On April 29, 2022, China’s National Information Security Standardization Technical Committee (commonly referred to as “TC260”) released a draft Technical Guideline on Personal Information Cross-Border Transfer Certifications (Cert Guideline). While the Cert Guideline is still in draft form and thus subject to change, it provides some clarification regarding the certification process for cross-border transfers of personal information (PI).
China’s Personal Information Protection Law (PIPL) permits cross-border PI transfers when one of the conditions listed in Article 38 is met,[1] and the data subject consents to the transfer. Article 38 provides that PI Handlers[2] can make cross-border transfers of PI after obtaining a PI protection certification from a “specialized certification agency” following “CAC-approved certification requirements.” However, the PIPL left open many issues about the certification process, which the Cert Guideline addresses, such as:
- the types of entities that may rely on such certification to transfer PI overseas;
- the process for applying for certification;
- the conditions required to obtain such certification; and
- the organization that will act as the certification body.
Who May Rely on Cross-Border PI Transfer Certification
According to the Cert Guideline, the following PI Handlers may apply for and rely on the certification to transfer PI overseas:[3]
- Multinational companies and their subsidiaries, whose internal PI processing activity requires transferring PI outside China; and
- Overseas PI Handlers who process China-based individuals’ PI overseas, where the purpose of such processing is to (a) provide products or services to China-based individuals; (b) analyze or assess China-based individuals’ behavior; or (c) serve other purposes prescribed by relevant laws and regulations.[4]
In addition to meeting the certification criteria outlined in the Cert Guideline, multinational companies and overseas PI Handlers operating in specific sectors, such as the automobile and financial sectors, will also need to make sure they are in compliance with the various sectoral regulations that contain specific requirements for cross-border transfer of PI.
The Cert Guideline explicitly carves out, and does not apply to, entities that must undergo a mandatory PI export security assessment with the national and provincial CAC. Pursuant to the Data Security Law,[5] the PIPL,[6] and the draft implementing measure on PI export assessment released by the CAC, organizations involved in the activities listed below must undergo a PI export security assessment and cannot apply for the PI protection certification the Cert Guideline describes:
- exporting PI and critical data collected and generated by critical information infrastructure operators (CIIO)[7];
- exporting critical data[8];
- exporting any PI by a PI Handler who processes the PI of over one million individuals;
- cumulatively exporting PI belonging to more than 100,000 individuals;
- cumulatively exporting sensitive PI belonging to more than 10,000 individuals; or
- other situations as determined by the CAC.
Certification Criteria
The Cert Guideline notes that, in determining whether certification should be granted, a certification agency will review a participating entity’s: (a) contractual and organizational setup; (b) PI use, retention, and disposal rules; (c) PI transfer impact assessment process; and (d) individual rights procedures and support. Further detail regarding each criterion is provided below.
Contractual Setup. The Cert Guideline requires entities participating in the cross-border transfer of PI to execute legal and enforceable data transfer contracts among themselves. The Cert Guideline provides that this contract must address the following:
- the identity of contracting parties and their China-based representative;
- the categories of PI transferred and the purpose for transferring PI;
- the contracting parties’ commitment to a level of PI protection at least equivalent to Chinese data protection laws;
- the contracting parties’ agreement to be subject to the certification agency’s continued monitoring; and
- the contracting parties’ agreement to be governed by applicable Chinese data protection laws.[9]
Organizational Setup. The Cert Guideline provides that entities engaged in cross-border transfers must appoint a PI Protection Officer (Officer). Although the Cert Guideline is silent on whether the Officer must reside in China, it does provide that an Officer must have expertise in PI protection issues and relevant management experience, and must be a senior management member of the organization.[10] This requirement mirrors Article 52 of the PIPL, which requires that PI Handlers who process a large volume of PI appoint an Officer. Unlike the PIPL, the Cert Guideline elaborates on the Officer’s qualifications and responsibilities, which are similar to those required of Data Protection Officers under Article 37 of Europe’s General Data Protection Regulation. Participating entities must also establish a PI Protection Unit (Unit) within the organization. The Unit will be responsible for implementing rules on PI usage, retention, and disposal; performing PI transfer impact assessments; monitoring the organization’s adherence to its contractual obligations; and responding to individual rights requests.[11]
PI Transfer Impact Assessment. The Cert Guideline notes that participating entities must undertake an impact assessment according to the national standard on PI security impact assessment.[12] At a minimum, the impact assessment must address the following issues:
- whether the transfer is in accordance with applicable laws, regulations, and administrative guidelines;
- the impact on individuals’ rights of transferring their PI overseas for further processing;
- the applicable laws, practices, and cybersecurity environment of the destination country; and
- whether other relevant safeguards are in place to protect individuals’ rights.[13]
Individual Rights Support. Apart from offering individuals the rights of access, correction, deletion, and objection to certain processing activities, the Cert Guideline emphasizes that the cross-border transfer of PI must be based on an individual’s separate informed consent.[14] In obtaining an individual’s consent for the transfer, participating entities must inform the individual, via email, SMS, mail, or fax, about: (a) the overseas PI Handler’s identity; (b) the categories of PI transferred; (c) the purpose for transferring the PI; and (d) the retention period for the PI. For overseas PI Handlers offering goods and services to Chinese individuals, this informed consent requirement may impose challenging technical and operational hurdles.
Certification Method and Agency
Multinational organizations’ Chinese branches may take the lead in applying for the certification. Overseas PI Handlers, on the other hand, may entrust their China-based representative, established as required under Article 53 of the PIPL, to undergo the application process. Effectively, the entire certification process will take place in China through a China-established entity, which will be legally responsible for maintaining the certification standards.
The Cert Guideline is silent about who will qualify as an accredited certification agency, and there are still uncertainties regarding what the “CAC-approved certification requirements” under the PIPL will be. Nevertheless, China’s Cybersecurity Review Technology and Certification Center (CCRC), or another administrative agency with experience evaluating and issuing certifications, may well be the first accredited certification agency. According to the Cert Guideline, its drafting is supported by the CCRC, an accredited agency for issuing the China Compulsory Certification (CCC) mark. Furthermore, the CAC may endorse or adopt TC260’s Cert Guideline: the TC260 Committee is composed of members from, and operates under the direct supervision of, the CAC (the agency vested with rulemaking and enforcement authority under the PIPL), and it reports directly to China’s Standardization Administration (the central body for all activities related to developing and promulgating national standards in China).
[1] Article 38 of the PIPL requires that PI Handlers who transfer PI outside of China meet one of the following conditions: (1) pass a data export security assessment organized by the Cyberspace Administration of China (CAC); (2) obtain PI protection certification from a specialized agency following CAC regulations; (3) execute a standard contract issued by the CAC with the overseas data recipient; or (4) meet other conditions set by relevant laws, regulations, or CAC guidelines.
[2] “PI Handlers” refers to individuals or organizations determining the means and purpose of processing, similar to a controller under the EU’s General Data Protection Regulation.
[3] See Section 1 of the Cert Guideline.
[4] See Article 3(2) of the PIPL.
[5] See Article 31 of the Data Security Law.
[6] See Articles 38 and 40 of the PIPL.
[7] See Article 31 of the Data Security Law.
[8] “Critical data” is a concept first introduced in the Cybersecurity Law but not defined in any current legislation. However, based on several implementing rules and guidelines still in their draft form, critical data are “non-PI data on national security, economic development, social stability, or public interests, where its alteration, destruction, or breach may undermine national interests.”
[9] See Section 4.1 of the Cert Guideline.
[10] See Section 4.2.1 of the Cert Guideline.
[11] See Section 4.2.2 of the Cert Guideline.
[12] See GB/T 39335, Information Security Technology — Guidance for Personal Information Security Impact Assessment.
[13] See Section 4.4 of the Cert Guideline.
[14] See Section 5.2(a) of the Cert Guideline.