On 24 June 2022, the National Information Security Standardization Technical Committee (“TC260”) circulated the finalised Technical Certification Specification for Certification of Personal Information Cross-border Processing (“Certification Specification”). The Certification Specification makes some noteworthy amendments to the draft version released by the TC260 in April 2022 (“Draft Certification Specification”) (for our comments on the Draft Certification Specification, please click here).
In this article, we highlight the key amendments of the Certification Specification and set out our observations.
In its extract, the Certification Specification explicitly requires personal information (“PI”) processors who apply for the certification to comply with the requirements of the non-binding national standard Information Security Technology – Personal Information Security Specification published by the TC260 (“Security Specification”).
The Security Specification lays down detailed requirements on personal information processing, which are intended to serve as a good practice guide for entities that process PI in China. Notably, the Security Specification is a recommended national standard published before the Personal Information Protection Law (“PIPL”), and some of its requirements may be inconsistent with the PIPL. To render such requirements effective under the current legal framework, the TC260 should update the Security Specification as soon as possible.
Nonetheless, the Certification Specification seems to treat the Security Specification as a prerequisite for the application of the certification regime. As such, PI processors should make sure that the full life cycle of the processing is aligned with the Security Specification.
The Certification Specification applies in the following scenarios:
For Scenario One, the Certification Specification affirms that the certification regime applies to the intra-group transfer within the same group of companies and amends the wording to render it less ambiguous.
For Scenario Two, the Certification Specification makes it clear that it applies to persons subject to the extraterritorial effect of the PIPL. However, as we previously discussed, this extension of the certification regime lacks a legal basis and fails to provide enough incentive for such entities to obtain the certification. More importantly, the Certification Specification as a whole provides very little guidance as to what the requirements are in Scenario Two. Hopefully, the TC260 will explain in more detail how it envisages the certification regime being implemented in Scenario Two.
The basic requirements under the Certification Specification remain the same, namely a legally binding agreement, organisational management measures, and protection of individuals’ rights to personal information, and most of the detailed requirements remain unchanged.
The Certification Specification makes clear that it is the PI processors and the foreign recipients that will be bound by such requirements, although the more precise term would be the PI processor within China or a PI exporter.
The binding and enforceable document is expressly referred to as a legally binding agreement, and therefore the PI processor and the foreign recipient must enter into such an agreement. Interestingly, under the agreement only the foreign recipient, instead of all the relevant parties, must undertake to abide by the personal information cross-border processing rules, accept supervision of the certification institution and be governed by the Chinese PI protection law and regulations. The rationale behind this change seems to be that the PI processors located within China will automatically be subject to such requirements. However, the PI processor in China may not necessarily be subject to the cross-border processing rules or the supervision of the certification institution in the absence of any mandatory legal requirements, which the Certification Specification certainly lacks.
Unless a mandatory regulation requires otherwise, it is still necessary for the PI processors in China to give such undertakings in the agreement, which is at least a binding obligation enforceable by the parties to it. Besides, the Certification Specification fails to specify the governing law for the agreement, which seems to be an omission by the TC260 that could give rise to unwanted flexibility for the parties.
The PI processor in China must conduct a personal information protection impact assessment (“PIPIA”) on the cross-border processing activities. The Certification Specification deletes the requirement to use the non-binding national standard Guidance for Personal Information Security Impact Assessment as guidance for the PIPIA. As discussed in our previous comments, this national standard took effect before the PIPL and will need to be updated if it is intended to be used for conducting a PIPIA.
The Certification Specification adds a requirement that the PI processors in China and the importers take remediation measures to address data breach incidents promptly, and notify the relevant government authorities and inform the affected individuals when such an incident has occurred or is likely to occur.
The Certification Specification retains most of the requirements in the previous draft whilst making some clarifications and supplements. However, most of the issues we raised in our comments on the previous draft remain unresolved. The Certification Specification is a useful attempt by the TC260 towards establishing a certification regime for data export in China, but the regime will not be complete in the absence of higher-level mandatory regulations.