China Intensifies Cross-Border Data Transfer Enforcement with New Certification Rules and Landmark Cases

On October 17, 2025, Chinese regulators unveiled new rules governing the
certification of cross-border personal information transfers, signaling a significant
tightening of the nation’s data export regime. This development, coupled with the
recent publication of two landmark enforcement cases in September, underscores a
new era of stringent data governance in China. For international law firms and their
clients, these changes necessitate an immediate and thorough review of existing
data transfer practices to ensure compliance with the evolving legal landscape.

The new certification rules, along with the enforcement actions in Shanghai and
Guiyang, provide critical insights into how China’s comprehensive data privacy
framework, anchored by the Personal Information Protection Law (PIPL), is being
operationalized. The message from Beijing is clear: the grace period for compliance
is over, and robust enforcement is now a reality. This article analyzes the new
certification rules, dissects the key takeaways from the recent enforcement cases,
and provides strategic guidance for businesses navigating China’s complex cross-border
data transfer requirements.

The New Certification Rules for Cross-Border Data Transfers

The new rules, released by the Cyberspace Administration of China (CAC), establish
a formal certification process for personal information protection (PIP Certification)
as one of the three primary mechanisms for legally transferring personal data out of
mainland China. The other two mechanisms are passing a government-led Security
Assessment and concluding Standard Contractual Clauses (SCCs) with the overseas
recipient. The PIP Certification is designed for multinational corporations and their
subsidiaries, providing a more streamlined process for intra-company data
transfers.

To obtain PIP Certification, companies must engage a CAC-accredited certification
body to conduct a thorough audit of their data processing activities. The audit will
assess the company’s data security capabilities, the necessity of the data transfer,
and the adequacy of the data protection measures implemented by both the data
exporter and the overseas recipient. The certification, once granted, is valid for
three years and is subject to annual reviews.

Landmark Enforcement Cases: The Writing on the Wall

The publication of two enforcement cases in September 2025 by Chinese
authorities provides a stark warning to companies that have not yet brought their
data transfer practices into compliance with the PIPL. These cases, the first of their
kind to be publicly detailed, reveal the specific compliance gaps that regulators are
targeting.

The Shanghai Case: A European Luxury Brand Penalized

In a case that has sent shockwaves through the international business community,
the Shanghai subsidiary of a major European luxury brand was penalized for
illegally transferring customer data to its headquarters in France. The investigation,
triggered by a data breach, found that the company had failed to meet any of the
three legal requirements for cross-border data transfer: it had not conducted a
Security Assessment, signed SCCs, or obtained PIP Certification. Furthermore, the
company had failed to obtain separate and explicit consent from its customers for
the transfer of their personal information overseas.

The Guiyang Case: Cloud Data Synchronization Under Scrutiny

In another case, a company in Guiyang was issued an administrative warning for
using cloud data synchronization services that resulted in the transfer of data to
servers located outside of China. The Yunyan District Cyberspace Administration
found that the company had failed to implement necessary security management
measures for cross-border data transfers, had not fulfilled its security assessment
and compliance review obligations, and had not provided adequate data security
training to its employees. This case highlights the risks associated with the use of
cloud services and the need for companies to have a clear understanding of where
their data is being stored and processed.

Strategic Implications for International Law Firms and Their Clients

The new certification rules and the recent enforcement actions have significant
strategic implications for international law firms and their clients doing business in
China. The following are key considerations for ensuring compliance and mitigating
risks:

Conduct a Comprehensive Data Mapping and Risk Assessment: Companies
must have a clear understanding of what personal information they are
collecting, where it is being stored, and to whom it is being transferred. A
comprehensive data mapping exercise is the first step in identifying potential
compliance gaps.

Choose the Right Data Transfer Mechanism: Based on the nature and
volume of the data being transferred, companies must choose the most
appropriate legal mechanism: Security Assessment, SCCs, or PIP Certification.
The new certification rules provide a viable option for intra-company transfers,
but the requirements are still stringent.

Obtain Separate and Explicit Consent: The Shanghai case underscores the
importance of obtaining separate and explicit consent from individuals before
transferring their personal information overseas. This consent must be
informed, and individuals must be provided with clear information about the
purpose of the transfer and the identity of the overseas recipient.

Implement Robust Data Security Measures: Both the data exporter and the
overseas recipient must implement robust data security measures to protect
the personal information being transferred. This includes technical measures
such as encryption and access controls, as well as organizational measures
such as data security policies and training.

Develop an Incident Response Plan: In the event of a data breach,
companies must have a clear incident response plan in place. This includes
procedures for notifying affected individuals and the relevant authorities in a
timely manner.

Conclusion: The Imperative of Proactive Compliance

China’s new certification rules and the recent enforcement actions mark a turning
point in the country’s data privacy landscape. The message from regulators is
unequivocal: compliance with the PIPL is not optional. International law firms and
their clients must take a proactive approach to data governance, ensuring that their
cross-border data transfer practices are fully compliant with the evolving legal
requirements. Failure to do so will not only result in significant financial penalties
but also reputational damage and loss of customer trust.
