CAC and SAMR Jointly Issued the Measures for Certification of Outbound Personal Information Transfers
ISSUING AUTHORITIES:
Cyberspace Administration of China
State Administration for Market Regulation
DATE OF ISSUANCE:
October 14, 2025
EFFECTIVE DATE:
January 1, 2026
On October 14th, the Cyberspace Administration of China and the State Administration for Market Regulation jointly released the Measures for Certification of Outbound Personal Information Transfers (the “Measures”), which will come into effect on January 1, 2026.
According to the Measures, certification applies to personal information handlers that are not operators of critical information infrastructure and that, on an annual basis, provide to overseas recipients (i) personal information of 100,000 or more individuals but fewer than 1 million individuals (excluding sensitive personal information), or (ii) sensitive personal information of fewer than 10,000 individuals, and where no important data is involved. Personal information handlers must apply to a professional certification institution for certification, and the certification certificate will be valid for three years.
Professional certification institutions must submit certification information to the authorities and suspend or revoke certificates if non-compliance is identified. Within ten days of issuing a certificate, the certification institution must file with the cybersecurity authority. The Cyberspace Administration of China and the State Administration for Market Regulation will supervise certification activities.
Reference:
