On 16 December 2022, the National Information Security Standardization Technical Committee (“TC260”) released the 2.0 version (“Updated Version”) of the Technical Specification for Certification of Personal Information Cross-border Processing (“Certification Specification”), less than six months after issuing the first version. In this article, we highlight the key changes in the Updated Version and set out our observations.
Certification is one of the two safeguards, to be released by the Cyberspace Administration of China (“CAC”), which the personal information processors (“PI Processors”) [1] may adopt in order to export personal information under the Personal Information Protection Law (“PIPL”) if they do not reach the thresholds for a security assessment conducted by the CAC. The other safeguard being the standard data export contract (“Standard Contract”).
On 24 June 2022, the TC260 issued the first version of the Certification Specification, which was intended to provide guidance for implementing the certification regime and released a draft of the Updated Version on 8 November 2022. On 18 November 2022, the CAC and the State Administration for Market Regulation confirmed that the Certification Specification will be used as the standards for certification of cross-border data processing activities in the rules for personal information protection certification (for our comments on the rules, please click here). As a low-level technical guidance, the rules falls short of the legal authority of national standards.
In our comments on the previous version of the Certification Specification (click here) and its consultation draft (click here), we raised some issues that need to be addressed. In this article, we will set out the key changes in the Updated Version and discuss whether any of the prior issues have been resolved or whether any new issues have emerged.
Scope and extraterritorial effect
The Updated Version makes no amendment to the current scope of the Certification Specification, which applies to the following scenarios:
For the overseas PI Processors in Scenario Two, there do not appear to be enough benefits to justify their investment in attaining the certification. In addition to the cost of implementing such certification, the requirements under the Certification Specification will require the overseas PI Processors to adapt their existing intra-group transfer mechanisms and rules. In the absence of clear indication that the CAC will prioritise such overseas PI Processors for enforcement actions, there seems to be a lack of incentive for the multinational companies and organisations to apply for the certification.
Implementation has also been made particularly difficult by the fact that most of the requirements of the Certification Regime cater to Scenario One only, which is not suitable for Scenario Two where there is no exporter at all.
Although it is provided that the local representatives appointed by the overseas PI Processors may apply on its behalf, it does not render the application any more practical. Whilst the regime for registering local representatives has yet to be established, such local representative may also be reluctant to apply on behalf of the overseas PI Processors, as the local representatives may be held legally liable under the Certification Specification for all the materials it submits.
PI Processor as applicant
The Updated Version introduces the concept of the PI Processor, as defined under the PIPL, and makes it the eligible applicant for the certification. It goes further through requiring the PI Processor to have a legal personality, good reputation and credibility.
The Updated Version excludes from the scope the scenarios where the data exporter in China is an entity (“Entrusted Party”) that is entrusted by a PI Processor to process the personal information and cannot determine the purpose or means of the processing. It is common for a Chinese subsidiary of a multinational company to act as the Entrusted Party and export personal information to its overseas affiliates, who are PI Processors. In other words, the certification under the Updated Version does not cover all types of data exports from China, and the implications are that some multinational companies may need to adopt both the certification and the Standard Contract as safeguards for data exports, which would render the certification regime even less appealing for multinational companies.
In addition, the Updated Version excludes from the certification any organisations that are not legal persons, and therefore non-governmental organizations, representative offices and alike may not qualify as an applicant for the certification.
The Updated Version adds more requirements for the applicants of the certification to comply with, and most of these requirements (including concepts) are lifted from the draft Standard Contract released by the CAC (for our comments on the Standard Contract, please click here).
In particular, the Updated Version:
With so many elements of the draft Standard Contract incorporated into the Updated Version, the intention seems to be to bring the protection standards under the certification in line with those under the Standard Contract.
Whilst some commentators argue that the legal agreement under the certification does not need to be the same as the Standard Contract, it appears that participants in the certification will be subject to obligations equivalent to those under the Standard Contract in any case.
In light of the above, the certification regime, as revised by the Updated Version, does not seem to bring apparent significant advantages over the Standard Contract. The enhanced requirements subject the multinational companies to an equivalent level of the obligations as found under the Standard Contract. In addition, the multinational companies will still need to conduct the PIPIA; establish a personal information protection department in each of the exporters and importers; enter into a set of binding corporate rules compliant with the Certification Specification; and go through the certification application process.
These requirements are far more onerous than those contemplated under the Standard Contract, and as a result the Update Version may not be able to serve the purpose of facilitating data export within multinational companies and international organisations as expected. Multinational companies should assess the cost-efficiency of the certification regime over other safeguards for data export, especially the Standard Contract, before they proceed.
[1] A personal information processor is defined as an organisation or individual that independently determines the purposes and means of the processing under the PIPL.