LawFlash

China's Data Outbound Rules Update: Measures for the Certification

October 22, 2025

The Cyberspace Administration of China, jointly with the State Administration for Market Regulation, officially released the Measures for the Certification of Outbound Personal Information Transfer on October 17, 2025. This marks the completion of the regulatory framework for the "three pillars" governing personal information outbound transfers: security assessment, standard contracts, and certification.

The Measures for the Certification of Outbound Personal Information Transfer (the Measures) will take effect on January 1, 2026.

This LawFlash summarizes the key content of the Measures and practical recommendations.

COMPLETION OF THE LEGISLATIVE FRAMEWORK FOR THE THREE OUTBOUND PATHS

With the introduction of the Measures, the regulatory system for data outbound transfers is now fully established:

  • Security Assessment: This pillar is applicable to critical information infrastructure operators (CIIOs) or processors meeting specific volume thresholds:
    • Having transferred personal information of more than 1 million individuals abroad since January 1 of the current year
    • Having transferred sensitive personal information of more than 10,000 individuals abroad since January 1 of the current year
  • Standard Contract Filing: This pillar is applicable to the majority of enterprises that do not meet the thresholds for the mandatory security assessment but meet either of the following thresholds:
    • Having transferred personal information of more than 100,000 but less than 1 million individuals abroad since January 1 of the current year
    • Having transferred sensitive personal information of less than 10,000 individuals abroad since January 1 of the current year
  • Certification: This pillar serves as an alternative compliance path to Standard Contract Filing, providing enterprises with another option to fulfill their obligations.

CORE VALUE AND APPLICABLE SCENARIOS OF THE CERTIFICATION PATH

Certification is one of the compliance pathways under China's Personal Information Protection Law. It offers a standardized mechanism for organizations to legitimize the cross-border transfer of personal information, presenting unique advantages for specific business structures.

Special Value for Overseas Handlers

This pathway addresses a critical compliance dilemma faced by certain overseas data handlers (a Chinese concept equivalent to a data controller under the EU GDPR). Many overseas data handlers (e.g., foreign ecommerce platforms, software-as-a-service (SaaS) providers, or app developers) collect personal information directly from individuals within China. However, if these companies lack a registered subsidiary or legal entity in China, they have no domestic "transferor" to sign the Standard Contract with the overseas "receiver."

The certification path resolves this by allowing such overseas handlers to apply for certification through a dedicated entity or an authorized representative within China. This process effectively creates a compliant path for the purpose of information export, circumventing the eligibility issue posed by the Standard Contract path.

Applicability Conditions

The certification path is primarily designed for non-Critical Information Infrastructure Operators (non-CIIOs) and is subject to specific information volume thresholds calculated on an annual cumulative basis.

  • Applicable entity type: Must be a non-CIIO
  • Information volume thresholds: The annual outbound transfer involves:
    • 100,000 to 1 million individuals’ non-sensitive personal information
    • Less than 10,000 individuals’ sensitive personal information

COMPARATIVE ANALYSIS OF CERTIFICATION AND STANDARD CONTRACT PATHS

The certification and standard contract paths have highly overlapping applicability conditions. The choice between them is not automatic and should be a strategic decision based on an organization's specific circumstances.

Below are key pros and cons of each path:

Standard contracts:

  • Ideal for: Most domestic enterprises that have a legal entity in China
  • Pros:
    • Cost-effectiveness: There are no direct filing fees, making it less expensive upfront.
    • Duration: Once successfully filed with the authorities, the contract is valid for the term agreed upon by the parties within the contract.
  • Cons:
    • The filing of the signed contract with the relevant government cyberspace authority (e.g., the local CAC office) is required.
    • The core clauses of the Standard Contract template are mandatory and cannot be altered.

Certification:

  • Ideal for:
    • Overseas handlers without domestic subsidiaries directly collecting personal information
    • Intra-group information transfers: For multinational corporations frequently transferring information within their global group, certification can establish a unified, long-term compliance mechanism that is more efficient than managing multiple individual contracts.
  • Pros:
    • No government filing; only an authorized certification institution is involved.
  • Cons:
    • Validity: The certification is typically valid for a period of three years, after which renewal is necessary.
    • Cost: Involves fees for certification and renewal.

OBSERVATIONS AND RECOMMENDATIONS

It is critical to assess and implement the appropriate cross-border data transfer mechanism, and to establish a robust internal management system for overseeing outbound personal information transfers.

Enterprises should also proactively fulfill core legal obligations. These include conducting a Personal Information Protection Impact Assessment (PIPIA) and securing valid informed consent from individuals.

For further assistance in evaluating the suitable outbound transfer path or preparing relevant materials, Morgan Lewis is available to provide continuous support.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Todd Liao (Shanghai)
Sylvia Hu (Shanghai)