China reveals draft rules on cross-border personal data transfers

China’s government has released a draft version of guidelines on cross-border flow of personal information, opening it for public comments. According to the proposed rulebook, any organization transferring personal information from China to overseas entities must undergo a certification process.

Personal information processors within the territory of China will be required to apply for certification for personal information export to professional certification agencies approved by the State Administration for Market Regulation. The rules, standards and technical regulations for the qualification assessment will be issued by the Cyberspace Administration of China, the country’s main internet regulator.

Certification standards will consider the legality and necessity of the cross-border data transfer, as well as the data protection standards in the destination country.

The guidelines are formulated according to the country’s laws, including the Personal Information Protection Law (PIPL) which regulates biometric data privacy in China. Often compared to the European Union’s GDPR, the 2021 law introduces hefty fines for business operators that fail to protect consumers’ personal information.

PIPL also allows prosecutors to initiate civil litigation and has been used to slow down the unchecked expansion of commercial facial biometrics in industries such as hotels and leisure. Similar to the law, the draft guidelines on cross-border data transfer will open the possibility for organizations and individuals to report violations.

The deadline for public feedback is February 3rd, 2025.

Article Topics

biometrics  |  China  |  cross-border data sharing  |  Cyberspace Administration of China  |  data privacy  |  data protection  |  data sharing  |  regulation