Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · MEASURES FOR THE CERTIFICATION OF THE CROSS-BORDER PROVISION OF PERSONAL INFORMATION

Measures for the Certification of the Cross-border Provision of Personal Information.

个人信息出境认证办法

Promulgated by: Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR).
Document No.: Order No. 20 of CAC and SAMR (jointly).
Adopted at the 17th executive meeting of the CAC in 2025 on July 21, 2025. Effective January 1, 2026.


Article 1. In order to protect personal information rights and interests, regulate certification activities for the cross-border provision of personal information, and promote the efficient and secure cross-border flow of personal information, these Measures are formulated in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Administration of Network Data Security, the Regulations of the People’s Republic of China on Certification and Accreditation, and other laws and regulations.

Article 2. Where a personal information processor provides personal information to outside the territory of the People’s Republic of China by means of personal information protection certification, these Measures shall apply.

Article 3. For the purposes of these Measures, certification of cross-border provision of personal information refers to the conformity assessment activities conducted, in accordance with Item (2) of Paragraph 1 of Article 38 of the Personal Information Protection Law of the People’s Republic of China, by professional certification bodies that have lawfully obtained personal information protection certification qualifications, to attest that personal information processing activities such as the provision of personal information by personal information processors to outside the territory of the People’s Republic of China conform to relevant laws, administrative regulations, departmental rules, standards, and technical specifications.

Article 4. The National level cyberspace administration department, together with the National level data administration department and other relevant departments, shall formulate relevant standards and technical specifications for the certification of cross-border provision of personal information. The State Administration for Market Regulation, together with the National level cyberspace administration department, shall formulate personal information protection certification rules and unified certification certificates and marks. 1 1 10 100 1

Article 5. Where a personal information processor provides personal information to outside the territory by means of certification of cross-border provision of personal information, it shall simultaneously meet the following conditions: (1) It is not an operator of critical information infrastructure;

(2) Since January 1 of the current year, it has cumulatively provided abroad personal information of 100,000 persons or more but less than 1,000,000 persons (excluding sensitive personal information), or sensitive personal information of less than 10,000 persons. The personal information provided abroad as referred to in the preceding paragraph does not include important data. Where laws, administrative regulations, or the National level cyberspace administration department provide otherwise, such provisions shall prevail. Personal information processors shall not adopt means such as quantity splitting to provide, by means of certification of cross-border provision of personal information, to outside the territory personal information that, according to law, shall be provided abroad only after passing a security assessment for data export.

Article 6. Prior to applying for certification to provide personal information abroad, personal information processors shall perform the obligations of notification, obtaining separate consent of individuals, conducting personal information protection impact assessment, etc., in accordance with the provisions of laws and administrative regulations. The personal information protection impact assessment shall focus on evaluating the following: (1) The legality, legitimacy, and necessity of the purposes, scope, methods, etc., of personal information processing by the personal information processor and the overseas recipient;

(2) The scale, scope, types, and sensitivity of the personal information to be exported, and the risks that the cross-border provision of personal information may pose to national security, public interests, and personal information rights and interests;

(3) Whether the obligations the overseas recipient undertakes to assume, and the management and technical measures and capabilities to perform such obligations, can ensure the security of the personal information provided abroad;

(4) The risks of personal information being tampered with, damaged, leaked, lost, illegally used, etc., after being provided abroad, and whether the channels for safeguarding personal information rights and interests are smooth;

(5) The impact of personal information protection policies and regulations of the country or region where the overseas recipient is located on the security of the personal information provided abroad and the personal information rights and interests;

(6) Other matters that may affect the security of cross-border provision of personal information.

Article 7. Where a personal information processor provides personal information abroad by means of certification, it shall apply to a professional certification body for certification of cross-border provision of personal information. Where a personal information processor outside the territory of the People’s Republic of China applies for certification of cross-border provision of personal information, the application shall be assisted by its specially established institution or designated representative within the territory.

Article 8. Professional certification bodies shall carry out certification activities for cross-border provision of personal information in accordance with basic certification norms and personal information protection certification rules. Where certification requirements are met, professional certification bodies shall promptly issue certification certificates. The validity period of a certification certificate shall be three years. Where the certificate needs to continue to be used upon expiry, the personal information processor shall file an application for certification six months prior to the expiration of the validity period. 5

Article 9. Professional certification bodies shall, within five working days after issuing certification certificates or after the status of certification certificates changes, submit relevant information on certification certificates for cross-border provision of personal information to the National level Certification and Accreditation Information Public Service Platform, including the certification certificate number, the name of the certified personal information processor, the scope of certification, and information on changes in certificate status, etc. The State Administration for Market Regulation and the National level cyberspace administration department shall establish a mechanism for sharing certification information.

Article 10. Where professional certification bodies discover that a certified personal information processor has circumstances such as inconsistency between the cross-border provision of personal information and the certification scope, and is no longer in conformity with certification requirements, they shall suspend its use until revoking the relevant certification certificate. Where the National level cyberspace administration department and relevant departments discover, in the course of supervision and administration over personal information protection, that a certified personal information processor has the circumstances set out in the preceding paragraph, professional certification bodies shall cooperate to suspend its use until revoking the relevant certification certificate. The circumstances set out in the preceding two paragraphs shall be published via the National level Certification and Accreditation Information Public Service Platform.

Article 11. Where, in the course of carrying out certification activities, professional certification bodies discover that cross-border provision of personal information violates laws, administrative regulations, or relevant national provisions, they shall promptly report to the National level cyberspace administration department and relevant departments.

Article 12. Professional certification bodies that carry out certification for cross-border provision of personal information shall, within ten working days from the date on which they are approved by the State Administration for Market Regulation to obtain personal information protection certification qualifications, complete filing procedures with the National level cyberspace administration department. When handling filing, the following materials shall be submitted: (1) The circumstances of the obtained certification qualifications in the field of personal information protection;

(2) The professional work circumstances engaged in the field of data security and personal information protection during the past three years;

(3) Security background check materials of the personnel of the professional certification body;

(4) Implementation rules and work plan for personal information protection certification;

(5) Mechanisms for preventing personal information security risks;

(6) Continuous supervision mechanisms regarding the conformity of the certified personal information processor’s cross-border provision of personal information with certification standards;

(7) Complaint handling and dispute resolution mechanisms;

(8) Other materials required to be submitted. Professional certification bodies shall be responsible for the authenticity of the filed materials. Upon receipt of the filing materials submitted by the professional certification bodies, the National level cyberspace administration department, together with the National level data administration department, shall review the filing materials. Where the materials are complete, filing shall be completed within thirty working days and made public; where the materials are incomplete, filing shall not be completed, and the professional certification body shall be notified within thirty working days with reasons explained.

Article 13. The State Administration for Market Regulation and the National level cyberspace administration department shall supervise certification activities for cross-border provision of personal information, conduct regular or ad hoc inspections, carry out spot checks on certification processes and certification results, and conduct spot checks and evaluations of professional certification bodies.

Article 14. State organs, professional certification bodies, and other institutions engaged in certification activities and their staff shall, in accordance with law, keep confidential the personal privacy, personal information, trade secrets, and confidential business information that they become aware of in the performance of their duties, and shall not disclose, illegally provide to others, or illegally use such information.

Article 15. Where any organization or individual discovers that a certified personal information processor provides personal information abroad in violation of these Measures, they may lodge complaints or report to professional certification bodies, cyberspace administration departments, and relevant departments.

Article 16. Where cyberspace administration departments at the provincial level or above and relevant departments discover that the certified personal information processor’s cross-border personal information activities pose significant risks or that personal information security incidents have occurred, they may, in accordance with law, conduct interviews with the certified personal information processor. The certified personal information processor shall make rectifications as required and eliminate hidden dangers.

Article 17. Where these Measures are violated, disposition shall be made in accordance with the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Administration of Network Data Security, the Regulations of the People’s Republic of China on Certification and Accreditation, and other laws and regulations; where a crime is constituted, criminal liability shall be pursued according to law.

Article 18. Where relevant provisions on certification of cross-border provision of personal information formulated prior to the implementation of these Measures are inconsistent with these Measures, these Measures shall prevail.

Article 19. These Measures shall come into force on January 1, 2026.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

2 briefs reference this law.

  • § 01 · CROSS-BORDER

    The Negative-List Map, Region by Region: Ten Zones, Two Models, and the Year Data Export Went Province-Wide

    As of July 2026, ten Chinese regions — nine free-trade zones plus the Hainan Free Trade Port — have published data-export negative lists under Article 6 of the 2024 Cross-border Data Flows Provisions, and this year Beijing and Shanghai took the mechanism province- and city-wide, off the FTZ footprint entirely. DCC's roundup maps the full set: which sectors each zone lists (from Tianjin's 13 commodity categories to Guangdong's smart-manufacturing and personal-credit fields, Chongqing's intelligent-connected-vehicle chain, and Jiangsu's biopharma-only list), the two management models that have crystallized — pre-export filing versus Shanghai and Guangdong's 'transfer-first, report-after' — and how an overseas team should read the map. Compiled from the CAC's national negative-list index and each region's official notice, and paired with DCC's new downloadable negative-list registry.

    cross-border · negative-list · ftz-negative-list
  • § 02 · ENFORCEMENT

    Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases

    In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.

    enforcement · cross-border-data · pipl
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →