Member Article

On April 29, 2022, the National Information Security Standardization Technical Committee issued for public comments a draft of the Technical Specifications for the Certification of Personal Information Cross-border Processing (the “Draft Specifications”). As the first official draft specifications on personal information protection certifications, the Draft Specifications are intended to refine and partially implement Article 38 of the Personal Information Protection Law (the “PIPL”), thus facilitating cross-border transfers of personal information (“PI”). In this article, we briefly analyze the key aspects of the Draft Specifications from the perspective of companies that transfer PI cross-border.

PIPL certifications: one of the mechanisms for PI cross-border transfers

Article 38 of the PIPL stipulates several alternative mechanisms for PI cross-border transfers that may be relied upon in lieu of a government security assessment. Among these alternatives is Article 38, para. 1, clause 2, which provides the guiding principle that PI handlers may obtain a “personal information protection certification” (“PIPC” or the “certification”).

Notably, the PIPC cannot substitute for government security assessments that are mandatory for PI cross-border transfers by critical information infrastructure operators and PI handlers that process a specified quantity of PI which is to be determined by the Cyberspace Administration of China (“CAC”). Aside from these circumstances, the PIPC mechanism described in the Draft Specifications may be an option for PI cross-border transfers.

Scope of application: offshore data handlers and cross-border data transfers among multinational group companies

The Draft Specifications apply to: (1) cross-border transfers of PI in the context of cross-border data transfers to entities of an international organization or multinational group company; and (2) processing of PI of domestic natural persons by overseas handlers, if conditions are met as set out in PIPL Article 3, para. 2 (e.g., targeting of domestic natural persons).

Regarding cross-border processing of PI in multinational group companies, the Draft Specifications are similar to the Binding Corporate Rules under GDPR Article 47. The PRC entity would apply for the certification and bear legal liability. To further illustrate, the Draft Specifications would require that the overseas handler designate a person in charge and a dedicated party within China to handle affairs relating to PI protection. In practice, a company’s domestic affiliate often assumes this role.

The Draft Specifications may also apply to overseas PI handlers, provided any of the conditions are met as set forth in PIPL Article 3, para. 2. Such exterritorial application raises another question—if overseas handlers directly collect PI from domestic PI subjects, do those activities constitute the “cross-border provision of PI” for purposes of PIPL Chapter III? Some professionals hold the opinion that, in light of GDPR, such direct collection does not constitute the cross-border provision of PI and that Chapter III should thus not apply. However, the Draft Specifications seemingly contradict this viewpoint.

PIPC applicants: domestic entities

According to the Draft Specifications, the following applicants are responsible for obtaining the certification:

According to the Draft Specifications, only PI handler’s entities in China should apply for the certification, which differs from the requirements of Regulations on Administration of Network Data Security (Draft for Comments), released by the CAC in November 2021. The draft regulations would require that both the domestic exporter and the overseas importer obtain a PIPC from a specialized institution in accordance with CAC rules. We await further clarification as to whether and how an overseas receiver will participate in the certification process.

Certification body: not yet specified

The PIPL stipulates only that the certification must be conducted by a specialized institution. The Draft Specifications do not specify detailed qualifications for eligible institutions. However, such certification institutions should monitor whether the relevant parties comply with their undertakings made as part of the certification.

Binding rules: binding and enforceable documents must be signed

Pursuant to the Draft Specifications, relevant parties involved in cross-border transfer of PI must sign binding and enforceable documents, in order to provide sufficient safeguards for PI subjects to exercise their rights. However, this document is not necessarily a standard contract. In fact, as prescribed in Article 38 of the PIPL, a standard contract is an alternative to PIPC. Therefore, we consider this document could also be a data processing agreement or commitment letter. The document is required to include following points:

• The relevant parties involved in cross-border processing of PI;
• The purpose of data cross-border processing and the scope and type of data transferred;
• The measures to be taken for protecting the rights of PI subjects;
• All related parties covenant to comply with unified rules of personal information processing and ensure that the level of personal data protection is be no less than that afforded by Chinese laws and regulations;
• All relevant parties covenant to accept supervision of the certification body;
• All relevant parties covenant to accept the jurisdiction of Chinese laws and regulations related to PI protection;
• The institution which bears legal liability in China;
• Other obligations prescribed in Chinese laws and regulations.

Conditions for certification: multidimensional rules

Besides binding rules, under the Draft Specifications, PI handlers must also meet other certification requirements, including organizational structure, cross-border processing rules, data protection impact assessment, and rights of PI subjects.

Conclusion

The Draft Specifications reference the BCRs and code of conduct provided for in GDPR, aiming to provide convenience for PI cross-border transfers for multinational group companies and processing of domestic PI by overseas PI handlers. The Draft Specifications only set forth the requirements used by certification bodies in their certification processes. They differ from GDPR, which requires BCRs and codes of conduct to be approved by the supervisory authority. Therefore, China’s PIPC mechanism may have more flexibility in practice. The current Draft Specifications mainly provides relatively detailed substantive rules. We expect that the Draft Specifications or other subsequent normative documents can further clarify issues, including certification bodies and procedures, in order to provide more specific guidance for the implementation of the PIPC mechanism.