China’s Certification for Personal Information Export: Underway?

On 29 April 2022, the National Information Security Standardization Technical Committee (“TC260”) released the draft Technical Specification for Certification of Personal Information Cross-border Processing (“Draft Specification”) for public consultation.

In this article, we highlight the key provisions of the Draft Specification and set out our observations on the proposed measures.

Background

Article 38 of the Personal Information Protection Law (《个人信息保护法》) (“PIPL”) (see our separate commentary on the PIPL) provides for three routes for personal information processors (“PI Processors”)[1] exporting personal information out of mainland China (“China”), namely:

  1. passing a governmental security assessment as required for critical information infrastructure operators and organisations that process personal information reaching a certain threshold amount (“Thresholds”) specified by the Cyberspace Administration of China (“CAC”);
  2. attaining a personal information protection Certification (“Certification Regime”) by an institution accredited by the CAC; or
  3. entering into a standard contract with the foreign recipient, which is to be formulated by the CAC.

The CAC released the draft Measures of Security Assessment for Data Export (《数据出境安全评估办法(征求意见稿)》) (“Draft Export Measures”) in October 2021, which set out in more detail the Thresholds and the procedures of the governmental security assessment (see our separate commentary on the Draft Export Measures).

For the Certification Regime, the Draft Specification is the first attempt to provide more guidance on implementing the Certification Regime. According to TC260, it intends the Draft Specification to shed some light on the certification criteria for certification bodies and to provide guidance to PI Processors engaged in cross-border personal information processing activities.

Before diving into the Draft Specification, it is worth noting that the Draft Specification is non-binding practical guidance with a legal effect even lower than that of recommended national standards, and therefore it lacks the compulsory effect of an implementing regulation.

Key Provisions and Observations

Applicability of Certification Regime

Under the Draft Specification, the Certification Regime applies in the following scenarios:

  1. Scenario One: cross-border personal information processing activities within a multinational company or an economic or public entity; and
  2. Scenario Two: processing activities carried out outside of the territory of China by foreign PI Processors that are subject to the extra-territorial effect of the PIPL[2].

On the one hand, whilst the PIPL does not limit the applicability of the Certification Regime to specific types of personal information export, the Draft Specification narrows the applicability of the Certification Regime to cross-border personal information sharing within a company or organisation. It is not clear whether such a limitation is authorised by higher authorities.

On the other hand, the Draft Specification extends the Certification Regime to overseas PI Processors that are subject to the extraterritorial effect of the PIPL but may not be involved in the export of personal information at all. The TC260 does not give any explanation as to the legal ground for this extension. In fact, TC260 states in the Draft Specification that it only intends to provide guidance for establishing the Certification Regime under article 38 of the PIPL, which only concerns the export of personal information.

From the perspective of overseas PI Processors subject to the extraterritorial effect of the PIPL, certification is apparently not a mandatory requirement, and therefore there will be no legal consequence if they fail to be certified. Whilst it may be helpful for an overseas PI Processor to assess its compliance with the PIPL by attaining the certification, there does not seem to be enough incentive to do so in the absence of a clear benefit that would justify the costs and resources incurred in the certification process.

We hope that the TC260 can provide more explanation for its position and address these issues in the final draft.

Who may apply for certification?

The Draft Specification also provides for who is qualified to apply for the certification.

  1. In Scenario One, the entities located in China may apply for the certification with regard to the sharing within a multinational company or an economic or public entity. Despite the slightly confusing wording, the Draft Specification apparently intends to refer to a group of undertakings or enterprises that together form the multinational company group or the economic or public organisation and process personal information cross-border, rather than a single company or entity.
  2. In Scenario Two, the local representatives established or designated by foreign PI Processors may submit the application on behalf of the foreign PI Processors. Pursuant to the PIPL, a foreign PI Processor subject to the extraterritorial effect must establish or appoint a local representative in China. Whilst the PIPL remains silent on the liability of local representatives, the Draft Specification goes a step further and purports to hold the local representative liable for its actions relevant to the certification. Although the Draft Specification does not specify what such legal liability will be, it would no doubt make it more difficult for a foreign PI Processor to designate a representative in China.

Certification requirements

The Draft Specification lays down requirements for certification in three main aspects, namely legally binding and enforceable documents, organisational management (including unified cross-border processing rules and a personal information protection impact assessment), and protection of individuals’ rights to personal information.

Legally binding and enforceable documents

Relevant parties involved in cross-border processing of personal information should sign legally binding and enforceable documents to protect the rights of individuals. Such documents should specify at least the following:

  1. identity of parties involved in the cross-border transfer;
  2. purposes of cross-border processing and the categories and scope of personal information being processed;
  3. measures to protect rights of individuals;
  4. undertaking to abide by unified cross-border processing rules (see below) and to ensure that the level of protection is not lower than that under the PIPL and other relevant laws and regulations of China;
  5. undertaking to accept the supervision of the certification bodies;
  6. undertaking to be subject to the Chinese laws and regulations on personal information protection;
  7. entities that bear legal liability within the territory of China; and
  8. other obligations as stipulated by applicable laws and regulations.

Such a document will be signed by the entities in Scenario One and will usually take the form of an intra-group transfer agreement. We note that the Draft Export Measures also lay down requirements for the contract to be entered into between the exporter and the importer. The requirements under the two drafts are generally consistent. Under the PIPL, the CAC will also release the standard contract for data export.

Whilst the requirements under the Draft Specification are only likely to be considered in the certification process, those that are not exporting through the Certification Regime should enter into the standard contract or make sure that their contract meets the requirements under the Draft Export Measures.

It is unclear how the entities subject to the extraterritorial effect of the PIPL should sign such legally binding and enforceable documents and with whom.

Organisational management

Under the Draft Specification, all parties involved in cross-border processing activities should designate their own personal information protection officers. The personal information protection officer should be a member of the senior management within the organisation and possess expertise, knowledge and management experience relevant to personal information protection. The Draft Specification also sets out certain duties that the personal information protection officer must perform.

We note that under the PIPL a PI Processor need only appoint a personal information protection officer if the volume of personal information being processed reaches a threshold that is yet to be prescribed by the CAC.

The Draft Specification also requires all parties involved in cross-border processing to establish a personal information protection department to carry out certain data protection tasks in the cross-border processing activities.

The Draft Specification does not explain the rationale for extending the above requirements to each party involved in cross-border processing activities. Such a move will no doubt make the certification requirements more onerous for companies that export only small amounts of personal information.

Unified cross-border processing rules

Parties involved in cross-border processing must abide by a set of unified cross-border processing rules, which should at least include the following contents:

  1. details of cross-border processing, including categories, sensitivity and volume of personal information;
  2. the purposes, means and scope of cross-border processing;
  3. retention period and disposal methods upon expiry of the period;
  4. countries or regions through which personal information will pass in transit;
  5. resources and measures that are required for protecting rights of individuals; and
  6. compensation and response plans related to personal information security incidents.

The content of such unified cross-border processing rules under the Draft Specification, in certain aspects, resembles binding corporate rules (“BCRs”), which are recognised as a cross-border transfer safeguard under the General Data Protection Regulation.

For instance, BCRs must also include details of the cross-border processing, identification of the third countries or regions, and the means for data subjects to exercise their rights and obtain remedies. However, unlike BCRs, the unified cross-border processing rules do not on their own provide a route for personal information export.

PIPIA

The parties concerned should conduct a personal information protection impact assessment (“PIPIA”) prior to exporting personal information outside of China. A PIPIA tailored to the export of personal information should at least cover: (i) the legality of the personal information export, (ii) the possible impacts of the export on the rights of individuals, and (iii) the impact of the legal and cybersecurity environment of the overseas countries or regions on the rights of individuals.

Notably, the Draft Specification requires exporters of personal information to refer to the latest version of the non-binding national standard Information Security Technology – Guidance for Personal Information Security Impact Assessment (GB/T 39335-2020) when conducting the PIPIA. The current version of that standard was published before the PIPL and provides guidance for the personal information security impact assessment that existed at the time, so it will need to be updated to reflect the PIPL.

The PIPL requires the PI Processors to conduct PIPIA before exporting personal information. However, the Draft Specification seems to extend the obligation to both PI Processors and entrusted parties.

Safeguards for the rights of individuals

The Draft Specification explicitly states that individuals are the beneficiaries with regard to relevant provisions on individual rights in the legally binding documents signed by the parties involved in cross-border processing of personal information. On that basis, the individuals have the right to obtain from the parties a copy of the clauses that are relevant to their rights thereunder. The Draft Specification does not explain why individuals should be treated as beneficiaries of the contract, which seems to be a point that is more appropriate for the court to determine.

The individuals are also entitled to a series of rights stipulated by the PIPL, including the right to be informed, the rights of access, rectification and deletion, the right to refuse automated decision-making, as well as the right to submit complaints to the relevant government authorities or file lawsuits for illegal personal information processing activities.

To provide appropriate safeguards for the rights of individuals, the Draft Specification requires the parties concerned to:

  1. notify individuals of the identities of the parties involved, the purposes of the processing, the categories of personal information and the retention period, and obtain a separate consent of individuals;
  2. abide by the legally binding and enforceable documents;
  3. establish a convenient channel for individuals to exercise their rights;
  4. terminate the export in a timely manner if it is materially impossible to safeguard personal information;
  5. provide a copy of clauses relevant to individual rights as contained in the legally binding documents upon the request of the individual;
  6. ensure that the responsible parties in China (which we assume refers to local entities and local representatives) facilitate the exercise of individual rights and bear the legal liability of compensation where the cross-border processing infringes the rights of individuals;
  7. undertake to be subject to the supervision of the accredited certification bodies; and
  8. undertake to submit to the jurisdiction of China and to comply with the applicable Chinese laws and regulations on personal information protection.

Whilst some of the above requirements may be incorporated into privacy policies and the legally binding documents for cross-border processing, it is unclear how the parties are expected to fulfil the remaining undertakings, which may require a separate undertaking to be issued to the certification bodies.

Conclusion

The Draft Specification is the first step taken toward establishing the Certification Regime introduced by the PIPL. Some essential elements of the Certification Regime are left unaddressed, such as the accredited certification bodies, the certification procedure and the validity period of the certification, which we expect to be covered by future regulations and guidelines.

The Draft Specification has also raised some critical questions. For instance, it is unclear why the Certification Regime should also apply to foreign entities subject to the extraterritorial effect of the PIPL, especially in the absence of a legal basis for that extension or of any incentive for them to seek certification. The onerous requirements of appointing a personal information protection officer and establishing a personal information protection department may deter companies exporting only small amounts of personal information from participating in the Certification Regime. We hope that such issues will be addressed in the final document.

[1] A personal information processor is defined as an organisation or individual that independently determines the purposes and means of the processing.

[2] Under article 3 of the PIPL, processing of personal information of individuals located within China, which is conducted outside China, will be subject to the PIPL if such processing (i) is conducted for the purpose of providing products or services to the individuals, or (ii) involves the analysis or assessment of the behaviours of the individuals.
