China Rolls Out Personal Information Protection Certification Regime

Written By

james gong Module
James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

tanya luo Module
Tanya Luo

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, and telecommunications.

jacqueline che Module
Jacqueline Che

Associate
China

As an associate in our Commercial team based in Shanghai, I advise Chinese and international clients on a range of data protection and cybersecurity issues, with a special focus on the TMT sector.

On 18 November 2022, the State Administration for Market Regulation (“SAMR”) and the Cyberspace Administration of China (“CAC”) jointly issued an announcement to implement a personal information protection certification regime (“PI Protection Certification”) and published the implementing rules (“Certification Rules”). In this article, we highlight the key provisions of the Certification Rules and set out our observations.

BACKGROUND

China’s Cyber Security Law (“CSL”) provides that the government will promote certification, testing and risk assessment for cybersecurity. The Data Security Law (“DSL”) also states that the government will encourage data security assessment and certification services. In June 2022, SAMR and the CAC announced they would establish the regime for data security management certification and published relevant rules for establishing the regime.

Under the Personal Information Protection Law (“PIPL”), the CAC will coordinate the relevant ministries to support personal information protection assessment and certification services. In June 2022, the National Information Security Standardization Technical Committee (“TC260”) published the first version of the Guidance for Cross-border Personal Information Processing Activities (TC260-PG-20222A) (“PI Export Certification Guidance”), which was updated in December. The PI Protection Certification is a further move by the government to complete the certification regime for personal information protection.

KEY PROVISIONS AND OBSERVATIONS

I. Certification standards

Personal information processors1 (“PI Processors”) are required to comply with the Personal Information Security Specification (GB/T 35273) (“PI Specification”), which is a set of non-mandatory national standards on data protection originally published in 2017. The TC260 updated the PI Specification in March 2020 but there has been no further update since.

As the latest version of the PI Specification was released over a year before the PIPL was introduced, some of the provisions in the PI Specification are inconsistent with the PIPL, for instance, the scenarios where PI Processors could rely upon other legal bases rather than consent for processing of personal information (“PI”). Therefore, the current version of the PI Specification may not be suitable to provide the standards for the PI Protection Certification. Consequently, PI Processors that apply for certification run the risk of violating the PIPL.

The reference to PI Processors in the Certification Rules seems to suggest that an entrusted party defined in the PIPL as a party that processes PI on behalf of a PI Processor, will not be able to apply for the PI Protection Certification; further an applicant can only apply for PI Protection Certification in relation to the processing activities that the applicant itself has conducted in its capacity as a PI Processor. It is not clear whether this is the intention of the CAC.

The Certification Rules also require PI Processors that export personal information, to comply with the PI Export Certification Guidance, which therefore applies the Certification Rules to PI export certification as well.

II. Certification process

The certification process consists of four steps:

1. Application:
  • the certification applicant will submit to the certification institutions the application materials that include the applicant’s basic information, certification engagement document, and
    relevant supporting documents;
  • the certification institutions will review the application materials to determine whether the application is acceptable;
  • if acceptable, the certification institutions will prepare and notify the applicant of the certification plan that covers the types and amount of PI, the scope of processing and information of technical verification institutions, which are supposed to conduct technical assessment of the applications;
2. Technical verification:
  • the technical verification institutions will carry out technical verification according to the certification plan and issue relevant report(s);
3. Onsite inspection:
  • the certification institution will inspect the applicant’s operations on site and issue relevant report(s);
4. Assessment and approval:
  • the certification institution will issue a certificate to the applicant that meet the certification requirements or require rectification within a specified time limit. A failure to rectify within the specified time may result in a failed certification application.

The Certification Rules do not specify in detail what constitutes the application materials, what the certification plan is, or the scope of the technical verification and onsite inspection. The list of certification institutions and technical verification institutions are yet to be published.

Further, at the commencement of the application for certification the certification institutions are required to specify the time frame within which each of the above steps need to be completed. However, the Certification Rules do not provide guidance as to length of any time frame.

Once granted, the certification will be valid for three years. If the PI Processor wishes to renew the certification, it must apply within six months before the existing certification’s expiry. The certification institution will assess the application by way of post-certification supervision discussed below.

PI Processors must also apply for an update of its certification if its name or registered address, certification requirements or certification scope change. The certification institution will assess the application and may conduct a technical verification and/or onsite inspection if necessary.

III. Post-certification supervision

The certification institution is required to continuously supervise a PI Processor by conducting a “comprehensive assessment” on a periodical basis after a PI Processor receives its PI Protection Certification. PI Processors that fail to pass the assessment will have their certification suspended or withdrawn.

However, the Certification Rules do not specify the scope of the assessment for the post-certification process, in particular, whether it will involve ongoing technical verifications or onsite inspection.

CONCLUSION

The PI Protection Certification provides the PI Processors with a way to assess their own PI protection level with accreditation from independent third-party institutions. The Certifications Rules establish the framework of the certification regime but currently lack key details to ensure that the regime is workable. We expect further details when the implementing rules are published in 2023 to provide for such details.

1A personal information processor is defined under the PIPL as an organisation or individual that independently determines the purposes and means of the processing, akin to the concept of data controller under the General Data Protection Regulation (“GDPR”) of the European Union.

Latest insights

More Insights
Curiosity line blue background

Talent Wars: The Impact of Artificial Intelligence on Human Resource Practices Across Asia

Dec 27 2024

Read More
Curiosity line yellow background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More