Colombian racing driver Tatiana Calderon brings a wealth of experience in single-seater racing, including Indycar, Formula 2, GP3, and Super Formula. Currently competing in the 2024 IMSA SportsCar…
Blog
-

Could ChatGPT help smokers kick the habit? GW University researchers study new chatbot
WASHINGTON, D.C. (7News) — Researchers at George Washington University are studying artificial intelligence to see if the technology could help people quit smoking.
Smoking is a hard habit to kick. Less than one in 10 adults who smoke…
-

China Releases Cross-Border Data Transfer Certification Measures
The final piece of China’s cross-border data transfer framework has now been released with the issuance of the Certification Measures. Effective January 1, 2026, businesses must closely monitor certification institutions, standards, and application procedures. Early preparation and strategic planning will be essential for long-term compliance and risk management.
On October 14, 2025, the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) jointly issued the long-awaited Measures for Certification of Cross-Border Personal Information Transfer (hereinafter referred to as the “Measures”), which will officially take effect on January 1, 2026.
The release of the Measures marks a pivotal moment in China’s data governance landscape. It completes the three-pathway framework for cross-border personal information transfers established under the Personal Information Protection Law (PIPL).
With the certification method now fully defined, China’s regulatory architecture for cross-border data transfer (CBDT) is considered comprehensive and operational.
The Measures clarify key aspects of the certification process, including scope and applicability, application procedures, certification body obligations, as well as supervision and enforcement.
This final regulatory piece enhances legal certainty for businesses. It offers enterprises another structured compliance pathway and may prove especially beneficial for multinational corporations engaged in frequent or large-scale data transfers.
Certification in China’s CBDT framework
Under Article 38 of PIPL, personal information processors in China who need to transfer personal data overseas for business or operational purposes must choose one of three legally prescribed pathways:
- Undergo a security assessment organized by the CAC, except where exempted by relevant laws and regulations.
- Undergo a certification for cross-border personal information (PI) transfer by a professional institution in accordance with the regulations of the CAC.
- Sign a standard contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC.
- Meet other conditions set by the CAC or relevant laws and regulations.
Since 2022, China has gradually built out this framework through a series of regulatory instruments. The Security Assessment Measures, released in July 2022, laid out detailed procedures for high-risk data transfers. In February 2023, the Standard Contract Measures were issued and came into effect in June, providing a more accessible compliance route for many businesses.
However, the certification pathway remained incomplete for some time. While several technical standards and guidelines were released – such as the Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (December 2022) and the Information Security Technology – Certification Requirements for Cross-Border Transmission of Personal Information (March 2023) – a formal regulatory document was still missing.
With the release of the Measures, this long-awaited document now provides the legal and procedural foundation for certification, aligning with earlier standards and the CAC’s January 2025 draft for public consultation.
Moreover, China’s State Administration for Market Regulation (SAMR) and Standardization Administration of China (SAC) jointly released the Data security technology—Security certification requirements for cross-border processing activity of personal information (GB/T 46068-2025), which will take effect on March 1, 2026.
All these developments signal that the three pathways for CBDT under the PIPL are now fully operational, marking a significant milestone in China’s data governance regime.
Applying for a certification for CBDT
The newly released Measures for Certification of Cross-Border Personal Information Transfer outline the specific conditions under which personal information processors may opt for the certification pathway to legally transfer personal data overseas.
Scope of application
To be eligible for certification, a personal information processor must meet all of the following criteria:
- It is not a critical information infrastructure operator (CIIO)
- Transfer volume thresholds:
  - Since January 1 of the current year, it has transferred the PI of between 100,000 people and one million people out of China (excluding sensitive PI).
  - Since January 1 of the current year, it has transferred the “sensitive” PI of less than 10,000 people out of China.
- The data being transferred must not include important data as defined by Chinese regulations.
Importantly, the Measures prohibit data volume splitting or other circumvention tactics to avoid the security assessment requirement. If the data transfer volume exceeds the thresholds for certification, the processor must undergo a security assessment instead.
Pre-application obligations
Before applying for certification, personal information processors must fulfill several legal obligations, including:
The PIPIA must evaluate:
- The legitimacy, necessity, and scope of data processing by both the processor and the overseas recipient;
- The volume, sensitivity, and type of data being transferred, and potential risks to national security, public interest, or individual rights;
- The technical and organizational safeguards promised by the overseas recipient;
- The risk of data breaches or misuse, and the effectiveness of redress mechanisms;
- The legal environment of the recipient’s jurisdiction and its impact on data protection; and
- Any other factors that may affect the security of the data transfer.
The PIPIA report should be retained for at least three years.
Application process
Processors must apply for certification through a professional certification institution authorized to conduct personal information protection audits. For overseas processors, the application must be submitted via a designated domestic representative or entity.
Once the application is approved, the institution will issue a certificate, valid for three years. To maintain continuity, processors must reapply six months before the certificate expires.


Supervision and enforcement
The Measures establish a multi-layered oversight mechanism:
- National and provincial CAC and market regulation authorities will conduct regular and ad hoc inspections of certification activities and outcomes.
- If certified processors are found to pose significant risks or experience data security incidents, authorities may initiate interviews and require corrective actions.
- Whistleblowers, including organizations and individuals, may report violations to certification bodies or regulators.
- Violations of the Measures may result in penalties under the PIPL, Cybersecurity Law, and Certification and Accreditation Regulations, and may lead to criminal liability where applicable.
Comparing standard contract vs. certification
Under China’s CBDT mechanisms, both the standard contract and certification pathways provide legal mechanisms for cross-border transfers of personal information. While they share many similarities, such as overlapping applicability and similar pre-transfer obligations, their structural differences make them suitable for distinct business scenarios.
The standard contract is a self-managed process in which enterprises sign a fixed-format agreement with the overseas recipient, strictly following the CAC’s template. After conducting a self-assessment, the enterprise submits the contract and related materials for filing with the provincial CAC, which may conduct formal or substantive reviews. As a commercial agreement, the standard contract is not publicly disclosed, and its contents are not subject to public scrutiny or external evaluation.
In contrast, certification is conducted by third-party professional institutions based on CAC-issued rules. It involves a comprehensive review of the enterprise’s technical, organizational, and governance measures. Unlike the standard contract, certification carries a degree of public authority – it reflects, to some extent, administrative recognition of the enterprise’s data protection capabilities. For companies with high reputational stakes in personal information protection, certification offers a credible external endorsement of their compliance posture.
The compliance focus also differs. The standard contract emphasizes the legal obligations of a specific data transfer, ensuring the overseas recipient agrees to uphold data subject rights and assumes clear data protection responsibilities. Certification, on the other hand, assesses the enterprise’s overall compliance framework, including internal governance, data protection systems, and technical safeguards. It promotes ongoing compliance and dynamic supervision. In practice, the standard contract is more suited to “one-off” or occasional transfers, while certification is better aligned with enterprises engaged in frequent or long-term cross-border data activities.
Post-transfer supervision further distinguishes the two. With the standard contract, enterprises are responsible for monitoring the overseas recipient’s compliance, and CAC oversight is primarily conducted through the filing system. Certification bodies, however, implement continuous monitoring mechanisms. Certificates may be suspended or revoked, and violations are publicly disclosed, creating external compliance pressure.
Given these differences, the standard contract is generally more appropriate for low-volume, low-risk transfers. It is relatively easy to implement but offers limited flexibility due to its fixed format. Certification, by contrast, is better suited for enterprises with frequent, high-risk, or high-profile data transfers, or those seeking to demonstrate a high level of data protection. The certification is valid for three years, helping reduce repetitive compliance efforts.
Enterprises should assess their business scale, data export scenarios, and compliance capacity to select the most appropriate pathway for CBDT.
| Aspect | Standard Contract | Certification |
| --- | --- | --- |
| Legal nature and review mechanism | Enterprises sign a fixed-format agreement with the overseas recipient, following CAC’s template. Self-assessment and filing with provincial CAC; subject to formal or substantive review. | Conducted by third-party institutions under CAC rules. Reviews technical, organizational, and governance measures. Carries independent credibility. |
| Compliance focus and depth | Focuses on contractual obligations. Ensures overseas recipient upholds data subject rights and assumes data protection responsibilities. | Evaluates full compliance framework, including governance, systems, and safeguards. Emphasizes ongoing and dynamic compliance. |
| Post-transfer supervision and accountability | Enterprises monitor recipients’ compliance. CAC oversight via the filing system. | Certification bodies provide continuous monitoring (e.g., annual inspection). Certificates may be suspended or revoked; violations are publicly disclosed. |
| Applicability and flexibility | Best for low-volume, low-risk transfers. Easy to implement, but limited flexibility due to fixed format. | Suited for frequent or high-risk transfers. Valid for three years, reducing repetitive compliance. |
| Cost | Self-declaration will not incur any cost | The certification body will charge relevant fees. |

What to watch next?
As the Measures prepare to take effect on January 1, 2026, enterprises should go beyond understanding the basic provisions and actively monitor several key developments to ensure compliant and efficient implementation.
Key areas to monitor include:
- Certification institutions and qualifications: Certification must be conducted by professional institutions that have obtained official qualifications for personal information protection certification. While the list of authorized institutions has not yet been released, it is expected to be jointly determined by the SAMR and CAC.
- Certification standards and technical specifications: The Measures indicate that the CAC, together with relevant data governance authorities, will formulate detailed certification standards and technical specifications, while the market regulation authorities will define certification rules, certificate formats, and usage guidelines.
- Application procedures and operational details: While the Measures outline the general process, many practical details remain to be clarified or will be defined by certification institutions, such as required documentation beyond the PIPIA report (such as data inventory, agreements, internal governance policies), online/offline application channels, review timelines and feedback mechanisms, proof of compliance capability for overseas recipients, and so on.
Companies are advised to consult the official websites of the CAC, SAMR, and the Certification and Accreditation Administration of China (CNCA) for timely updates and implementation guidance.
Key takeaway
Personal information protection certification is a critical mechanism for enabling compliant, trustworthy, and internationally aligned data flows. As the Measures enter into force in 2026, enterprises must pay close attention to the qualifications of certification institutions, evolving standards and procedures, and long-term compliance obligations. For legal, compliance, and information security professionals, now is the time to study regulatory trends, plan ahead, and strengthen internal capabilities to ensure a smooth transition into the new regime.
If you need further interpretation or practical support, our team at Dezan Shira & Associates is here to assist you with tailored guidance and hands-on expertise. For more information, please get in touch with China@dezshira.com.
-

Cause of Lostprophets singer Ian Watkins’ Wakefield prison death outlined at inquest
Disgraced Lostprophets singer Ian Watkins died after being stabbed in the neck in an alleged prison attack, an inquest has heard.
Watkins, 48, died on 11 October after being assaulted at HMP Wakefield, where he had been serving a 29-year sentence…
-

The school for astronauts hidden inside a Swiss mountain
Deep inside a Swiss mountain, a group of students spent some of the summer simulating what life might be like inside a lunar base. The BBC joined them before the “mission”.
What was your childhood dream? For some, it was the idea of becoming an…
-

Prince Andrew took money from firm linked to ripped-off pensioners
Prince Andrew was paid tens of thousands of pounds by a British businessman linked to a wealth management company which ripped off pension savers.
The King’s brother, who last week said he would no longer use his titles including the Duke of York, has long faced questions about his finances and how he is funding his lifestyle.
He stepped down as a working royal in 2019 because of his association with the sex offender Jeffrey Epstein and no longer receives any money from the King.
Although his finances remain opaque, details of some of his arrangements and controversial business associates have occasionally emerged from court cases.
Prince Andrew did not respond to requests for comment.
Documents from the High Court in London show that Andrew received £60,500 from a British businessman, Adrian Gleave, in December 2019, a few weeks after the BBC Newsnight interview which led to his withdrawal from public life.
The payments came to light in a High Court case brought by an elderly Turkish millionaire, Nebahat Isbilen, who claimed money she had paid to Andrew and his ex-wife Sarah Ferguson had been misappropriated by a business adviser.
That money was funnelled through a British company owned by Mr Gleave, Alphabet Capital Limited.
According to an “agreed statement of facts signed by or on behalf of the Duke and Duchess, Mr Gleave and Alphabet”, Mr Gleave’s company Alphabet had “previously made, and might in the future make, substantial payments to HRH Prince Andrew the Duke of York”.
The payments Prince Andrew received directly from Mr Gleave and his businesses, which were also sent via Alphabet Capital, came months after the businessman had stepped down as a director of SVS Securities – a company which had been ordered to stop trading by the financial regulator over pension mis-selling allegations.
SVS Securities collapsed in August 2019, days after the Financial Conduct Authority (FCA) had ordered it to stop regulated activities.
Clients’ pension funds were found to have been invested in high-risk bonds against their interests in order to generate large commissions for SVS.
Some investments made on the basis of the undisclosed commissions then defaulted, leaving customers with substantial losses. Investors were also charged large fees to withdraw funds in an effort to boost profits, the FCA found.
Mr Gleave, 55, was head of business development at SVS, which he had joined in 2013.
He remained a registered director on the FCA’s register until late July 2019, less than two weeks before the regulator’s intervention.
He had been a company director registered with Companies House until a couple of months earlier, although on LinkedIn he claims to have left the business in November 2018.
Three SVS directors were later banned and fined by the FCA but Mr Gleave was not one of them. Two are appealing the decision.
The Financial Services Compensation Scheme has paid out more than £41m to former SVS customers.
At the time of his dealings with Prince Andrew, Mr Gleave also ran a number of caravan and mobile home parks in Northern Ireland and England.
At one point, he was reported to have worked out of one of the parks, a retirement village for over-55s on the east coast of Northern Ireland.
Ten of the parks have since gone into administration and Mr Gleave, who did not respond to a request for comment, now works for a renewable energy company with a focus on AI and crypto financing.
Neither Prince Andrew nor Mr Gleave has ever explained the reason for the payments or the nature of any contractual relationship between the two men.
Baroness Margaret Hodge, a former chair of the Commons public accounts committee, said Mr Gleave’s business background raised questions for Prince Andrew about his judgement and financial dealings.
“This is yet another instance where a dose of transparency would help answer legitimate questions about the origins of the money and the purpose of the payment,” she said.
“Without those answers any sceptical person would be worried that there might be some financial wrongdoing taking place and this would risk sullying the reputation of the Royal family,” she added.
As well as the payments he made himself, Mr Gleave’s company, Alphabet Capital, was also used to funnel significant sums which had originated from Ms Isbilen to Prince Andrew and his ex-wife Sarah, court documents show.
Ms Ferguson was paid £50,000 by Alphabet Capital in February 2020. It has previously been reported that she was paid £20,000 by Alphabet for a role advising the company and that she also received more than £200,000 to cover work she had done as a brand ambassador for a US solar energy company.
Prince Andrew was separately given £750,000 directly by Ms Isbilen, money which he has repaid.
Another £10,000 was paid from Alphabet Capital to the couple’s daughter, Eugenie. This, along with a £15,000 payment from Ms Isbilen’s business adviser has previously been described by Eugenie as a gift from a “long-standing family friend” which she said was to pay for a surprise birthday party for her mother, Sarah.
Alphabet Capital filed accounts claiming it was a dormant company at the time of the payments. These were later corrected but listed a turnover of just £80,000.
Prince Andrew and Mr Gleave did not respond to requests for comment.
-

Star Vicky McClure on Lana
ITV’s hit drama Trigger Point, starring Vicky McClure (Line of Duty, Alex Rider), as Explosives Officer, or Expo, Lana Washington, an Afghan War veteran, is returning to U.K. screens for season 3 on Sunday. And it is set to be another…
-
In ‘Mistress Dispeller,’ a Story as Old as Time (With a Very New Twist) – The New York Times
In cities across China, there’s a special kind of consultant you can hire if you find out your spouse is cheating. They’re called “mistress…
-

Selena Gomez celebrates ‘In the Dark’ debut with mom
Selena Gomez proved that some…
-

The U21 Cricketers in the Quaid-e-Azam Trophy
Red-ball cricket has long been considered the true test of a player’s skill, temperament, and character. For Pakistan, a nation with a proud yet turbulent cricketing history, the future of its Test setup depends heavily on how well it…
