Privacy & Data Protection

China: Certification

Latest developments

On 16 December 2022, the National Information Security Standardisation Technical Committee (TC260) circulated the 2.0 version of the Technical Certification Specification for Certification of Personal Information Cross-border Processing (Certification Specification 2.0).

Summary

The Certification Specification explicitly requires PI processors that apply for the certification to comply with the requirements of the non-binding national standard Information Security Technology – Personal Information Security Specification published by the TC260 (Security Specification).

The Certification Specification 2.0 specifies who is qualified to apply for the PI Export Certification:

  • Entities located in China may apply for the certification in respect of sharing within a multinational company or within an economic or public entity.
  • Local representatives established or designated by overseas PI processors may submit the application on behalf of the foreign PI processors. Pursuant to the PIPL, a foreign PI processor subject to the PIPL's extraterritorial effect must establish or appoint a local representative in China.

The basic requirements under the Certification Specification include:

  • Legally binding and enforceable documents: Relevant parties involved in cross-border processing of personal information should sign legally binding and enforceable documents to protect the rights of individuals.
  • Organisational management: Both the PI processor (i.e. the exporter) and the overseas recipient involved in cross-border processing activities should designate their own personal information protection officers and establish their personal information protection departments to carry out certain data protection tasks in the cross-border processing activities.
  • Unified cross-border processing rules: The PI processor (i.e. the exporter) and the overseas recipient must abide by a set of unified cross-border processing rules, which should at least include the following contents:
    • Details of cross-border processing, including volume, scale, categories and sensitivity of personal information;
    • The purposes, means and scope of cross-border processing;
    • Retention period and disposal methods upon expiry of the period;
    • Countries or regions where personal information will be transferred in transit;
    • Resources and measures that are required for protecting rights of individuals; and
    • Compensation and response plans related to personal information security incidents.
  • PIPIA: The PI processor (i.e. the exporter) should conduct a PIPIA prior to exporting personal information outside of China.

How could it be relevant for you?

Some essential elements of the certification regime are not addressed by the Certification Specification, such as the accredited certification bodies, the certification procedure and the validity period of the certification; we expect these to be covered by future regulations and guidelines. As such, for companies that are not subject to the Security Assessment, the more practical option for exporting PI at this stage is the Standard Contract.

Next steps and relevance

The Certification Specification 2.0 is a useful step by the TC260 towards establishing a certification regime for data export in China, but the regime will not be complete in the absence of higher-level mandatory regulations. In addition, many questions, such as how the Certification Specification applies to PI processors subject to the extraterritorial effect of the PIPL, need to be further explained.

*Information is accurate up to 27 November 2023
