Article 38 of China’s Personal Information Protection Law (“PIPL”) enacted in 2021, which is more demanding than GDPR in Europe, provides three channels to conduct the outbound transfer or export of personal information (“PI”). The three channels are: (i) a government-led security assessment when the quantity of PI to be exported crosses the relevant quantitative threshold; (ii) execution with the recipient of a government-approved standard contractual clause (“SCC”); and (iii) Personal Information Protection Certification (“PIPC”) by a government-approved entity. While PIPC is officially voluntary, Chinese regulators nonetheless expressly encourage companies to adopt the certification mechanism to improve data governance and compliance.¹

The China Cybersecurity Review Technology and Certification Center (“CCRC”), a state-owned certification institution directly under the supervision of the State Administration for Market Regulation, recently became the first certification institution approved to conduct PIPC. CCRC subsequently posted online the PIPC Management System as well as the official Application Form for PIPC (“Application Form”).²

In accordance with the PIPC Management System, the application process for PIPC is as follows:

• The applicant submits its Application Form with the required certification materials and information identified therein, including
• Information on the organization(s) to be certified by the PIPC, including name, address, business operations, and total number of employees of said organization(s)
• Self-assessment and relevant supporting documentation
• Description of the business operations which require export of PI
• Organization chart or description of duties of the applicant
• List of data to be included in the export, including categories of PI or sensitive PI (“SPI” or sometimes “PSI”) in accordance with relevant data classification catalogues to be finalized by the organization(s)
• Contract between the transferor and the overseas transferee may also be required
• The applicant must affirm that it has not suffered any major PI security incidents within the past twelve months.
• PIPC is achieved through a combination of technical verification, onsite verification and post-certification supervision. CCRC determines the certification plan based on the certification materials, including identifying a technical verification institution. CCRC is in the position of conducting onsite verification and post-certification supervision.
• The applicant must notify CCRC of any changes that would affect the validity of a PIPC certification, including but not limited to changes to the list of data and scope of business.
• PI processors who engage in cross-border PI processing activities must also comply with the requirements set out in TC260-PG-20222A - The Practical Guide to Cybersecurity Standards – Specifications on Security Certification for Cross-Border Personal Information Processing Activities (V2.0-202212)) promulgated by the National Information Security Standardization Technical Committee on December 16, 2022 (“Certification Specifications V2.0”).³

If the data export activity does not trigger a mandatory government-led security assessment, multinational companies may choose between PIPC and SCCs for permission to transfer PI overseas. Now that the first certification institution qualified to issue PIPC has been announced, even before SCCs have been finalized, companies may prefer to pursue the PIPC channel. Doing so now would signal to regulators and business partners that the company subscribes to a higher level of PI protection compliance, which may in turn enhance its business image in China.