China has introduced a certification program to regulate the transfer of personal information overseas to bolster data security while facilitating cross-border flows under a clear legal framework. The rules will take effect on Jan 1, 2026.

The Cyberspace Administration of China, the country's top internet regulator, and the State Administration for Market Regulation jointly released the measures on Friday, detailing the requirements for entities that send personal data abroad.

According to a CAC official, the program offers a legal pathway for data exporters that comply with the national certification standards, as outlined in the Personal Information Protection Law.

The certification is available to personal information processors that are not critical information infrastructure operators. It applies to those who, since the start of a calendar year, have transferred non-sensitive personal data of between 100,000 and fewer than 1 million individuals, or sensitive personal data of fewer than 10,000 people. Important data is excluded.

The measures explicitly prohibit data processors from splitting large data transfers into smaller batches to avoid mandatory security assessments.

Under the new framework, data processors must submit applications to accredited certification bodies. The validity period of each certificate is three years.

Certifying institutions are required to upload certification details to a national public service platform for certification accreditation.

If a certified entity is found to have discrepancies between its actual data exports and the scope of its certification, or no longer meets certification criteria, the institution will be allowed to suspend or revoke the certificate. Any violations of laws or regulations related to data exports must be promptly reported to regulators.

Certification bodies should also file records with the CAC within 10 working days after being accredited. Both the CAC and the State Administration for Market Regulation will oversee certification activities.

Provincial-level or higher cyberspace authorities and relevant departments may summon certified data processors for talks if major risks or data security incidents are detected.