In China, personal information (“PI”) may be transferred overseas when it is essential for business operations, subject to a number of conditions as stipulated under the Personal Information Protection Law (2021) (“PIPL”),1 among which are (i) PI protection certification by a specialized institution in accordance with the provisions of the Cyberspace Administration of China (“CAC”) (PIPL Article 38(2)), (ii) a CAC-initiated security assessment (required of Critical Information Infrastructure Operators or when the number of PI meets a quantitative threshold) (PIPL Article 38(1)) or (iii) execution of a standardized contract formulated by CAC (PIPL Article 38(3)).
To implement Article 38(2) of the PIPL and to provide the foundation and basic requirements for establishment of the PI protection certification system for purposes of PI cross-border processing, the National Information Security Standardization Technical Committee (“TC260”) on April 29, 2022 published for public comment the draft Practical Guide to Cybersecurity Standards – Technical Guidelines on Certification of Personal Information Cross-border Processing Activities (网络安全标准实践指南－个人信息跨境处理活动认证技术规范, draft “Guidelines”).2 The deadline for submission of comments is May 13, 2022.
We note that the Guidelines, once approved, would constitute a guide for standardization by the TC260 Secretariat to promote cybersecurity-related standards and knowledge, and provide standardized practice guidelines, not a national standard itself. We also note that the draft Guidelines do not include a list of accredited certification institutions.
Who will need to make a certification
The draft Guidelines (Section 1) would apply to:
- Cross-border processing of PI by multinational companies (“MNCs”) or internal PI cross-border processing by economic entities, i.e., businesses including Chinese subsidiaries of MNCs, and public institutions; and
- Overseas processors of the PI of natural persons located in China, when the processing is for the purpose of analyzing/assessing the behavior of such natural persons, as specified in Article 3(2) of PIPL.
We understand that the draft Guidelines would not apply to PI cross-border processing activities that are separately subject to a CAC security assessment requirement (Section 1, para 2).
Applications for certification would need to be made by the in-China entity of the MNC, economic entity or public institution, or the organization set up or designated representative in China in cases of overseas PI processors (PIPL Article 3(2)). Participants in PI cross-border processing activities would be required to adopt PI protection standards that meet or exceed the applicable standards stipulated by the PIPL and personal information protection regulations (Section 3(d)).
Consistent with one of the conditions for cross-border PI transfer specified in Article 38(2) of the PIPL, the draft Guidelines clarify that the certification for PI cross-border processing would be voluntary, but the government will recommend capable/qualified parties to conduct the certification (Section 3(f)). This means that certification itself would not be mandatory as it is just one of several ways to enable cross-border PI processing, others being security review and standardized agreement. The Chinese government nonetheless recommends that parties seek certification.
Basic requirements for PI cross-border processing activity
- The draft Guidelines would require that parties participating in PI cross-border processing enter into legally binding and enforceable documentation. In particular, such documentation would be required to clearly specify that (Section 4.1):
- The parties concerned comply with unified PI processing rules;
- The parties warrant that they accept supervision by a certification institution;
- The parties warrant that they are governed by applicable Chinese PI protection laws and regulations; and
- The parties identify the entity which bears legal responsibility in China.
- The draft Guidelines would also specify requirements for organizational management, including the appointment of the individual in charge of PI protection and the establishment of a PI protection unit in each party participating in the PI cross-border processing activity (Sections 4.2.1 and 4.2.2).
Responsibilities and obligations (Section 5.2)
The parties involved in PI cross-border processing activity would be required to bear the following responsibilities and obligations:
- Inform PI subjects of the basic information of the parties participating in the cross-border processing activities; the purpose, storage time limit, and type of PI to be provided overseas; and obtain individual consent from each PI subject;
- Liability of the domestic party for compensation when the PI cross-border processing harms the interests of PI subjects;
- Warrant by all parties that they are subject to supervision by the Chinese certification institution with respect to the PI cross-border processing, including responses to inquiries and regular inspections;
- Compliance with applicable Chinese PI protection law and regulations and subjection to Chinese jurisdiction.