China: Cyberspace Administration of China and State Administration for Market Regulation Measures for the Authentication of Personal Information Exported Abroad (Order No. 20) enter into force

On 1 January 2026, the Cyberspace Administration of China and the State Administration for Market Regulation Measures for the Authentication of Personal Information Exported Abroad (Order No. 20) enter into force. These measures apply to personal information processors who provide personal information outside the People's Republic of China through personal information protection certification. The measures define personal information export certification as a conformity assessment by professional certification bodies, verifying that processors' cross-border data activities comply with relevant laws, regulations, standards, and technical specifications. The certification is applicable to non-critical information infrastructure operators who have provided overseas the personal information of more than 100'000 but fewer than 1'000'000 individuals (excluding sensitive personal information) or the sensitive personal information of fewer than 10'000 individuals since 1 January of the current year. Important data is excluded, and processors must not split quantities to avoid mandatory security assessments. Before applying for certification, processors must fulfil obligations such as obtaining individual consent and conducting a personal information protection impact assessment. This assessment focuses on the legality, necessity, scope, and risks of data processing by both the processor and overseas recipient, along with the impact of recipient country policies. Professional certification bodies conduct activities in accordance with specified rules, issuing certificates valid for three years.