Cross-border transfer of personal information (hereinafter referred to as "PI"1 and the cross-border transfer of PI as "PI export") is a daily occurrence and business necessity for many companies operated in China, especially for multinational companies and domestic companies using ERP software provided by foreign operators with servers located abroad. With the continuous release of supporting rules of the Personal Information Protection Law ("PIPL") in terms of restrictions on PI export in China, PI export compliance is attracting increasing attention.
This series consists of four articles. The first article will introduce the development and framework of China's restrictions on PI export, and the next three articles will respectively introduce the three PI export mechanisms provided by the PIPL in detail, namely the compulsory notification mechanism (Security Assessment) and two self-management mechanisms (Standard Contract & Certification).
The is the fourth of the four articles and will review the PI export mechanism of Certification under the Chinese PIPL from the perspective of local practitioners.
As introduced before, the Standard Contract and Certification are both optional approaches. Compared with Standard Contract, Certification has its own advantages such as covering multiple data processing scenarios within group company. So far, although the framework of Certification mechanism has almost been established, it still takes some time for this mechanism to be widely implemented in China.
- What is the basis of Certification?
According to the Implementing Rules for the Certification of Personal Information Protection (《个人信息保护认证实施规则》in Chinese, "Certification Rules") and Cyber Security Standard Practical Guidance–Security Certification Specifications on Cross-border Transfer of PI V2.0 (《网络安全标准实践指南—个人信息跨境处理活动安全认证规范V2.0》in Chinese, "Certification Specifications"), PI handlers that carry out PI export activities shall meet the requirements provided by the Information Security Technologies - Personal Information Security Specifications (GB/T 35273) (《信息安全技术 个人信息安全规范》in Chinese, "PISS") and the Certification Specifications when applying for PI protection Certification.
- The PISS is a non-mandatory national standard jointly issued by the State Administration for Market Regulation and the Standardization Administration of the P.R.C. that took effect on October 1, 2020. It sets out detailed provisions on the principles and security requirements for general PI processing activities (e.g., collection, storage, use, transmission, publishing, deletion).
- The Certification Specifications is a non-mandatory guide issued by the TC260 that came into effect on December 16, 2022. It specifies the preconditions for companies to obtain Certification from three aspects, including following the basic principles for PI export, meeting the basic requirements for PI export which involve binding documents, organizational management, rules on the cross-border PI processing and PIPIA, and meeting the requirements for protecting the rights and interests of PI subjects.
Notably, TC260 recently released the Information Security Technology-Certification Requirements for Cross-border Transmission of Personal Information (Draft for Comments) (《信息安全技术 个人信息跨境传输认证要求(征求意见稿)》in Chinese, "Certification Requirements (Draft)"), a non-mandatory national standard on March 16, 2023, whose content is practically the same as the Certification Specifications.
- Which agency can grant Certification?
Currently, China Cybersecurity Review Technology and Certification Center ("CCRC"), the directly affiliated institution of State Administration for Market Regulation, is the only agency designated by the CAC to grant Certification.
- What is the procedure of Certification?
The Certification Rules has provided the mode of "Technical Verification + On-site Examination + Post-certification Supervision" for PI protection certification. The specific procedures are as follows:
- Entrustment: PI handlers shall submit certification entrustment materials as required by the certification agency, who would then, based on the certification entrustment materials including the type and quantity of PI, the scope of PI processing activities involved, the information of the technical verification agency, etc., determine the certification scheme.
- Technical Verification: The technical verification agency determined by the certification agency shall conduct technical verification in accordance with the certification scheme and issue a technical verification report.
- On-site Examination: The certification agency shall conduct an on-site examination and issue an on-site examination report.
- Certification Decision: The certification agency shall make a certification decision and issue a certification certificate based on the certification entrustment materials, technical verification report, on-site examination report and other relevant materials. If the certification requirements are not met temporarily, the PI handler may be required to make rectification.
- Post-certification Supervision: The certification agency shall,
within the validity period of certification, continuously supervise
the PI handler that has obtained the certification in a reasonable
frequency, to ensure that the certified PI handler continuously
complies with the certification requirements. For those who fail to
pass the supervision, the certification agency shall suspend or
even revoke the certification certificate as the case may be.
- What are the major requirements for Certification?
Major requirements for the certification include:
- Legally binding agreements
- Establishment of Data Protection Officer (DPO) and data protection institutions of the parties
- PIPIA
- Data subject rights
- Rules for cross-border transfers
- Acceptance of the supervision of the certification body, including responding to inquiries and routine inspections
The Certification Specifications, together with the Certification Requirements (Draft) further requires PI processors and overseas receiving parties clarify in the document the cross-border PI processing purpose, sensitivity, quantity, method, retention period, storage location, and the rights of PI subjects as well as the methods and means to safeguard those rights.
- How long is the certificate of Certification valid?
- A certification certificate shall be valid for three years. Where a certificate needs to be renewed upon expiry, the PI handler shall apply for certification entrustment within six months before the expiry of the valid term.
- Where, within the valid term of a certification certificate, the name or registered address of the certified PI handler or the certification requirements or scope etc. change, the certified PI handler shall apply for change and the certification agency would decide whether to approve such change.
- The certification agency shall publicize the relevant
information such as the issuance, change, suspension,
deregistration and revocation of the certification certificate.
- What is the relationship between the Certification and the SCC?
For cross-border PI transfers, both mechanisms are applicable for data that escaped the mandatory threshold for the security assessment. However, an SCC is preferable for PI export that occurs less frequently, whereas a certification is suitable for PI export among MNCs in daily business operations.
Additionally, the current version of the SCC does not apply to scenarios in which data processors provide PI to overseas data handlers/processors. Unless the finalized version includes such scenarios, the only available mechanism might be a certification.
- What rights are data subjects entitled to under the Certification?
Data subjects are entitled to the following rights:
- The right to require the data handler and overseas recipient to provide a copy of the legal text involving their rights and interests, and to claim rights from the PI processor and the overseas receiver;
- The right to know, decide, restrict or refuse others to process his PI, the right to consult, copy, correct and supplement his PI, the right to delete his PI, and the right to withdraw his consent to cross-border processing of his PI;
- The right to request the PI processor to take appropriate measures to realize it or directly make a request to the overseas receiver. If the PI processor cannot achieve it, it shall notify and request the overseas receiver to assist in achieving it;
- The right to require PI handlers and overseas recipients explain their rules for cross-border PI processing;
- The right to deny the data handler from making decisions based only on automated processes;
- The right to claim compensation from either the PI processor or the overseas receiver;
- The right to file a judicial lawsuit against the PI processor and overseas receiver who carry out cross-border PI processing activities in accordance with the jurisdiction court determined by the Civil Procedure Law of the People's Republic of China;
- Other rights stipulated by laws and administrative regulations.
- What is the mark of Certification?
The certification mark for PI protection that includes cross-border processing activities is as follows:
"ABCD" stands for the identification information of a certification agency.
We shall mention that comparing with Security Assessment and Standard Contract as covered in the previous two articles, the PI export mechanism through Certification described above is still in the early stage of development and more time and practice will be needed to make it a feasible way for companies doing business in China.
Footnotes
1 Under the PIPL, PI is defined as any kind of information, electronically or otherwise recorded, related to an identified or identifiable natural person within PRC, excluding anonymized information that cannot be used to identify a specific natural person and is not reversible after anonymization.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
