Framework to secure overseas information transfers
China has introduced a certification program to regulate the transfer of personal information overseas, aiming to bolster data security while facilitating cross-border flows under a clearer legal framework. The rules will take effect on Jan 1.
The Cyberspace Administration of China, the country's top internet regulator, and the State Administration for Market Regulation jointly released the measures on Friday, outlining requirements for entities that send personal data abroad.
According to an official with the CAC, the program provides a legal pathway for data exporters that complies with national certification standards, as stipulated in the Personal Information Protection Law.
The certification applies to personal information processors that are not critical information infrastructure operators. It covers those who, since the start of a calendar year, have transferred non-sensitive personal data of between 100,000 and fewer than 1 million individuals, or sensitive personal data of fewer than 10,000 people. Important data is excluded.
The measures explicitly prohibit data processors from splitting large data transfers into smaller batches to avoid mandatory security assessments.
Under the new framework, data processors must submit applications to accredited certification bodies. Each certificate will be valid for three years.
Certifying institutions are required to upload certification details to a national public service platform for certification accreditation.
If a certified entity is found to have discrepancies between its actual data exports and the scope of its certification, or no longer meets certification criteria, the institution may suspend or revoke the certificate. Any violations of laws or regulations related to data exports must be promptly reported to regulators.
Certification bodies must also file records with the CAC within 10 working days after being accredited. Both the CAC and the State Administration for Market Regulation will oversee certification activities.
Provincial-level or higher cyberspace authorities and relevant departments may summon certified data processors for discussions if major risks or data security incidents are detected.
zoushuo@chinadaily.com.cn
- Former head of national forestry and grassland body under investigation
- A new lease of life: Providing dialysis access in rural China
- China's grain output hits new high in 2025
- Xinjiang ensures vegetable, fruit supply amid cold wave
- Chinese scientists develop self-powered device to speed up muscle repair
- Taiwan's leader Lai absent from first legislative review meeting of his impeachment
