Certification by a professional institution is one of the mechanisms permitted under China’s Personal Information Protection Law (PIPL) to legitimizing cross-border transfers of personal information. Other permitted mechanisms include governmental security review and standard contractual clauses to be issued by Chinese government. However, to date, there have been no clear rules on the criteria and procedures for obtaining the PIPL certification.
On April 29, 2022, the National Information Security Standardization Technical Committee (known as “TC260”) published the draft Practical Guide to Cyber Security Standards – Technical Specification for Certification of Cross-Border Data Processing Activities (the Certification Rules) for public comment. The Certification Rules provide some potential clarity on the requirements that companies must follow in order to have their cross-border data processing activities certified (more details below), but also leave some important questions open, e.g., which professional institutions are authorized to issue certification.
Companies cannot obtain a certification at the moment; the certification option will only become available in practice after CAC finalizes the Certification Rules and designates the certification institutions. We expect that Cyberspace Administration of China (CAC) will designate several institutions to issue certification in accordance with the Certification Rules. There is, however, no published timeline on when this will happen.
The Certification Rules would only apply to the following two situations:
- cross-border data processing activities within a multinational corporation or the same economic, business entity; and
- processing of Chinese individuals’ personal information by an overseas data controller which is subject to the exterritorial application of PIPL.
It is unclear what is meant exactly by “a multinational corporation or the same economic, business entity.” We expect that cross-border transfers of personal information among affiliated companies in one group can be certified in accordance with the proposed Certification Rules, although these companies may be independent legal persons or entities in different jurisdictions.
It seems that non-affiliated entities are excluded from the application scope of these proposed Certification Rules, although PIPL itself does not limit the certification mechanism to affiliated companies only.
The proposal prescribes the following principles for certification of cross-border data processing activities:
- lawfulness, fairness, necessity and integrity;
- public disclosure and transparency;
- information quality;
- equal protection;
- accountability; and
- voluntary certification.
Cross-border data processing activities would be required to comply with a series of legal, contractual and organizational requirements in order to be certified in accordance with the Certification Rules. For example, the parties involved in the cross-border data processing activities would be required to:
- sign a legally binding and enforceable instrument, which shall include, among other requirements, the parties’ commitments to accept supervision from the certification institution, and to be governed by Chinese privacy laws and regulations;
- appoint a data protection officer who shall be a member of the decision-making body of the relevant party, and set up a data protection institution to handle data subject requests and monitor the cross-border data processing activities;
- formulate and adhere to a uniform set of data processing rules, which shall include
- mapping of the categories, sensitivity and amount of the personal information to be processed;
- the purpose, method and scope of the cross-border data processing;
- the period during which personal information will be stored outside of China, and the measures to be taken when the storage period expires;
- any transit country or region required by the cross-border data processing;
- resources and measures required for protection of data subjects’ rights and interests; and
- rules for compensation and handling of data security incidents;
- conduct data protection impact assessments;
- respect the following rights of data subject:
- the right to be a third-party beneficiary of the parties’ agreement pertaining to protection of data subjects, and to obtain a copy of the relevant provisions;
- the right to make complaints and reports to the competent Chinese authorities;
- the right to initiate lawsuits in Chinese courts against the relevant parties involved in the cross-border data processing; and
- all other existing statutory rights under PIPL.
China’s regulatory regime for cross-border data transfers is still evolving. Compared with the other two transfer mechanisms under the Chinese data regime (i.e., governmental security review and standard contractual clauses), the certification route has received relatively less attention from international companies.
The proposed Certification Rules seem to have been specifically tailored to the needs of multinational companies and overseas data controllers, and provide an alternative to the standard contractual clauses route for companies that are not subject to a mandatory security review. There is no published timeline on when the Certification Rules will be finalized. But, given the standard contractual clauses have not been published yet, it is possible that the Certification Rules may be finalized and take effect earlier. International companies may accordingly wish to keep a close watch on the development of this alternative data transfer mechanism.