Certification by a professional institution is one of the mechanisms permitted by China's Personal Information Protection Law (PIPL) to legitimize cross-border transfers of personal information. The other permitted mechanisms are a government security review and standard contractual clauses, the latter still to be issued by the Chinese government. To date, however, there have been no clear rules on the criteria and procedures for obtaining PIPL certification.
On April 29, 2022, the National Information Security Standardization Technical Committee (“TC260”) published a draft Practical Guide to Cybersecurity Standards – Technical Specification for the Certification of Cross-Border Data Processing Activities (the “Certification Rules”) for public comment. The draft Certification Rules clarify some of the requirements companies must meet to have their cross-border data processing activities certified (more on this below), but leave important questions open, notably which professional institutions will be authorized to issue certifications.
Companies cannot obtain certification at this time; the certification route will only become available in practice once the Certification Rules are finalized and the Cyberspace Administration of China (CAC) designates the certification institutions. We expect the CAC to designate multiple institutions to issue certifications in accordance with the Certification Rules, but no timeline for this has been published.
The Certification Rules would apply only to the following two situations:
- cross-border data processing activities within a multinational company or the same economic or commercial entity; and
- the processing of Chinese individuals’ personal information by a foreign data controller that is subject to the extraterritorial application of the PIPL.
It is unclear what is meant by “a multinational company or the same economic or commercial entity”. We expect that cross-border transfers of personal information between affiliated group companies could be certified under the draft Certification Rules, even though such companies are typically separate legal persons established in different jurisdictions.
Unaffiliated entities appear to fall outside the scope of the draft Certification Rules, even though PIPL itself does not limit the certification mechanism to transfers between affiliates.
The proposal prescribes the following principles for the certification of cross-border data processing activities:
- legality, fairness, necessity and integrity;
- public disclosure and transparency;
- information quality;
- equal protection;
- responsibility; and
- voluntary certification.
To be certified under the Certification Rules, cross-border data processing activities would have to satisfy a series of legal, contractual and organizational requirements. For example, the parties involved in the cross-border data processing activities would be required to:
- sign a legally binding and enforceable instrument that includes, among other things, the parties’ undertakings to submit to the supervision of the certification institution and to be bound by Chinese personal information protection laws and regulations;
- appoint a data protection officer who sits on the decision-making body of the party concerned, and set up a data protection department to handle requests from data subjects and to monitor the cross-border data processing activities;
- formulate and adhere to a uniform set of data processing rules covering:
  - the categories, sensitivity and volume of the personal information to be processed;
  - the purpose, method and scope of the cross-border processing;
  - the period for which the personal information will be stored outside China and the actions to be taken when that period expires;
  - any country or region through which the data will transit in the course of the cross-border processing;
  - the resources and measures needed to protect the rights and interests of data subjects; and
  - rules for handling personal information security incidents and for compensating affected data subjects;
- conduct personal information protection impact assessments; and
- respect the following rights of data subjects:
  - the right to be a third-party beneficiary of the parties’ legally binding instrument on data subject protection and to obtain a copy of the provisions relevant to them;
  - the right to lodge complaints and reports with the competent Chinese authorities;
  - the right to sue the relevant parties to the cross-border data processing in Chinese courts; and
  - all other rights conferred on data subjects by PIPL.
China’s regulatory regime for cross-border data transfers is still evolving. Compared with the other two transfer mechanisms (the government security review and the standard contractual clauses), the certification route has so far received relatively little attention from international companies.
The draft Certification Rules appear to be tailored to multinational companies and foreign data controllers, and would offer an alternative to the standard contractual clauses route for companies that are not subject to a mandatory security review. Although no timeline for finalizing the Certification Rules has been published, the standard contractual clauses themselves have not yet been issued, so it is possible that the Certification Rules will be finalized and take effect before the standard contractual clauses do. International companies may therefore wish to monitor the development of this alternative transfer mechanism closely.