Release of Draft Rules on Certification for Cross-Border Personal Data Transfer in China

On 29 April 2022, the National Information Security Standardisation Technical Committee issued a draft of the Technical Specifications for Certification of Personal Information Cross-border Processing Activities (“Certification Draft”) to solicit public comment, which provides for the first time details on the certification mechanism for cross-border transfer of personal data. We have highlighted the key take-aways of the Certification Draft in the attached article. 

Background

The Personal Information Protection Law of the People’s Republic of China (“PIPL”), effective on 1 November 2021, imposes specific requirements for the cross-border transfer of personal data. Article 38 of the PIPL requires that the data handler, i.e. the entity or person that independently decides the purpose and method of the personal data processing activities, use one of the following channels for the cross-border transfer of personal data:

  1. conduct and pass a security assessment by the Cyberspace Administration of China (“CAC”);
  2. get a certification by a third-party institution in accordance with the CAC’s provisions; or
  3. conclude the Standard Contractual Clauses (“SCCs”) to be formulated by the CAC with the offshore data recipient.

In furtherance of the above requirements, the CAC released for public comment the Draft Measures on Security Assessment of Cross-border Data Transfer (“Draft Measures”) (see our introduction on the Draft Measures here) on 29 October 2021, which elaborate in particular on the security assessment for cross-border transfer of personal data. However, the details on certification and the SCCs remained unclear, as no legal documents or drafts on these two channels had been released.

On 29 April 2022, the National Information Security Standardisation Technical Committee issued a draft of the Technical Specifications for Certification of Personal Information Cross-border Processing Activities (“Certification Draft”) to solicit public comment, which provides for the first time details on the certification mechanism for cross-border transfer of personal data. We have highlighted the key take-aways of the Certification Draft as follows:

1. Eligible personal data processing activities for the certification

The Certification Draft provides that the certification can be applied for in respect of the following two types of processing activities involving cross-border transfer of personal data:

  1. intra-group cross-border transfer of personal data (“Intra Group Transfer”); and
  2. extraterritorial processing activities described under Article 3 paragraph 2 of the PIPL, i.e. extraterritorial personal processing activities that are for the purpose of providing products and services to natural persons in China or analysing and evaluating the behaviour of natural persons in China (“Extra-territorial Processing”).

For Intra Group Transfer, the Chinese entity can apply for the certification in China and assumes the legal responsibility. For Extra-territorial Processing, the certification can be applied for by the appointed local representative or the specifically established organisation of the foreign data handler.

2. Evaluation of the requirements

The Certification Draft also sets out the requirements that the third-party institutions are to examine when determining whether to grant the certification. Data handlers engaged in cross-border transfer of personal data may refer to these requirements in the Certification Draft to prepare for the future implementing measures. The general requirements include the following:

  1. The parties involved in the transfer shall sign binding legal documents to ensure that the data subjects’ rights are fully protected. Such documents shall include the following content:
    1. The parties involved in the cross-border transfer of personal data;
    2. The type and scope of the personal data being transferred, and the purpose for transferring such personal data;
    3. The measures taken to protect the data subjects’ rights and interests;
    4. The data processing rules that each party involved in the transfer commits to comply with, together with a commitment that the protection accorded to the personal data shall not be lower than the level accorded under the PIPL and other relevant personal data protection laws and regulations in China;
    5. Each party commits to accept the supervision by the certification institution;
    6. Each party commits to accept the regulation under the personal data protection laws and regulations of China;
    7. Defining the organisation/department taking legal responsibility in China; and
    8. Other obligations the parties shall observe under the laws and regulations.
  2. The party involved in the cross-border transfer shall appoint a person in charge of data protection. Such person shall have the relevant knowledge and working experience, and shall be one of the decision-making members of the entity. The party involved shall also set up a relevant department to fulfil the requirements for the protection of personal data security.
  3. The data processing rules for the cross-border transfer, which each party involved in such transfer shall comply with, shall include the following aspects:
    1. The basics about the cross-border transfer, including the type, sensitivity, quantity of the personal data involved;
    2. The purpose, method and scope of the cross-border transfer;
    3. The start and end of the period for the offshore storage of personal data, and how such data will be disposed of after the storage period expires;
    4. The regions or countries involved for transit of the cross-border transfer;
    5. The resources needed and the measures taken to protect the data subjects’ rights and interests;
    6. The provisions on compensation and handling measures in the event of a personal data security incident.
  4. The relevant party for the transfer shall conduct the protection impact assessment (“PIA”) in accordance with the PIPL and the national standards on the PIA.

3. Remaining issues and our observations

Though the Certification Draft casts some light on the eligibility scope and the general requirements to be evaluated, it does not specify the qualifications of the certification institution, nor does it set out any requirements for the application process. It thus remains unclear to whom, and how, a data handler may apply for the certification. As the PIPL provides that the certification for cross-border personal data transfer shall be carried out in accordance with the CAC’s provisions, it is likely that the detailed rules on how to apply for the certification, and the related procedures, will be released by the CAC to align with the PIPL’s provision.

The Certification Draft provides that Extra-territorial Processing is also eligible for the certification, which seems to imply that the extraterritorial processing activities described under Article 3 paragraph 2 of the PIPL constitute cross-border transfer of personal data. This may give rise to contradictory views in practice. As Article 38 of the PIPL provides that the fulfilment of one of the three channels is required “when the data handler due to the need of business, needs to provide personal data out of China”, some practitioners, by reference to that text of the PIPL and to experience under the GDPR, take the view that the direct collection of personal data by an offshore data handler does not constitute cross-border transfer of personal data. Moreover, the draft of the Network Data Security Administration Regulations (“Draft Regulations”) released by the CAC on 14 November 2021 provides that, if the provision of personal data out of China is necessary for the conclusion or performance of a contract to which the data subject is a party, the requirement to fulfil one of the above channels is exempted. Based on the current text of the Certification Draft and the Draft Regulations, the requirement to fulfil one of the above channels would be applicable to Extra-territorial Processing, but where the personal data is necessary for the conclusion or performance of a contract, such requirement could be exempted. However, as both drafts are not yet finalised, there may be changes in their final versions.