On November 18, 2022, the State Administration for Market Regulation and the Cyberspace Administration of China jointly released the Rules on Implementation of Personal Information Protection Certification (《个人信息保护认证实施规则》) (the "Rules"). The Rules mark a major step toward improving China's specialized institution certification regime for personal information (the "PI") protection. The Rules (in Chinese only) are available at: http://www.cac.gov.cn/2022-11/18/c_1670399936983876.htm.
Please find below a brief summary of the key points found in the Rules.
According to Article 1 of the Rules, the personal information protection certification (the "PI Certification") applies to PI processing activities such as collection, storage, use, handling, transmission, provision, disclosure, deletion and cross-border processing. The applicable scenarios are much broader than the specialized institution certification under Article 38 of the PRC Personal Information Protection Law, which is one of the three legal bases for the cross-border transfer of PI. In the future, PI Certification may come to represent a common form of government accreditation obtained in connection with undertaking various PI processing activities.
PI Certification Standards
On top of effective laws and regulations, the Rules require certified PI processors to comply with the following standards in relation to their PI processing activities:
Information Security Technology — Personal Information Security Specification ((GB/T 35273) 《信息安全技术 个人信息安全规范》); and
Security Certification Specification for Cross-border Processing of Personal Information ((TC260-PG-20222A) 《个人信息跨境处理活动安全认证规范》).
Notably, the National Information Security Standardization Technical Committee has placed on its agenda of another national standards, i.e. the Information Security Technology — Certification Specification for Cross-border Transfer of Personal Information (《信息安全技术 个人信息跨境传输认证要求》).
Foreseeably, these standards will be drafted in a manner that reflects the current best practices in relation to PI cross-border data transfers.
PI Certification Process
According to the Rules, the PI Certification process includes three steps, i.e. technical verification, on-site examination and post-certification supervision. These steps will be undertaken by a certification organization, technical verification organization and other relevant parties. The certification organization will determine and notify applicants of the certification scheme case by case based on their application materials, which include the type and quantity of the PI involved, the scope of the PI processing activities, the capabilities of the technical verification organization, etc. The certification organization will then make a final decision based on its comprehensive evaluation of the certification application materials, technical verification report, on-site examination report and other relevant considerations.
PI Certification Validity Period
Once granted, a PI Certification certificate will be valid for three years, provided that the PI processor continues to meet relevant requirements during post-certification supervision by the certification organization. If the PI Certification certificate needs to be renewed upon expiry, the applicant should submit an application within six months of expiry.
Considering various details have not been finalized for the PI Certification process at the current stage, it is expected that there may be more updates alongside its implementation in the future.