A New Year's Start for Lawful Data Export: A Quick Review of the Measures for Personal Information Protection Certification for Personal Information Export (Draft for Comments)

2025-01-06
On January 3, 2025, the Cyberspace Administration of China (hereinafter "the CAC") released the Measures for Personal Information Protection Certification for Personal Information Export (Draft for Comments) (hereinafter "the Draft for Comments") for public comment, as an implementing document under the Personal Information Protection Law and the Regulations on Network Data Security Management. Comments are due by February 3, 2025. The Draft for Comments fires the first shot of data protection legislation in 2025 and is another important measure in China's personal information protection regime; it matters for regulating cross-border flows of personal information and for safeguarding its security. If adopted, it may become the preferred route for overseas processors that fall within the jurisdiction of the Personal Information Protection Law to process domestic personal information and export data lawfully. The Draft for Comments has 20 articles that define the scope, conditions and main content of personal information protection certification, implementing Article 38, Paragraph 1, Item (2) of the Personal Information Protection Law, which provides that personal information may be exported after obtaining personal information protection certification. This article gives a quick assessment of the points in the Draft for Comments that exporting enterprises should note, and suggests next steps.

1、 Background

Under China's current framework for data export compliance, an enterprise that intends to export data must determine, based on its own status and the type of data, whether it needs to (i) apply for and pass a data export security assessment, (ii) conclude and file a standard contract for personal information export, or (iii) obtain personal information protection certification (hereinafter the "pre-export procedures"). Specifically:

If the data to be exported is important data, the enterprise must apply for and pass the data export security assessment organized by the Cyberspace Administration of China.

If the data to be exported is personal information, the enterprise must apply for and pass the data export security assessment if any of the following applies: (i) it is a critical information infrastructure operator; or (ii) since January 1 of the current year it has cumulatively provided overseas the personal information (excluding sensitive personal information) of more than 1 million individuals, or the sensitive personal information of more than 10,000 individuals. These are the thresholds set by the Provisions on Promoting and Regulating Cross-Border Data Flows (March 2024), which replaced the earlier tests of "processing the personal information of more than 1 million individuals" and counting from January 1 of the previous year.

If the data to be exported is personal information and none of the above applies, that is, the enterprise is not a critical information infrastructure operator and since January 1 of the current year has cumulatively provided overseas the non-sensitive personal information of between 100,000 and 1 million individuals or the sensitive personal information of fewer than 10,000 individuals, it may choose either to (i) conclude and file a standard contract for personal information export, or (ii) export the personal information after obtaining personal information protection certification. (Under the same Provisions, a non-critical information infrastructure operator that has cumulatively provided overseas the non-sensitive personal information of fewer than 100,000 individuals is exempt from all three procedures.)

China had already taken an important step in managing personal information export: the Measures on the Standard Contract for Personal Information Export took effect on June 1, 2023, providing concrete guidance and rules for providing personal information overseas.

For personal information protection certification, on November 4, 2022 the State Administration for Market Regulation (SAMR) and the Cyberspace Administration of China jointly issued the Announcement on Implementing Personal Information Protection Certification, formally establishing China's personal information protection certification system.

As one of the compliance routes for exporting personal information from China, a personal information protection certification has the same legal effect as a filed standard contract for personal information export.

2、 Scope of application of personal information protection certification

(1) Scenarios in which personal information may be exported under personal information protection certification

Article 4 of the Draft for Comments sets out the conditions, all of which must be met, for a personal information processor to provide personal information overseas by way of personal information protection certification:

(1) The processor is not a critical information infrastructure operator;

(2) Since January 1 of the current year, it has cumulatively provided overseas the personal information (excluding sensitive personal information) of more than 100,000 but fewer than 1 million individuals, or the sensitive personal information of fewer than 10,000 individuals;

(3) The data to be exported does not include important data.

These conditions carve out the situations in which a data export security assessment must be filed with the cyberspace administration under the Personal Information Protection Law and the existing security assessment measures. Note also that an enterprise meeting these conditions may choose, according to its circumstances, either personal information protection certification or filing of a standard contract for personal information export. Enterprises that fall within the exemptions in Articles 3, 4, 5 and 6 of the Provisions on Promoting and Regulating Cross-Border Data Flows are exempt from applying for a data export security assessment, concluding a standard contract and obtaining personal information protection certification.

(2) Direct collection of personal information within China by overseas entities: apparently not a personal information export, but certification is still available

Direct collection of the personal information of domestic natural persons by an overseas entity is not a case of a domestic personal information processor providing personal information overseas, and does not fall within the definition of "personal information export" in Article 38 of the Personal Information Protection Law or in the Draft for Comments; on its face, personal information protection certification therefore does not apply. However, Article 5 of the Draft for Comments provides that where an overseas entity meets the conditions of Article 3, Paragraph 2 of the Personal Information Protection Law, its collection and processing of the personal information of domestic natural persons still counts as a "cross-border personal information processing activity". Such an entity may apply for certification through the dedicated agency or designated representative it has established in China, in accordance with the Practice Guide to Cybersecurity Standards - Security Certification Specification for Cross-Border Processing of Personal Information, and bears legal responsibility accordingly.

3、 The main content of personal information protection certification

The Draft for Comments allocates responsibilities among certification bodies and the various authorities involved in personal information protection certification. It spells out each stage of the certification bodies' work and their duties, and gives the regulators a firm basis of authority and responsibility. In detail:

(1) Certification evaluation content and standards

Article 10 of the Draft for Comments lists the key matters to be evaluated in personal information protection certification for personal information export:

(1) The legality, legitimacy, and necessity of the purpose, scope, and method of personal information export;

(2) The effect on the security of the exported personal information of the personal information protection policies and laws, and the network and data security environment, of the country or region where the overseas personal information processor and recipient are located;

(3) Whether the level of personal information protection of the overseas personal information processor and recipient meets the requirements of the laws, administrative regulations and mandatory national standards of the People's Republic of China;

(4) Whether the legally binding agreement between the personal information processor and the overseas recipient stipulates personal information protection obligations;

(5) Whether the organizational structure, management systems and technical measures of the personal information processor and the overseas recipient can fully and effectively safeguard data security and the rights and interests of individuals in their personal information;

(6) Other matters that the professional certification body considers necessary to evaluate under the personal information protection certification standards.

This article covers the core aspects of a personal information export. First, it requires a review of the legality, legitimacy and necessity of the purpose, scope and method of the export, so that the cross-border transfer rests on real and reasonable business needs, is limited to what is necessary, complies with the law, and avoids excessive collection or unlawful use. Second, it looks at the laws, policies and data security environment of the country or region where the overseas recipient is located, focusing on how those external factors could affect the security of the personal information. Third, it evaluates whether the overseas recipient's level of protection meets the corresponding Chinese standards and reviews how the agreement between the parties allocates personal information protection obligations. It also reviews the organizational structure, management systems and technical measures of both parties, so that data security and individuals' rights are protected in practice and not only on paper. Finally, item (6) reserves to the professional certification body the power to evaluate other matters, leaving room to adapt to complex and changing protection scenarios.

(2) Certification Body Filing Standards

Article 8 of the Draft for Comments provides that a certification body conducting personal information protection certification for personal information export shall file for record with the national cyberspace administration and submit materials. The required materials are designed to give a full view of the body's professional competence and management, so that certification work is effective from the outset: the certification qualification shows that the body is licensed and professionally capable; its relevant professional work over the past three years shows its practical experience; its certification implementation rules and work plan ensure the process runs in an orderly manner; its data security risk prevention mechanism protects data during certification; its supervision mechanism maintains the authority of the certification and oversight of it; and its dispute acceptance and complaint handling mechanism provides a means of resolving disputes and safeguarding the parties' rights.

(3) Obligations of certification bodies

Article 11 of the Draft for Comments provides: "Where a professional certification body, in the course of certification activities, discovers that a personal information export activity endangers national security or the public interest, or seriously affects the rights and interests of individuals in their personal information, it shall promptly report to the national cyberspace administration and the relevant departments." This imposes a reporting duty on certification bodies when they find abnormal situations; because they are directly involved in the certification work, they are well placed to monitor and report, enabling the authorities to respond quickly and stop harm from spreading.

Article 12 of the Draft for Comments provides: "Within 5 working days after issuing a certification certificate or after a change in its status, the professional certification body shall submit the relevant information on the personal information protection certification certificate for personal information export, including the certificate number, the name of the certified personal information processor, the scope of certification and information on changes in certificate status, to the national certification and accreditation public information platform." This imposes an information submission duty: certification bodies must publish certificate information on the public platform within the prescribed time, ensuring transparency of certification information. The article also provides that the national market regulation department and the national cyberspace administration shall establish a certification information sharing mechanism, strengthen cooperation, and jointly handle problems found during supervision.

Article 13 of the Draft for Comments provides: "Where a professional certification body discovers that a certified personal information processor no longer meets the certification requirements because its personal information export is inconsistent with the scope of certification, it shall promptly suspend or revoke the relevant certification certificate and make this public. Where the national cyberspace administration or the relevant departments discover such circumstances in the course of supervising personal information protection, the professional certification body shall cooperate by promptly suspending or revoking the relevant certification certificate and making this public." This provision sets out the certification body's duty to manage certificates and its duty to cooperate when regulators find problems. Certification bodies must therefore keep monitoring the export activities of certified processors and act promptly when they find non-conformity; and when regulators find problems during supervision, certification bodies must cooperate in handling the violation and prevent further export of personal information that does not meet the certification standards.

(4) Supervision and reporting mechanism

Article 14 of the Draft for Comments provides: "The national market regulation department, together with the national cyberspace administration, shall supervise personal information protection certification activities for personal information export, conduct spot checks on the certification process and results, and evaluate professional certification bodies. Where the national market regulation department finds problems with the service quality of certification activities, it shall, according to the circumstances, issue a warning, order rectification within a time limit, or order suspension of business for rectification; where the body refuses to rectify or fails to complete rectification within the time limit, or where there is fraud, its certification body qualification shall be revoked and this shall be published. Where a professional certification body obtained its filing by improper means such as concealing relevant information or providing false materials, the national cyberspace administration shall revoke the filing; where serious violations occur and administrative penalties such as suspension of business for rectification or revocation of certification body qualification are imposed, the national cyberspace administration shall cancel the filing."

This article defines the supervisory responsibilities of the two main regulators over personal information protection certification activities and the penalties for violations. Spot checks on the certification process and results, together with evaluation of the certification bodies, are meant to keep certification effective and impartial. Quality problems found during certification attract tiered penalties proportionate to their severity, forming a complete regulatory system. In addition, Article 16 empowers cyberspace administrations at provincial level and above, and the relevant departments, to interview personal information processors in specified circumstances. When risks or security incidents arise, regulators can deal directly with the processor to understand the situation, set rectification requirements and solutions, and reduce the personal information security risk as far as possible.

Article 15 provides: "Any organization or individual that discovers a certified personal information processor providing personal information overseas in violation of these Measures may report it to the cyberspace administration at provincial level or above and the relevant departments." This establishes a social supervision and reporting mechanism that encourages organizations and citizens to take part in supervising certified processors, helping regulators learn of and deal with violations in personal information export activities in a timely manner.

4、 Requirements for using personal information protection certification

The Draft for Comments also sets out the accompanying compliance obligations and procedural rules that a personal information processor must satisfy when providing personal information overseas by way of personal information protection certification, as follows:

(1) Applicant and Responsibilities

Article 9 of the Draft for Comments provides: "A personal information processor within the territory of the People's Republic of China applies voluntarily to a professional certification body for personal information protection certification for personal information export. A personal information processor outside the territory of the People's Republic of China that applies for personal information protection certification for personal information export shall do so with the assistance of the dedicated agency or designated representative it has established within the territory, which shall bear corresponding legal responsibility; it shall undertake to comply with the laws and regulations of the People's Republic of China on personal information protection, accept supervision and management, and accept continuous supervision by the professional certification body during the validity period of the certification." This article sets different application methods and responsibilities for domestic and overseas entities. A domestic processor decides for itself whether to apply, based on its business needs; an overseas processor must apply with the assistance of a dedicated agency or designated representative established in China, undertake to comply with Chinese rules, assume the corresponding legal responsibility, and conduct its personal information export activities in an orderly manner within China's legal framework.

(2) Application requirements

To make certification run smoothly and efficiently, a personal information processor applying for personal information protection certification for personal information export should fully understand the standard requirements and the certification process, prepare detailed materials based on its actual business, download the corresponding templates, and truthfully and accurately complete the certification application form, self-assessment form and other supporting materials. The scope of the certification is closely tied to the types, volume and sensitivity of the personal information, the nature of the export processing, the processor's organization and management, the overseas recipient's level of personal information protection, and the legal environment. The applicant must compare and analyze the evaluation methods and applicable indicators for its own business scenarios against its actual situation.

5、 The difference between personal information protection certification and personal information protection standard contract

Personal information protection certification and filing of a standard contract for personal information export are parallel routes to compliant personal information export; an enterprise may choose either according to its needs. The two differ in who applies, in validity period and in who reviews the application, and understanding these differences helps an enterprise choose the compliance measure that best fits its situation.

(1) Differences in application subject

The Draft for Comments makes clear that both domestic and overseas entities may apply for personal information protection certification. A domestic processor decides whether to apply based on its business needs, while an overseas processor must apply with the assistance of a dedicated agency or designated representative established in China, undertake to comply with Chinese rules and bear the corresponding legal responsibility.

The parties to a standard contract for personal information export are the domestic personal information processor and the overseas recipient, and the party filing the contract must be the same domestic party that signed it.

(2) Different validity periods

Under Article 5.1 of the Implementation Rules for Personal Information Protection Certification issued by SAMR and the Cyberspace Administration of China in 2022, a certification certificate is valid for three years. If the certificate is to be renewed on expiry, the certification client must submit the renewal application within the 6 months before the validity period ends, and the certification body issues a new certificate, on the basis of post-certification supervision, to those that still meet the certification requirements.

The term of a filed standard contract for personal information export is freely agreed between the parties in the contract and may remain valid for a long period.

(3) Different auditing agencies

Filing materials for a standard contract for personal information export are submitted through the data export filing system and reviewed by the provincial cyberspace administration. Personal information protection certification requires review and evaluation by a state-approved professional certification body, plus continuous supervision by that body during the validity period, while the national cyberspace administration and the relevant departments supervise and evaluate the certification activities and the certification bodies. As a result, the cost of certification in practice is usually higher than that of standard contract filing.

6、 Summary and Next Steps for the Enterprise

The release of the Draft for Comments is another important measure in China's personal information protection regime, significant for regulating cross-border transfers of personal information and ensuring their security. We also hope that the relevant departments will keep improving the certification measures and the supporting standards in light of practice, so as to promote the free cross-border flow of data while keeping personal information secure.

Given the Draft's impact on existing data export compliance mechanisms, we suggest that enterprises closely follow its finalization and assess, against the current text, its overall effect on their ongoing data export compliance work. Specifically, an overseas personal information processor that needs to process and export domestic personal information should quickly familiarize itself with the certification process and requirements, entrust a dedicated agency or designated representative in China to prepare the application materials as required, and apply for certification proactively. Whether to apply should be decided on the basis of business needs, risk tolerance and the importance attached to personal information protection. An enterprise that decides to apply should check the qualifications and market reputation of candidate certification bodies and choose one with higher service quality and professionalism; closely follow the standards, rules, procedures and guidance issued by the relevant departments so that its conduct keeps pace with the latest requirements; and, before applying, conduct a self-assessment against the evaluation criteria: prepare detailed documentation explaining the legality, legitimacy and necessity of the purpose, scope and method of the export; research the personal information protection policies, laws and security environment of the country or region where the overseas recipient is located and produce a risk assessment report; ensure that the agreement with the overseas recipient sets out personal information protection obligations clearly and specifically; and review the organizational structure, management systems and technical measures of both itself and the overseas recipient, making any necessary improvements.

Notes and citations

[1] Article 38, Paragraph 1 of the Personal Information Protection Law of the People's Republic of China: "If a personal information processor needs to provide personal information outside the territory of the People's Republic of China for business or other purposes, it shall meet one of the following conditions: (1)

[2] Article 3, Paragraph 2 of the Personal Information Protection Law of the People's Republic of China: "If any of the following situations occur in the processing of personal information of natural persons within the territory of the People's Republic of China outside the territory of the People's Republic of China: (1) with the purpose of providing products or services to natural persons within the territory of the People's Republic of China; (2) analyzing and evaluating the behavior of natural persons within the territory of the People's Republic of China; (3) other situations stipulated by laws and administrative regulations