Core Points - The rapid development of the global digital economy has made cross-border data flow a key factor in the global allocation of data elements and high-level international cooperation and competition [1] - The National Internet Information Office and the State Administration for Market Regulation have jointly announced the "Personal Information Exit Certification Measures," detailing the applicable scenarios and application methods for personal information exit certification [1] - The measures will take effect on January 1, 2026 [1]

记者17日从国家网信办获悉：近日，国家互联网信息办公室、国家市场监督管理总局联合公布《个人信 息出境认证办法》，自2026年1月1日起施行。 国家互联网信息办公室有关负责人表示，该办法对多个方面作出细化规定，包括个人信息出境认证的适 用情形、申请方式、认证要求以及专业认证机构应当履行的义务等。该办法明确，个人信息处理者通过 个人信息出境认证的方式向境外提供个人信息的，应当同时符合下列情形：一是非关键信息基础设施运 营者；二是自当年1月1日起累计向境外提供10万人以上、不满100万人个人信息（不含敏感个人信息） 或者不满1万人敏感个人信息，且向境外提供的个人信息中不包括重要数据。个人信息处理者不得采取 数量拆分等手段，将依法应当通过出境安全评估的个人信息通过个人信息出境认证的方式向境外提供。 （文章来源：人民日报） ...

Core Viewpoint - The newly released "Personal Information Outbound Certification Measures" aims to regulate the outbound transfer of personal information, ensuring the protection of personal data rights and promoting safe cross-border data flow, effective from January 1, 2026 [1][2]. Group 1: Certification Applicability and Requirements - The certification applies to non-critical information infrastructure operators that provide personal information to overseas entities, specifically those that have cumulatively provided information to over 100,000 but less than 1 million individuals, or less than 10,000 individuals for sensitive information, without including important data [1]. - Personal information processors must apply for certification through professional certification agencies, which are required to follow basic certification norms and personal information protection rules. The validity of the certification is set for three years [2]. Group 2: Obligations of Certification Agencies - Professional certification agencies must report certification-related information to the national certification and accreditation information public service platform. If a certified entity's outbound activities do not align with the certification scope, the agency must suspend or revoke the certification [2]. - Agencies are also required to report any violations of laws or regulations regarding outbound personal information activities to the relevant national departments [2]. Group 3: Supervision and Management - Certification agencies must file with the national internet information department within 10 working days of obtaining certification qualifications. The national market supervision and internet information departments will oversee the certification activities [2]. - Provincial-level internet departments can conduct interviews with certified entities if significant risks or personal information security incidents are identified [2]. Group 4: Legal Responsibilities - The measures outline legal responsibilities for violations of the certification rules and specify the applicability of the regulations [3].

Core Points - The National Internet Information Office and the State Administration for Market Regulation have jointly announced the "Personal Information Outbound Certification Measures," which will take effect on January 1, 2026 [1][2] - The measures aim to protect personal information rights, regulate outbound personal information certification activities, and promote the efficient and secure cross-border flow of personal information [1] Group 1: Certification Applicability - The certification applies to personal information processors that are not critical information infrastructure operators and have provided personal information to overseas entities, meeting specific thresholds [1] - Specifically, processors must have provided personal information to more than 100,000 but less than 1 million individuals (excluding sensitive personal information) or less than 10,000 individuals for sensitive personal information [1] Group 2: Certification Process and Requirements - Personal information processors must apply for certification through professional certification agencies, which must follow established certification norms and rules [2] - The validity period of the certification is set at three years [2] Group 3: Obligations of Certification Agencies - Professional certification agencies are required to report certification information to the national certification and accreditation information public service platform [2] - If a certified personal information processor's outbound activities are found to be inconsistent with the certification scope, the agency must suspend or revoke the certification [2] Group 4: Supervision and Management - Certification agencies must file with the National Internet Information Department within 10 working days of obtaining certification qualifications [2] - Provincial-level internet information departments can conduct interviews with certified processors if significant risks or personal information security incidents are identified [2] Group 5: Legal Responsibilities - The measures outline legal responsibilities for violations of the certification regulations and specify their applicability [3]