Key Points
- China has released new rules for transferring personal information outside the country.
- Companies will now need to get a special certification for certain data transfers.
- The rules apply to a broad category of “non-critical information infrastructure operators.”
- The government says the goal is to protect personal information and ensure data security.
- The new rules will take effect on January 1, 2026.
Chinese regulators have released new rules that will require companies to get a special certification before they can transfer certain types of personal information outside of the country. The move is the latest step in Beijing’s ongoing effort to tighten its control over the flow of data.
The new framework, announced on Thursday by China’s cyberspace and market regulators, is aimed at “non-critical information infrastructure operators.” This is a broad category that could include a wide range of companies.
These companies will now have to apply for and receive a certification before they can move certain kinds of personal data across borders.
In a statement, the government said the goal of the new rules is to protect the rights of individuals and to promote the “secure and efficient” flow of data. However, for international companies operating in China, the new certification requirement is likely to add another layer of bureaucracy and uncertainty to their operations.
The new rules are set to take effect on January 1, 2026. This is part of a larger trend in China, which has been steadily rolling out new laws and regulations to govern data security and cross-border data flows, a major point of concern for foreign businesses.