China’s Cyberspace Administration (CAC) and State Administration for Market Regulation (SAMR) have jointly issued the “Measures for the Authentication of Personal Information Exported Abroad,” establishing a new certification framework for cross-border data transfers. The measures, published on October 17 and effective January 1, 2026, aim to strengthen oversight of how personal information is shared internationally while facilitating “efficient and secure” data flows.
Approved at the CAC’s 17th executive meeting and signed by CAC Director Zhuang Rongwen and SAMR Director Luo Wen, the new rules mark a significant expansion of China’s regulatory framework under the Personal Information Protection Law (PIPL) and Network Data Security Management Regulations.
Under the measures, companies seeking to export personal information abroad must undergo certification by an accredited professional body authorized for personal information protection. To qualify, organizations must not be critical information infrastructure operators and must have transferred data on more than 100,000 but fewer than 1 million individuals—or fewer than 10,000 individuals if the data is classified as sensitive—since January 1 of the current year.
The certification process requires organizations to complete a detailed personal information protection impact assessment evaluating legal compliance, risks to national security, and the ability of overseas recipients to safeguard data. The rules prohibit companies from evading higher-level security reviews by dividing datasets into smaller portions.
Certification will be valid for three years and must be renewed six months before expiration. Accredited certification bodies must report all issued or revoked certifications to a national public information platform within five working days, ensuring transparency and traceability.
The CAC and SAMR will jointly supervise implementation, conduct audits, and enforce penalties for violations. The measures emphasize confidentiality, mandating that certification agencies and government departments protect personal and trade secrets obtained during the process.
Officials said the framework will “standardize outbound certification activities” and reinforce China’s position as a leader in data governance while promoting trusted, rule-based cross-border data flows.
Need Help?
If you have questions or concerns about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
