Executive summary

According to the China Personal Information Protection Law (“PIPL”), certification of cross-border data transfer by an organisation designated by the Chinese regulator can be used as a mechanism for cross-border data transfers from China. In June 2022, the National Information Security Standardization Technical Committee issued the Cybersecurity Practices Guideline relating to the Safety Certification Specification for Cross-Border Processing of Personal Information (the “Certification Guideline”), a set of guidelines for handling such certification. It also serves as a set of recommended guidelines for data handling.

Scope of Application

The Certification Guideline is expressly applicable in the following scenarios:

(1) Cross-border personal information transfer between the subsidiaries or associate companies of multinational companies or other economic organisations.

(2) Processing, outside of China, of the personal information of natural persons located in China, if the processing is (a) for the purpose of providing products or services to natural persons located in China; (b) to analyse or assess the conduct of individuals located in China; or (c) under any other circumstance prescribed by Chinese laws or regulations.

Under scenario (1) above, if a company is to proceed with certification, the certification should be initiated by the entity in China, and that entity would bear the legal responsibility. Under scenario (2) above, if the data processor outside of China is to proceed with certification, the certification may be initiated by its designated representative in China, and that representative would bear the legal responsibility.

Basic Requirements

The Certification Guideline has set out the following basic requirements for certification.

(1) Legally Binding Agreement

There shall be an agreement between the data controller and the recipient of personal information outside of China. The agreement shall cover certain basic matters, such as the details of the cross-border processing activities. Importantly, the data recipient located outside of China shall undertake to accept supervision by the certification organisation and to be bound by the relevant Chinese laws and regulations.

(2) Organisation Management

Each of the data controller and the data recipient located outside of China shall proceed as follows:

1. Appoint a responsible person to conduct the data protection work, analogous to the role of a data protection officer under the EU’s General Data Protection Regulation (GDPR).

2. Set up an organisational structure that handles data-related work, such as personal data access requests and complaints.

(3) Personal Information Cross-Border Processing Rules

Both the data controller and the data recipient located outside of China shall comply with the same set of personal information processing rules, which cover basic matters such as the manner of handling personal data, the duration of data storage, and the permissible locations for data relays.

(4) Impact Assessment

Before a cross-border personal data transfer may proceed, an impact assessment shall be conducted. The assessment shall evaluate items such as the legality of the data transfer, whether the protection measures are compatible with the risk levels, and whether the data subjects’ rights will be undermined.

(5) Protection of Data Subjects’ Rights

Various requirements are set out for the protection of data subjects’ rights. The key requirements are:

• Data subjects have the right to information, the right to withdraw consent, and the right of access;

• Data subjects have the right to require a copy of the relevant part of the agreement between the data controller and the data recipient located outside of China;

• Data subjects have the right to reject automated decision making;

• Data subjects have the right to complain to Chinese regulators.

Follow up

The PIPL prescribes that, for certification to be used as a mechanism for cross-border data transfer from China, the certification must be conducted by an organisation designated by the Chinese regulator. It is expected that such organisations will be designated for this purpose as the next step.