Framework to secure overseas information transfers

China has introduced a certification program to regulate the transfer of personal information overseas, aiming to bolster data security while facilitating cross-border flows under a clearer legal framework. The rules will take effect on Jan 1.

The Cyberspace Administration of China, the country's top internet regulator, and the State Administration for Market Regulation jointly released the measures on Friday, outlining requirements for entities that send personal data abroad.

According to an official with the CAC, the program provides a legal pathway for data exporters that complies with national certification standards, as stipulated in the Personal Information Protection Law.

The certification applies to personal information processors that are not critical information infrastructure operators. It covers those who, since the start of a calendar year, have transferred non-sensitive personal data of between 100,000 and fewer than 1 million individuals, or sensitive personal data of fewer than 10,000 people. Important data is excluded.

The measures explicitly prohibit data processors from splitting large data transfers into smaller batches to avoid mandatory security assessments.

Under the new framework, data processors must submit applications to accredited certification bodies. Each certificate will be valid for three years.

Certifying institutions are required to upload certification details to a national public service platform for certification accreditation.

If a certified entity is found to have discrepancies between its actual data exports and the scope of its certification, or no longer meets certification criteria, the institution may suspend or revoke the certificate. Any violations of laws or regulations related to data exports must be promptly reported to regulators.

Certification bodies must also file records with the CAC within 10 working days after being accredited. Both the CAC and the State Administration for Market Regulation will oversee certification activities.

Provincial-level or higher cyberspace authorities and relevant departments may summon certified data processors for discussions if major risks or data security incidents are detected.