On 24 June 2022, the Secretariat of the National Information Security Standardisation Technical Committee (TC260) issued the Technical Specification for Certification of Cross-Border Transfers of Personal Information (the Certification Specification), eight weeks after it first issued the draft of the same name (the Draft). The relatively speedy finalisation of the Certification Specification is a reflection of the emphasis being placed by the Cyberspace Administration of China (CAC) on cross-border data transfers.
The Certification Specification supplements Article 38(2) of the Personal Information Protection Law (PIPL), which provides for one of the mechanisms (Certification Mechanism) that data controllers can utilise in order to transfer personal information outside of the People's Republic of China (PRC).
The Certification Specification endeavours to provide guidance to certification bodies, as well as data controllers engaged in cross-border personal information transfer activities. The finalised Certification Specification deviates slightly from the Draft and reflects TC260’s responses to some of the concerns raised on the proposed Certification Mechanism.
In this article, we discuss the key provisions reflected in the finalised Certification Specification.
Scope of Application
The Certification Specification provides that the Certification Mechanism applies to cross-border personal information transfers in the following circumstances:1
- cross-border transfers within a multinational company, or among subsidiaries or affiliates of the same economic or public entity; and
- personal information processing activities subject to PIPL’s extraterritorial reach.2
The Certification Mechanism does not apply to cross-border personal information transfers between unrelated entities, which will need to rely on the standard contract provided for in Article 38(3) of the PIPL. A draft of the standard contract was released by the CAC on 30 June 2022 (Draft Standard Contract); for more details, see our separate update on the Draft Standard Contract.
Notably, TC260 did not make any changes to scenario (2) in the Draft, i.e. the application of the Certification Mechanism to personal information processing activities subject to the extraterritorial reach of PIPL. The inclusion of this controversial provision has raised concerns amongst businesses during the public consultation since Article 38 of the PIPL ostensibly only applies to data controllers transferring personal information outside of the PRC, but not to the direct collection of personal information from data subjects by overseas organisations. The extension of the Certification Mechanism to overseas organisations appears to broaden the scope of the PIPL, and suggests that the direct collection of personal information from data subjects in the PRC may also be caught within the ambit of Article 38 of the PIPL. This position is further muddied by Article 3(f) of the Certification Specification, which provides that “the certification of cross-border processing of personal information is a voluntary certification recommended by the state. Qualified data controllers and foreign recipients are encouraged to voluntarily apply for certification of cross-border processing of personal information when processing personal information across borders”.
From a practical perspective, most overseas data controllers are unlikely to voluntarily apply for certification and subject themselves to unduly onerous and costly compliance. Unfortunately, the TC260 does not give further explanation as to the legal basis for this requirement, and only future enforcement actions and further clarifications of the Certification Specification will reveal whether overseas data controllers will be required to apply for certification.
Who May Apply for Certification?
In the case of cross-border transfers within a multinational company, the domestic party may apply for certification and assume legal responsibility for such transfers.3
In the case of scenario (2), the certification can be applied for by the local representatives established or designated by overseas personal information processors4, as mandated by Article 53 of the PIPL. While the PIPL is silent on the liability of local representatives, the Certification Specification goes a step further and explicitly states that the local representative shall be liable for the overseas data controller’s actions in the certification process.5 Even though the Certification Specification does not specify what the legal liability will be, this provision may make it more difficult for overseas personal information processors to appoint local representatives in the PRC.
Key Certification Requirements
The Certification Specification provides more details on the requirements for certification, namely:
- entering into a legally binding agreement6;
- formulating certain organisational management7;
- abiding by rules of cross-border personal information processing8; and
- conducting personal information protection impact assessments9.
In particular, we note that some of the terminology in the Certification Specification has changed; for example, “relevant parties involved in cross-border processing of personal information” featured in the Draft has been replaced with “personal information processor and foreign recipient” in the Certification Specification. This clarifies that foreign recipients of personal information are considered a “relevant party” and should also meet the relevant requirements under the Certification Specification.
(1) Legally binding agreement
Data controllers and the foreign recipients of the personal information are required to sign a legally binding agreement, which should specify the following as a minimum:
- the data controller and the foreign recipient;
- the categories of personal information being transferred;
- the purpose of processing;
- the applicable measures to protect the rights and interests of data subjects;
- the responsible party within the PRC;
- an obligation on the part of the foreign recipient to comply with the data laws of the PRC, acceptance of supervision by the certification body and acceptance of jurisdiction of relevant PRC laws10; and
- other obligations stipulated by applicable laws and regulations.
These provisions required under the Certification Specification appear to be less onerous than the provisions of the recently released Draft Standard Contract. This may be a relevant consideration for eligible data controllers when deciding whether to rely on the Certification Mechanism or the Standard Contract Mechanism11 for cross-border data transfers.
Another question raised by this requirement of the Certification Specification is whether overseas data controllers caught by the extraterritorial effect of the PIPL would also be required to sign a legally binding agreement with their local representatives. It is unclear at this point how this obligation may affect them.
(2) Organisational management
The Certification Specification requires both the data controller and the foreign recipient to designate a data protection officer.12 The data controller and the foreign recipient are further required to set up a relevant department tasked with ensuring the requirements for protection of personal data security are met.13 This goes beyond the present provisions of the PIPL14, and imposes an obligation on both the data controller and foreign recipient.
(3) Rules of personal information cross-border processing
Data processors and foreign recipients must abide by cross-border personal information processing rules, which should, as a minimum, include the following:
- basic information about the cross-border transfer, including the type, sensitivity and quantity of the personal information involved;
- the purpose, method and scope of the cross-border transfer;
- the retention period and disposal methods upon expiry of the transfer period;
- the regions or countries through which the personal information will transit during the transfer;
- the resources needed and the measures taken to protect the data subjects’ rights and interests; and
- the compensation and response plans related to personal information security incidents.
(4) Personal information protection impact assessments
Data controllers are required to carry out data protection impact assessments covering the potential impact of the foreign legal environment and cybersecurity environment on data subjects’ rights. This is in line with the requirement under Article 55 of the PIPL, which states that data controllers providing personal information abroad are required to conduct an impact assessment prior to any cross-border data transfers. It is worth noting that the relevant requirements of such assessments have been provided under non-binding national standards15 and further detailed in the recently finalised Measures for Security Assessment for Cross-Border Data Transfers. While the security assessment set out in the Measures for Security Assessment for Cross-Border Data Transfers is meant to be a more stringent cross-border personal information transfer mechanism, the wording of Article 55 of the PIPL suggests that impact assessments are to be the same irrespective of the specific circumstances of cross-border data transfers. Given this ambiguity, companies that wish to err on the side of caution may want to undertake a more comprehensive impact assessment which complies with the stricter security assessment obligation.
Protection of Data Subject Rights
In keeping with the CAC’s emphasis on the protection of data subjects’ rights, the Certification Specification provides that data subjects are the third-party beneficiaries of data transfer agreements, and may require data controllers and foreign recipients to provide a copy of the data transfer agreement to them.16 This echoes the provisions of the Draft Standard Contract, which also contains requirements for parties to make available a copy of the standard contract to data subjects17.
Furthermore, the Certification Specification imposes an obligation on both data controllers and foreign recipients to take immediate remedial measures and notify relevant authorities in the event of a data breach18.
The Certification Specification sheds some light on the Certification Mechanism introduced by the PIPL but many essential questions remain unaddressed; for instance, the Certification Specification is silent on the relevant certification bodies, the detailed certification procedures and the validity period of a certification.
The Certification Specification has also added more confusion as it seems to expand even further the extraterritorial effect of the PIPL by requiring overseas data controllers to comply with the Certification Mechanism. The requirement for both the data controller and foreign recipient to appoint a data protection officer and establish a responsible department to ensure compliance with the PIPL may increase compliance costs for companies.
The rapid finalisation of the Certification Specification and the issuance of the finalised Security Assessment Measures and Draft Standard Contract highlight the PRC government’s recent focus on cross-border data transfers and hint at greater regulatory scrutiny to come. Given the questions left unanswered by the Certification Specification, data controllers and foreign recipients involved in cross-border personal information transfer activities should pay close attention to future developments in order to pre-empt any regulatory scrutiny.
The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this article.
1 Article 1 of the Certification Specification.
2 Article 3(2) of the PIPL.
3 Article 2 of the Certification Specification.
6 Article 4.1 of the Certification Specification.
7 Article 4.2 of the Certification Specification.
8 Article 4.3 of the Certification Specification.
9 Article 4.4 of the Certification Specification.
10 Article 4.1 of the Certification Specification.
11 See Article 38(3) of the PIPL.
12 Article 4.2.1 of the Certification Specification.
13 Article 4.2.2 of the Certification Specification.
14 See Article 52 of the PIPL, which provides that data controllers are only required to appoint a data protection officer if the personal information being processed reaches a certain threshold.
15 See Information Security Technology – Guidance for Personal Information Security Impact Assessment, released by TC260 on 19 November 2020.
16 Article 5.1(b) of the Certification Specification.
17 See Article 2(8) and 3(2) of the Draft Standard Contract.
18 A data breach means a situation where personal information is leaked, tampered with, or lost.