Connect with us
Cross-Border Data Transfers: New Draft Guidelines Clarify Certification for Personal Information Protection Cross-Border Data Transfers: New Draft Guidelines Clarify Certification for Personal Information Protection

China

Cross-Border Data Transfers: New Draft Guidelines Clarify Certification for Personal Information Protection

Published

on

China’s draft measures for personal information protection in cross-border data transfers clarify certification procedures, eligibility, and requirements. Released by the Cyberspace Administration, they aim to enhance data governance and privacy, ensuring compliance and safeguarding personal information in international exchanges.


China’s new draft measures provide clarity on the certification process for personal information protection in cross-border data transfers (CBDT). Aimed at enhancing data governance, safeguarding privacy, and ensuring regulatory compliance, the draft measures outline eligibility criteria for applying the certification mechanism, specify the requirements, and detail the certification procedures.

On January 3, 2025, the Cyberspace Administration of China (CAC) issued a draft document titled Measures for the Certification of Personal Information Protection for Cross-Border Data Transfers (hereinafter, draft measures) for public consultation. The draft measures, comprising 20 detailed articles, outline a comprehensive framework for certifying the security and compliance of personal data transfers beyond China’s borders.

With the feedback deadline set for February 3, 2025, the draft measures represent a crucial step in China’s broader strategy to strengthen data governance, ensure cybersecurity, and address global concerns over the safety of cross-border information flows.

Article 3 of the draft measures defines “PI protection certification” in cross-border data transfers as the formal evaluation process carried out by bodies authorized by the State Administration for Market Regulation (SAMR).

These certification bodies are responsible for assessing the compliance of personal information processors with the requirements of secure cross-border data transfers. The certification ensures that processors—whether domestic or foreign—adhere to the stringent criteria set out in the regulations, thereby protecting individuals’ personal information while enabling international data exchanges. Certified entities must demonstrate their capacity to manage cross-border data transfers in compliance with the standards laid out by the CAC and SAMR.

The certification process not only verifies compliance but also serves as an assurance to the public and regulatory authorities that the certified processors meet the required data protection measures.

Moreover, the scope of “cross-border data transfers” encompasses several scenarios where personal information moves across national boundaries. These include:


This article was first published by China Briefing , which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in in ChinaHong KongVietnamSingapore, and India . Readers may write to info@dezshira.com for more support.

Read the rest of the original article.