China Clarifies Requirements on Personal Information Protection Certification
On October 14, 2025, the Cyberspace Administration of China (CAC, 国家互联网信息办公室) and the State Administration For Market Regulation (SAMR, 国家市场监督管理总局) jointly issued the Measures on Certification For Cross-Border Transfer of Personal Information (Measures, 个人信息出境认证办法), which will take effect on January 1, 2026. The Measures are the final version of the draft for public comment published by the CAC on January 3, 2025, and present challenges and opportunities for businesses operating in or interacting with China.
Background
The Personal Information Protection Certification (PIP Certification, 个人信息保护认证) issued by CAC-Approved Certification Institutions (Certification Institution, 认证机构) is one of the three mechanisms — along with CAC Security Assessment (Security Assessment, 数据出境安全评估) and filing Standard Contractual Clauses (SCC Filing, 个人信息出境标准合同备案) — set forth under the Personal Information Protection Law (PIPL, 个人信息保护法) for the cross-border transfer of personal information.[1]
PIP Certification aligns with international practice, including the European Union’s General Data Protection Regulation (GDPR).[2] Unlike the Security Assessment and the SCC Filing, for which the CAC has released multiple regulations, rules, and practical guidance, to date there has been little guidance on how PIP Certification should be used for cross-border data transfer. We have summarized major existing rules and national standards relating to the PIP Certification process in Appendix A below.
Scope of Application
Article 5 of the Measures states that PIP Certification is applicable where the data processor:
- Is not a Critical Information Infrastructure Operator (CIIO)
- Has cumulatively transferred the personal information of more than 100,000 individuals and less than one million individuals overseas within a year, or has cumulatively transferred the sensitive personal information of less than 10,000 individuals overseas within a year
Note that data processors should not apply for PIP Certification to circumvent the Security Assessment by disaggregating data volume. Rather, data processors should review their ongoing and planned cross-border data transfers and determine which of the three cross-border data transfer mechanisms is most appropriate. The criteria for the use of these three mechanisms are set forth below:[3]
| Data Type | Number of Individuals (Cumulatively Since January 1 of the Current Year) | | | |
| | < 10,000 individuals | 10,000 to 100,000 individuals | 100,000 to 1 million individuals | ≥ 1 million individuals |
| Personal Information (Non-CIIO) | N/A | N/A | PIP Certification/SCC Filing | Security Assessment |
| Sensitive Personal Information | PIP Certification/SCC Filing | Security Assessment | Security Assessment | Security Assessment |
| Personal Information (CIIO)/Important Data | Security Assessment | Security Assessment | Security Assessment | Security Assessment |
Key Steps For PIP Certification
1. Pre-Application Requirements
Article 6 of the Measures provides the requirements data processors should fulfill before applying for PIP Certification. First, data processors should inform and obtain separate consent from the individuals whose data will be transferred, which is the fundamental requirement for cross-border transfer of personal information laid out in the PIPL. In addition, data processors should perform a Personal Information Protection Impact Assessment (PIA) before applying for certification. The Measures list six areas of focus for a PIA (which are similar to the PIA required for SCC Filing), including:
1. The legality, legitimacy, and necessity of the purpose, scope, and method of processing personal information by both the personal information processor and the foreign recipient
2. The scale, scope, type, and degree of sensitivity of the personal information to be transferred abroad, and the risks that the cross-border transfer of personal information may impose on national security, public interests, and personal information rights
3. The obligations the foreign recipient commits to undertake, and whether its management and technical measures and capabilities could guarantee the security of the personal information to be transferred abroad
4. The risks of personal information being tampered with, damaged, leaked, lost, or illegally used after it has been transferred abroad, and whether there are adequate channels for protecting personal information rights
5. The impact of the personal information protection policies and regulations of the country or region where the foreign recipient is located on personal information security and personal information rights
6. Other matters that may affect the security of the cross-border transfer of personal information
2. Applying for PIP Certification
The application materials for PIP Certification should be submitted in accordance with the requirements set forth by the Certification Institutions, and may therefore vary from one institution to another. For example, the sample application form released by the China Cybersecurity Review, Certification and Market Regulation Big Data Center (CCRC, 中国网络安全审查认证和市场监管大数据中心), one of the main Certification Institutions in China, requires companies to provide information on data processors, foreign recipients, the personal information involved, and also to provide:[4]
- Business process, data flow diagrams, and descriptions relating to the cross-border data transfer (Section 3.3.2)
- Organizational structure, and roles and responsibilities of the departments involved in the cross-border data transfer (Section 3.4.3)
- A list of business systems involved in the cross-border data transfer and introductions of these systems’ frameworks and functions, including descriptions on the relationships between these systems and the data processor’s cross-border business activities (Appendix B)
After receiving the application materials, the Certification Institution shall determine the certification plan (认证方案), by considering the type and quantity of personal information involved and the scope of personal information processing activities involved. The Certification Institution will then inform the data processor of the certification plan.
3. Evaluation and Issuance of PIP Certification
Article 3 of the Implementation Rules for Personal Information Protection Certification (Implementation Rules, 个人信息保护认证实施规则) provides that the process for PIP Certification includes technical verification, on-site review, and post-certification supervision. When a Certification Institution performs the evaluation of the applicant’s overall personal information protection status, it will also follow its own certification rules in addition to the Measures, the Implementation Rules, and other relevant regulations, guidance, and national standards. The Certification Institution may also engage third parties to perform the technical verifications.
PIP Certification is valid for three years. After obtaining a valid PIP Certification, data processors may transfer data abroad freely so long as the transfer (1) is within the scope of the PIP Certification and (2) conforms to the Certification Institution’s requirements. If the data processor needs to renew its PIP Certification, it shall file an application six months prior to the expiration of its current PIP Certification. Information on the issuance, renewal, and/or revocation of PIP Certifications will be reported to the National Certification And Accreditation Information Public Service Platform (全国认证认可信息公共服务平台) by the Certification Institution.
4. Post-Certification Supervision
Article 4.5 of the Implementation Rules states that the Certification Institution should conduct routine supervision of valid PIP Certifications to ensure that data processors conform to the certification requirements. Additionally, Article 13 of the Measures provides that the SAMR and the CAC may perform spot checks on Certification Institutions, the certification assessment process, and the results of certification assessments.
Takeaways
The Measures provide practical guidance for companies operating in China. Many companies may be faced with a choice of whether PIP Certification or SCC Filing better suits their operations. We have therefore summarized the main differences between PIP Certification and SCC Filing for reference.
| Differences | PIP Certification | SCC Filing |
| Responsible Authority | CAC-Approved Certification Institutions | Provincial CAC |
| Method of Evaluation | Comprehensive evaluation by the Certification Institution and/or third parties it authorizes; potential on-site inspection | Materials prepared and submitted by applicant; no on-site inspection |
| Valid Period | Three Years | Valid as long as SCC remains valid |
| Renewal | Renewal applications should be filed six months prior to the expiration of PIP Certification | Update or revise if there are changes in the transfer purpose, server location, data recipients, or other conditions provided in the relevant regulations |
| Other Considerations | Potential on-site inspection | Signing and filing standard contractual clauses with multiple foreign recipients may be burdensome |
| Features | More suitable for companies in need of regular cross-border transfers of larger amounts of personal information | More suitable for companies in need of occasional cross-border transfers of smaller amounts of personal information |
Some issues remain unresolved with regard to the implementation of PIP Certification. For example, the differences between the valid legal agreements regarding cross-border transfer, which were required in the Cybersecurity Standard Practice Guide, and the standard contractual clauses required by SCC filing are unclear. We expect further clarification from regulators on this and other issues as additional guidance and rules are issued.
Appendix A: List of Major Existing Rules and National Standards Relating to the Overall PIP Certification Process
| No. | Name | Date Released | Summary |
| 1 | Implementation Rules for Personal Information Protection Certification 个人信息保护认证实施规则 | Released by the CAC and the SAMR on November 4, 2022 | 1. Provides two types of PIP Certifications: one without cross-border data transfer, the other with cross-border data transfer (certification marks: PIP Certification without cross-border data transfer; PIP Certification with cross-border data transfer; in both, ABCD refers to the identity of the Certification Institution) 2. Specifies PIP Certification process: technical verification, on-site review, and post-certification supervision |
| 2 | Cybersecurity Standard Practice Guide—Specification for Security Certification of Cross-Border Processing of Personal Information V2.0 (TC260-PG-20222A) 网络安全标准实践指南—个人信息跨境处理活动安全认证规范V2.0 | Released by the SAC/TC260[5] on December 16, 2022 | 1. A national recommended standard and therefore not legally binding 2. Provides general principles of evaluation for Certification Institutions and reference for data processors 3. Lists requirements for cross-border data transfer, which mainly include valid legal agreements regarding cross-border transfer, Personal Information Protection Officer (PIPO) and Personal Information Protection organization, cross-border personal information protection rules, and Personal Information Protection Impact Assessment (PIA) 4. Lists personal information rights and the responsibilities and obligations of the data processor and the foreign recipients |
| 3 | Data Security Technology — Security Certification Requirements for Cross-Border Processing Activity of Personal Information (GB/T 46068-2025) 数据安全技术—个人信息跨境处理活动安全认证要求 | Released by the SAMR on August 29, 2025; takes effect on March 1, 2026 | 1. A national recommended standard and therefore not legally binding 2. Provides general requirements on cross-border data transfer as a reference for both data processors and Certification Institutions, regulators, and other entities 3. Provides principles and requirements similar to those listed in the Cybersecurity Standard Practice Guide 4. Appendix A provides five typical scenarios relating to cross-border transfer of personal information 5. Appendix B provides a sample report for Personal Information Protection Impact Assessment (PIA) |
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[3] This chart does not include scenarios in which Security Assessment, PIP Certification, and/or SCC Filing are waived.
[4] Section 1.2 also provides relevant applicable national standards, including Information Security Technology — Personal Information Security Specification (GB/T 35273-2020) (信息安全技术 个人信息安全规范) and the Cybersecurity Standard Practice Guide.
[5] National Technical Committee 260 on Cybersecurity of Standardization Administration of China (全国网络安全标准化技术委员会).

