Multinational companies have long complained about China’s excessive, overbearing, and rigid rules on data protection. Numerous organizations, notably law and consulting firms, chose to close their China offices rather than have to deal with the rules. In response, Chinese policymakers ordered issuance of new rules in consultation with those companies’ executives, aimed at resolving those complaints.
In January 2025, the China Cyberspace Commission issued the Personal Data Export Protection Certification Administrative Procedures with a request for public comment, with the stated intent of providing a consistent and efficient framework for cross-border transfers of personal data. The center of this plan is a data protection certification process. Now, in combination with the China Personal Information Protection Act and the Internet Data Security Regulations, there are three compliance pillars for personal data transfers outside China:
- Data export security assessments
- Model contract terms
- Data export compliance certification
Several other rules that impose additional requirements were announced jointly by the cyberspace and market regulators, notably the Data Protection Certification Implementation Circular. The Procedures provide detailed rules describing the legal requirements for personal data export certifications. This article explains the current state of Chinese law on data export certification.
Contents
Overview of the Export Procedures
Post-Certification Requirements
Model Contracts on Data Protection Certification
Selecting the Appropriate Approach
Overview of the Export Procedures
Export Activities. The Procedures describe three ways in which locally collected personal information is transferred outside mainland China: sending, providing remote access, or outsourced data processing. In each of these cases, a business must use a security assessment, model contract, or certification. Under a long-arm jurisdiction provision, the law applies to companies outside China which process individuals’ data. This is important because a 2024 Guangzhou Internet Court case imposed long-arm jurisdiction on a defendant who was a company registered in France that has no presence in China.
Since the defendant processed data collected from individuals within mainland China, its activities constituted cross-border processing under the Act § 3(b) rules defining cross-border processing, and the court therefore held that it had jurisdiction over the company. The results reached by courts are highly consistent with those of administrative agencies. The Export Procedures apply to providers of non-critical infrastructure where the entity has accumulated exports covering over 100,000 persons but fewer than 1,000,000 persons, or sensitive personal information exports covering under 10,000 persons.
The Act and the Cross Border Data Export Standardization Rules require operators of critical data infrastructure, and other data controllers who provide important data outside the country, to make declarations in the form of a Security Assessment. The data protection certification requirements, by contrast, apply only to a limited number of data export use cases: only a few contexts with significant volume require obtaining a data protection certification.
Certifying Bodies. The Procedures provide that the data protection certification process must be voluntary, private sector, and socially beneficial. Because the data controller requests a data protection certification voluntarily, it is a data export method that provides more autonomy. The law provides that once a certain transfer threshold is reached, either the model contract or the data protection certification approach is required to lawfully transfer local data outside of China. The law requires that the organization providing the data protection certification be a “professional certification body.” Similar to the existing Data Protection Certification Implementation Circular, the Export Procedures require the organization to have professional qualifications and to be registered with the CAC.
Data Protection Certification. Under the Circular and Personal Data Protection Administrative Rules, a personal data protection certification is obtained by getting technical verification, on-site audits, and post-certification inspections. A business processing data outside China must also comply with the following two standards:
- GB/T 35273 Information Security Technology – Personal Information Security Standards
- TC260-PG-20222 Cross Border Personal Data Processing Security Processing Standards
These standards require evaluating the personal data export purpose, scope, method, legality, legitimacy, and necessity; and, additionally, whether the country or region where that business processes that data has a cybersecurity environment or has policies or laws that could impact personal information security.
The data controller or recipient outside China must offer a level of data protection equal to that required within China. The Data Processing Agreement for a recipient outside of China must impose binding data protection obligations, and the processor must have an adequate organizational structure and technology to safeguard individuals’ data security rights. The professional certification body must complete an evaluation against all of the above standards, and against anything else it considers essential to protecting personal information rights overall.
Post-Certification Requirements
Under the Personal Data Export Protection Certification Administrative Procedures at § 9, data controllers applying for a data protection certification must be subject to oversight from a professional certification body throughout the certification period. While the Procedures are silent on the validity period, the Personal Data Protection Certification Supplemental Rules § 9 provide a period of three years. The Procedures provide for additional Personal Data Export Certification Rules, and a standard certification mark will be issued jointly by two government agencies, the National Administration for Market Regulation and the Cyberspace Affairs Commission of China. Therefore, different rules could be forthcoming that change the current cross-border requirements under the Personal Data Protection Administrative Rules. Nonetheless, the certification will have a definite valid term and data controllers will be subject to oversight.
Once certified, you must ensure your operations are fully covered by the certified matters, continuously update data processing lists, and maintain audit logs for inspection by market and cyberspace regulators. A professional services firm that discovers discrepancies, security incidents, or data breaches must report them to the CAC; the agency may decide to suspend the certification, and may also be ordered by regulators to do so, in which case your staff must meet with officials and correct the violations.
All personal data transfers must cease while the certification is not in effect, and resuming them during that time is illegal. To avoid compliance program failures, your technical, data, and legal staff should apply an ongoing, cyclical process to assess the security measures of any recipient outside of China and maintain compliance logs.
General Public’s Role. Any individual member of the general public is empowered to report violations of these data transfer rules by a data controller or processor to the Internet regulator’s provincial headquarters office or to the central government office.
A professional certification body may suspend or revoke a certificate at its own discretion or if directed to do so by the Internet regulator. In sum, you will be subject to oversight by the Internet regulator, the professional certification body, and the general public. The central government Internet regulatory headquarters has authority to revoke a certificate, but the provincial department may only demand correction to eliminate hazards.
Model Contracts on Data Protection Certification
The Cross Border Data Export Standardization Rules require that unless subject to an exemption, the controller must either “enter into the model contract for data export” or “obtain personal information protection certification”; a data export declaration and certification is also required.
The Procedures differ in a few respects from their sister regulation, the Personal Data Export Model Contract Procedures.
Processing Activities. Both require legality, legitimate grounds, and necessity for the personal information processing purpose, scope, and methods. The model contract establishes obligations on each of these points for the recipient outside of China, whereas the data protection certification focuses on the requirements for the entity in China.
There are two competing interpretations of the rules; one is that the certification requirements apply to the recipient outside of China. The other interpretation is that these requirements apply to data processing contracting where the processing purpose of both controller and processor is identical. Support for this position is reflected in how regulations provide they apply to “multinational corporations and their subsidiary or affiliates within the same business enterprise.” (See TC260-PG-20222A Cross-Border Data Information Processing Activity Security Certification Standards)
Equivalent Protection. Model contracts and certifications require an equivalent level of protection globally, looking at both the personal information protection capability of the recipient outside of China and the law and policy of its host country or region. The model contract rules are more subjective, with requirements for “obligations of the recipient outside of China,” whereas the data protection certification requires the “recipient outside of China must have capabilities satisfactory to Chinese law.” They both look at the negative impacts of the host country’s policies and regulations on personal information protection, with a difference being the data protection certification examines the local “Internet and data security environment.”
Agreement Provisions. The data protection certification requires entering into a binding agreement with any recipient outside of China that imposes data protection obligations, and these can be achieved where the data controller enters into the model contract with them. Both options are a means by which an agreement exercises control over a recipient outside of China to ensure data protection obligations are performed.
The Procedures Section 10(b) provides that the Data Processing Agreement requirements apply only to a recipient outside of China and not to a data controller outside China. The underlying reasoning is that, given that a data controller outside China should technically have a local subsidiary or representative office, requiring entities within the same enterprise to enter into contracts with each other is not necessary to achieve control.
To contrast the approaches, the data protection certification requires the data controller and recipient to have in advance an adequate organizational structure, management, and technical measures sufficient to assure that personal information security and rights are protected. The model contract focuses on the ability to impose liability for consequences arising from data protection failures after the data is transmitted outside China, in particular tampering, destruction, breach, loss, or illegal use.
Selecting the Appropriate Approach
Party Identity. Regulations state that multinational corporations and their subsidiaries/affiliates operating together within a business enterprise should primarily use data protection certification. (See TC260-PG-20222A Cross-Border Personal Data Processing Activity Security Certification Standards). The Procedures § 10(d) exempt companies from having to sign a contract in such situations, offering an alternative to the model contract approach. For businesses that need to perform data processing outside of China, such as in the Guangzhou Internet Court case, the data protection certification approach is a good option.
Data Exports. The data protection certification and the model contract are broadly similar but have different requirements. The data protection certification has the additional requirement that data controllers and recipients outside of China describe their organizational structure, management, and cybersecurity measures so as to “effectively safeguard data security and personal information protection rights.” (See Procedures § 10(e))
The model contract focuses on compliance for exporting a particular type of personal data outside China. The data protection certification is focused on whether the organization has effective capability to ensure personal data processing fulfills legal requirements. Thus, data protection certification is a better choice for long term, high frequency data processing and model contracts are better for short term or infrequent data processing.
Oversight Capability. A model contract is a private agreement that uses enforceable provisions, whereas data protection certification is a third-party verification by a professional certification body of an organization’s capability. A model contract should be used if the parties have equal bargaining power; if bargaining power is unequal, it is better to use a professional certification body to meet the compliance requirements.
Chinese Public’s Trust. An organization can export personal data upon filing its model contract, and these contracts are often part of a larger business contract for which no public disclosures are made, meaning that the arrangement is not auditable. A data protection certification is by contrast a quasi-regulatory function providing oversight of the organization’s ability to perform cross-border transfers. This is an effective way of demonstrating personal data protection capability to the Chinese public, so a business that depends on high public trust in its ability to protect personal data can use the external certification body’s endorsement to increase customer confidence in how well it protects personal information.
Compliance Insights. In China’s regulatory landscape, temporary regulations seeking public comment like these are important for businesses because they reflect a codification of regulatory best practices. Regulators currently recognize that future versions need additional rules on the organizational charts and management process documentation relevant to personal data security, as well as rules on how data controllers can file applications for data protection certification with the Chinese government. The government intends the Procedures to provide personal data protection certifications that standardize and facilitate the data export process. Businesses working with China should ensure that their business practices conform to the anticipated final version of the rules.