of both personal information protection certification and the filing of standard contracts. By aligning these options with their specific data compliance requirements, enterprises can proactively plan and select the most appropriate method for cross-border data transfer. This approach will further optimize and strengthen their data compliance systems and strategies.