China Finalizes Certification Route for Cross-Border Data Transfer

By Matthew Ding and Fabian Knopf
Background: Completing the Puzzle
Since the enactment of the Personal Information Protection Law (PIPL) in 2021, China has introduced three distinct compliance mechanisms for cross-border personal information transfers:
- Security Assessment – the most stringent and regulator-led approach;
- Certification – a middle-ground compliance path;
- Standard Contract – the most procedural and self-executed option.
While Security Assessment and Standard Contract measures were issued in 2022 and 2023 respectively, certification has remained the missing piece—until now.
On 14 October, 2025, the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) jointly released the Measures for the Certification of Cross-Border Provision of Personal Information. These Measures will take effect on 1 January, 2026, completing the long-awaited compliance framework.
Who Can Use the Certification Route?
The Certification route is designed for mid-scale personal information exporters that do not qualify for the Standard Contract route but fall short of Security Assessment thresholds.
Under Article 5 of the Measures, a personal information handler may apply for certification if it meets all of the following:
- Not a critical information infrastructure operator (CIIO);
- Since January 1 of the current year, has transferred abroad either:
  - Personal information (excluding sensitive PI) of ≥100,000 but <1,000,000 individuals; or
  - Sensitive personal information of <10,000 individuals.
Importantly, this route does not apply to the export of important data, which remains subject to the Security Assessment mechanism. Additionally, the Measures make clear that data handlers may not circumvent these thresholds by artificially splitting export volumes—a practice expressly prohibited to prevent avoidance of stricter regulatory procedures.
Compliance Requirements Before Applying
Before starting a certification application, the data handler must conduct a Personal Information Protection Impact Assessment (PIA) that evaluates, among other things:
- Legitimacy and necessity of data processing activities;
- Sensitivity and scale of data exported;
- Security capabilities of overseas recipients;
- Risks of leakage, misuse, or regulatory conflicts abroad;
- Cross-border enforcement and complaint mechanisms;
- Foreign jurisdiction's legal impact on rights protection.
Additionally, personal information handlers must fulfill obligations such as obtaining separate consent, informing individuals, and appointing a domestic representative if located outside of China.
Procedure and Oversight
The Certification Measures also outline a clear procedural framework and oversight mechanism to ensure that certification activities are carried out with accountability and regulatory transparency. Once a company determines it meets the eligibility thresholds for certification, the following steps and obligations apply:
- Certification must be conducted by a licensed professional body, which must be approved by the State Administration for Market Regulation (SAMR) and duly filed with the Cyberspace Administration of China (CAC).
- Certificates are valid for three years, and companies wishing to continue certification must apply for renewal at least six months before expiry.
- Certification bodies are required to report any issuance or change in the status of certificates within five working days to the National Certification and Accreditation Information Public Service Platform.
- If any violations, inconsistencies, or mismatches between actual practices and the certified scope are discovered, the certificate may be suspended or revoked. Oversight authorities may also initiate enforcement or corrective measures.
Quick Reference: Comparing China's Three Cross-Border Transfer Mechanisms
With the release of the Certification Measures, companies now have a complete set of options for cross-border personal information transfers under China's data protection regime. The table below summarizes key differences among the three transfer mechanisms, along with updates from the 2024 Provisions on Promoting and Regulating Cross-Border Data Flows:

The 2024 Provisions aligned the non-sensitive PI threshold for Standard Contracts with Certification by shifting it to "as of 1 January of the current year". Additionally, under the 2024 Provisions, data handlers exporting ≤100,000 individuals' non-sensitive PI (as of current year) are exempt from all three procedures, provided they fulfill PIPL duties such as consent, PIAs, and notification.
While the differing reference periods for SPI thresholds under the Standard Contract (previous year) and Certification (current year) may appear inconsistent, they do not create a regulatory gap. Rather, companies that exceed one threshold are expected to shift to the next appropriate mechanism, and should ensure accurate tracking of data volumes under each framework's defined time window.
Conclusion
With the Certification Measures now in place, China's cross-border data transfer framework is finally complete. Together with the Security Assessment and Standard Contract routes, the certification path provides companies with a calibrated set of options that reflect the scale and sensitivity of their data exports.
R&P's data privacy team advises and supports clients to ensure compliance with China's complex data privacy regulatory framework. The starting point is often support with a baseline data compliance plan tailored to your company's operations and business needs. If you would like a clearer understanding of whether your business could be impacted, or need support planning for future compliance, please reach out to the authors at [email protected], [email protected] or your trusted contact at R&P China Lawyers.
