Specifications for Certification of Personal Information Export
On April 29, 2022, the National Information Security Standardization Technical Committee issued for public comments a draft of the Technical Specifications for the Certification of Personal Information Cross-border Processing (the “Draft Specifications”). As the first official draft specifications on personal information protection certifications, the Draft Specifications are intended to refine and partially implement Article 38 of the Personal Information Protection Law (the “PIPL”), thus facilitating cross-border transfers of personal information (“PI”). In this article, we briefly analyze the key aspects of the Draft Specifications from the perspective of companies that transfer PI cross-border.
PIPL certifications: one of the mechanisms for PI cross-border transfers
Article 38 of the PIPL stipulates several alternative mechanisms for PI cross-border transfers that may be relied upon in lieu of a government security assessment. Among these alternatives is Article 38, para. 1, clause 2, which provides the guiding principle that PI handlers may obtain a “personal information protection certification” (“PIPC” or the “certification”).
Notably, the PIPC cannot substitute for government security assessments that are mandatory for PI cross-border transfers by critical information infrastructure operators and PI handlers that process a specified quantity of PI which is to be determined by the Cyberspace Administration of China (“CAC”). Aside from these circumstances, the PIPC mechanism described in the Draft Specifications may be an option for PI cross-border transfers.
Scope of application: offshore data handlers and cross-border data transfers among multinational group companies
The Draft Specifications apply to: (1) cross-border transfers of PI in the context of cross-border data transfers to entities of an international organization or multinational group company; and (2) processing of PI of domestic natural persons by overseas handlers, if conditions are met as set out in PIPL Article 3, para. 2 (e.g., targeting of domestic natural persons).
Regarding cross-border processing of PI in multinational group companies, the Draft Specifications are similar to the Binding Corporate Rules under GDPR Article 47. The PRC entity would apply for the certification and bear legal liability. To further illustrate, the Draft Specifications would require that the overseas handler designate a person in charge and a dedicated party within China to handle affairs relating to PI protection. In practice, a company’s domestic affiliate often assumes this role.
The Draft Specifications may also apply to overseas PI handlers, provided any of the conditions set forth in PIPL Article 3, para. 2 are met. Such extraterritorial application raises another question: if overseas handlers directly collect PI from domestic PI subjects, do those activities constitute the “cross-border provision of PI” for purposes of PIPL Chapter III? Some professionals hold the opinion that, in light of GDPR, such direct collection does not constitute the cross-border provision of PI and that Chapter III should thus not apply. However, the Draft Specifications seemingly contradict this viewpoint.
PIPC applicants: domestic entities
According to the Draft Specifications, the applicant responsible for obtaining the certification in each of the following scenarios is the designated representative or dedicated entity established within China:
- Cross-border transfer of PI in a group of multinational companies;
- Cross-border transfer of PI of domestic natural persons by overseas handlers, which meets the conditions set in PIPL Article 3, para. 2.
According to the Draft Specifications, only PI handler’s entities in China should apply for the certification, which differs from the requirements of Regulations on Administration of Network Data Security (Draft for Comments), released by the CAC in November 2021. The draft regulations would require that both the domestic exporter and the overseas importer obtain a PIPC from a specialized institution in accordance with CAC rules. We await further clarification as to whether and how an overseas receiver will participate in the certification process.
Certification body: not yet specified
The PIPL stipulates only that the certification must be conducted by a specialized institution. The Draft Specifications do not specify detailed qualifications for eligible institutions. However, such certification institutions should monitor whether the relevant parties comply with their undertakings made as part of the certification.
Binding rules: binding and enforceable documents must be signed
Pursuant to the Draft Specifications, the relevant parties involved in a cross-border transfer of PI must sign binding and enforceable documents in order to provide sufficient safeguards for PI subjects to exercise their rights. However, this document is not necessarily a standard contract. In fact, as prescribed in Article 38 of the PIPL, a standard contract is an alternative to the PIPC. Therefore, we consider that this document could also be a data processing agreement or commitment letter. The document is required to include the following points:
- The relevant parties involved in cross-border processing of PI;
- The purpose of data cross-border processing and the scope and type of data transferred;
- The measures to be taken for protecting the rights of PI subjects;
- All related parties covenant to comply with unified rules of personal information processing and ensure that the level of personal data protection is no less than that afforded by Chinese laws and regulations;
- All relevant parties covenant to accept supervision of the certification body;
- All relevant parties covenant to accept the jurisdiction of Chinese laws and regulations related to PI protection;
- The institution which bears legal liability in China;
- Other obligations prescribed in Chinese laws and regulations.
Conditions for certification: multidimensional rules
Besides binding rules, under the Draft Specifications, PI handlers must also meet other certification requirements, including organizational structure, cross-border processing rules, data protection impact assessment, and rights of PI subjects.
Data protection officer:
(1) Required to be designated by all relevant parties.
(2) Has expert knowledge or practices of data protection.
(3) Required to be a member of management.
(4) Mainly responsible for the following work:
  - Specify main purposes, basic requirements, working missions and protective measures.
  - Provide personnel, material resources and financial support and ensure availability.
  - Provide guidance and support for relevant personnel and ensure that the goal can be achieved.
  - Report working status to the person in charge and continuously make improvements.
Data protection institutions:
(1) Shall be established by all related parties.
(2) Perform data protection duties.
(3) Prevent unauthorized access, leakage, tampering, and damage of PI.
(4) Mainly responsible for the following work:
  - Draw up a protection plan approved by all relevant parties.
  - Organize PI protection impact assessment.
  - Monitor compliance with the binding rules while processing PI.
  - Deal with complaints and requests from PI subjects.
Cross-border processing rules
All relevant parties processing PI must comply with unified cross-border processing rules, which at least incorporate: (1) basic information of cross-border processing, including categories, sensitivity and quantity of the data; (2) the duration of data storage overseas and the processing measures after the storage period is reached; (3) transfer country or region; (4) resources and measures dedicated to protecting rights of PI subjects; (5) rules of compensation and management in case of PI security incidents.
Data protection impact assessment
Conduct the assessment in accordance with the PIPL and GB/T 39335-2020, Information security technology - Guidance for personal information security impact assessment.
Rights of PI subjects
- Protect various rights of PI subjects, including the right to know, the right to decide, the right to consult and copy their PI, the right to request the handlers to correct or delete their PI, the right to reject automated decisions, etc.
- Immediately stop processing PI when it becomes difficult to ensure the security of PI.
- The domestic institution promises to provide convenience for PI subjects to exercise their rights and to bear liability for damages.
- Undertake to be subject to supervision of the Chinese certification body.
- Undertake to be subject to and comply with Chinese laws and regulations.
The Draft Specifications reference the BCRs and codes of conduct provided for in the GDPR, aiming to facilitate PI cross-border transfers by multinational group companies and the processing of domestic PI by overseas PI handlers. The Draft Specifications only set forth the requirements used by certification bodies in their certification processes. They differ from the GDPR, which requires BCRs and codes of conduct to be approved by the supervisory authority. Therefore, China’s PIPC mechanism may have more flexibility in practice. The current Draft Specifications mainly provide relatively detailed substantive rules. We expect that the Draft Specifications or subsequent normative documents will further clarify open issues, including the certification bodies and procedures, in order to provide more specific guidance for the implementation of the PIPC mechanism.