The Cyberspace Administration of China, the country's top internet regulator, is soliciting opinions from the public for a series of newly drafted guidelines on the cross-border flow of personal information.

The draft of the personal information cross-border protection certification measures, formulated in accordance with the Personal Information Protection Law and other Chinese laws and regulations, was released on Friday for consultation, with a deadline for public comments set for Feb 3.

According to the draft, the proposed measures aim to enhance the secure and efficient flow of personal information across borders, establishing a clear framework for the certification process.

According to the draft, the certification should be managed by authorized professional organizations that have received approval from the State Administration for Market Regulation. These organizations would assess the personal information handling practices of companies transferring data overseas.

Under the new rules, any organization that needs to transfer personal information from China to overseas entities must undergo a certification process. This includes cases in which personal information collected and generated in China is transmitted abroad or stored domestically but made accessible to foreign parties. Certification would also be required for foreign entities processing Chinese personal data.

Key criteria for certification will focus on the legality and necessity of the cross-border data transfer, as well as the impact of data protection standards in the destination country on personal information overseas, according to the draft.

The certification process will also evaluate whether the foreign data processor's practices align with Chinese data protection laws and whether binding legal agreements between Chinese companies and foreign entities clearly define data protection responsibilities, it added.

The evaluations will include the organizational and technical measures in place to safeguard data security and individuals' privacy rights.

Meanwhile, the draft establishes strict conditions for domestic personal information processors seeking to transfer personal data abroad, setting quantitative limits on the scale of data transfers.

It stipulates that certification applies to entities transferring nonsensitive data of more than 100,000 but fewer than 1 million individuals annually, or sensitive personal data of fewer than 10,000 individuals.

Ma Qingquan, a lawyer from Wincon Law Firm in Qingdao, Shandong province, said in an article explaining the draft that the introduction of these measures provides clear compliance pathways and responsibilities for personal information handlers involved in cross-border data transfers.

For certification agencies, the measures standardize each step of the process to ensure the professionalism and fairness of the certification work, while offering specific supervisory frameworks for regulatory authorities to enhance effectiveness, Ma added.