On June 24, 2022, China’s National Information Security Standardization Technical Committee (commonly referred to as “TC260”) finalized the Technical Guideline on Personal Information Cross-Border Transfer Certification (Final Cert Guideline). Although the Final Cert Guideline largely remains the same as the draft version released this past April, which is described in our prior blog post, China Releases Draft Cross-Border Personal Information Transfer Certification Guidelines, as described below, there are several changes, which will impact organizations seeking such certification.

  • Extends Application to Multinational Companies’ Subsidiaries and Affiliates. The Final Cert Guideline clarifies that it applies to multinational companies and their “subsidiaries and affiliated companies” whose internal personal information (PI) processing activity requires transferring PI outside China. By explicitly calling out subsidiaries and affiliated companies, the Final Cert Guideline broadens the scope of entities that may utilize the Cross-Border Transfer Certification. Multinational companies usually enter the Chinese market by establishing affiliated Joint Ventures (JVs) and Wholly Foreign-Owned Enterprises (WFOEs) that are subject to foreign ownership percentage caps under local foreign investment laws. The Final Cert Guideline’s extended scope makes it easier for a multinational company to utilize its Chinese-based affiliated JV or WFOE as the entity that applies for the Cross-Border Transfer Certification.
  • Requires Compliance with GB/T 35273-202. The Final Cert Guideline also clarifies that PI Handlers who wish to apply for a Personal Information Cross-Border Transfer Certification should, at a minimum, comply with the requirements in the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (PI Security Specification). The PI Security Specification is another technical specification released by the TC260 that took effect Oct. 1, 2020, setting out detailed principles and security requirements for the collection, storage, use, sharing, transfer, public disclosure, and deletion of PI. While the GB/T code indicates that the PI Security Specification is only a voluntary and recommended Specification setting out industry best practices, incorporation of the PI Security Specification into the Final Cert Guideline sets the compliance standard for participating entities.
  • Revocation of Consent Mechanism Required. Section 5.1(b) of the Final Cert Guideline requires participating entities to offer individuals the right to revoke their consent for the cross-border transfer of their PI. In practice, this newly added right will likely require participating entities to expend extensive technical and administrative resources to come into compliance, as it will require building or adopting a consent mechanism at the point of PI collection.
  • New Breach Notification Obligation. Finally, Section 5.2(4) of the Final Cert Guideline adds an additional obligation for PI Handlers and their overseas recipients. PI Handlers and their overseas recipients are obligated to (a) immediately implement mitigation measures and (b) notify the regulatory authority and relevant individuals in cases of unauthorized disclosure, alteration, or loss of PI. This newly added breach notification obligation requires participating entities to develop and implement an incident or breach response procedure internally.

The Final Cert Guideline, together with the publication of the finalized Data Export Security Assessment Measures (effective Sept. 1, 2022) and the release of the draft standard contractual clauses for public consultation, end years of uncertainty as to which mechanism a company should rely on when transferring PI outside China for further processing. In the coming months, we anticipate seeing the complete set of supplemental measures and guidelines relating to cross-border data transfers. With this information in hand, multinational organizations that operate in the Chinese market will have a more certain compliance path in relation to cross-border transfers.