AN ALTERNATIVE MECHANISM FOR CROSS-BORDER DATA TRANSFER IN CHINA – CERTIFICATION

A company in China has the option of relying on (i) the standard contract (see our article) or (ii) certification to transfer personal information outside of China, if it is not subject to the mandatory Cyberspace Administration of China (CAC) security assessment. Certification is, therefore, an alternative data transfer mechanism to the standard contract under the Personal Information Protection Law (PIPL).

On 16 December 2022, the Chinese National Information Security Standardisation Technical Committee released an updated edition of the Practice Guidelines for Cybersecurity Standards – Technical Specification for the Certification of Cross-Border Processing of Personal Information (Specification). This sets out the standards and requirements for designated certification agents to support their certification processes and provides a guide for data transferors in relation to their personal information cross-border transfer activities[1].

For a discussion on the application of, and major requirements for, certification under the previous edition of the Specification, please see our article Important Updates On Cross-border Data Transfer In China.

1. Key changes in the updated specification

1.1 Potential change in scope of application

Article 1 of the Specification has been amended to provide that it applies to all and any personal information cross-border processing activities. This appears to expand its application beyond the specific scenarios listed in the previous edition, with some practitioners commenting that the revised Specification now applies to all cross-border processing activities. However, the provisions of the Specification relating to the “Certification Applicant” suggest that it (and the relevant certification mechanism) continue to only apply to the limited previously-specified scenarios, ie intra-group data transfers and the cross-border transfer of personal information by overseas companies which are subject to the extra-territorial scope of PIPL. We expect further clarification on the applicable scope of the Specification will be provided by the certification institutions in due course.

1.2 Additional requirements for the document between data transferor and overseas recipient

The data transferor and overseas recipient must sign a legally binding document to ensure that the rights and interests of data subjects involved are protected. The Specification sets out additional mandatory clauses to be included in that document as follows:

  • the responsibilities and obligations in respect of personal information protection by the data transferor and overseas recipient, as well as the technical and management measures to prevent security risks caused by cross-border personal information processing;
  • the rights of personal information subjects in respect of their personal information, eg the right to delete their personal information, and the means to protect those rights;
  • relief for breaches of the legally binding document, termination of agreement, liability for breach of agreement, dispute resolution (among other provisions); and
  • undertakings of the data transferor and overseas recipient to bear the PRC civil law liabilities in relation to the infringement of personal information rights and interests.

The Specification does not provide template clauses. However, based on these mandatory clauses, the document is not substantially different from the standard contract for cross-border transfer of personal information. Data transferors may, therefore, use the standard contract as a basis for preparing the legally binding document.

1.3 Focus of personal information protection impact assessment

The PIPL requires a personal information protection impact assessment to be carried out for cross-border transfers of personal information.

The CAC’s guidelines on security assessment provide a template for the self-assessment report (which is needed before applying for the mandatory CAC security assessment). Data transferors can use this template for the assessment required under the certification mechanism, but it is not necessary to cover all of the elements.

Personal information protection impact assessment reports must be kept for at least three years, which is consistent with the requirements under the PIPL.

The Specification clarifies that personal information protection impact assessment reports must include at least the following items:

  • the legality, legitimacy, and necessity of the purpose, scope, and means of processing personal information by the data transferor and overseas recipient;
  • the scale, scope, type, sensitivity, and frequency of cross-border personal information processing, and the risks in respect of the personal information;
  • whether the overseas recipient has undertaken to perform its responsibilities and obligations and to implement management and technical measures, and whether it has the capability to fulfil those responsibilities and obligations so as to guarantee the security of cross-border personal information processing;
  • the risk of leakage, damage, tampering, abuse of personal information (among other risks) after cross-border processing, and the channels for individuals to protect their rights and interests; and
  • the impact that the personal information protection policies and regulations of the country or region where the overseas recipient is located have on the performance of personal information protection obligations and the protection of personal information-related rights and interests.

1.4 Additional obligations on the data transferor and overseas recipient

The Specification imposes a number of additional obligations on the data transferor and overseas recipient as follows:

  • The overseas recipient must immediately notify the data transferor and certification body if the laws or policies of the country or region where the overseas recipient is located change such that the overseas recipient is unable to meet the certification requirements.
  • The overseas recipient must undertake not to provide personal information received from the data transferor to a third party.
  • The data transferor and overseas recipient must record the cross-border processing of personal information, keep those records for at least three years, and provide them to the competent PRC authority, if requested.
  • In the event of personal information leakage, tampering or loss, the data transferor and/or overseas recipient is required to immediately take remedial measures, notify the other party, report the incident to the competent PRC authority, notify the personal information subjects, and record and retain all the relevant facts and the impact.
  • The parties shall bear the burden of proof in demonstrating that the relevant obligations have been fulfilled (in case of any breach or query from the competent PRC authorities).

Some of these obligations are imposed directly on the overseas recipient, so the overseas recipient will be subject to the supervision of the certification agents.[2]

1.5 Data subjects’ rights and relevant courts

The Specification provides that personal information subjects can claim against both the data transferor and overseas recipient when asserting their rights in respect of their personal information, including by requesting either one of them takes steps to satisfy the personal information subject’s requests and in seeking compensation.

The Specification provides that the courts determined in accordance with the PRC Civil Procedure Law will have jurisdiction (instead of the courts of the habitual residence of the relevant data subjects). In practice, this means that data subjects may also bring actions before the relevant courts in the place where the defendant is domiciled or where the data breach occurred.

2. When is Certification possible?

Before any cross-border transfer of personal information, a data transferor needs to determine whether it is subject to the mandatory CAC security assessment or whether any other cross-border mechanism (eg certification or the standard contract) can be implemented. The following flowchart sets out the key determining factors.

[Flowchart: key determining factors for whether a cross-border transfer is subject to the mandatory CAC security assessment or may rely on certification or the standard contract]

3. Aspects requiring further clarification

Further clarification is still needed on the scope of application of the Specification and the relationship between the legally binding document under the Specification and the standard contract for cross-border transfer of personal information.

The China Cybersecurity Review Technology and Certification Center has announced that it is responsible for certification. It has established an online system for certification applications and has published a template application form on its website.

It remains to be seen whether certification will become a popular option for the transfer of personal information outside of China compared with the standard contract.


[1] This is one of the mechanisms for cross-border transfer of personal information under Article 38 of PIPL.

[2] A certification agent is not a regulator and therefore is not subject to statutory restrictions such as confidentiality.


Nanda Lau
Head of Corporate, China, Mainland China
+86 21 2322 2117
Peggy Chow
Of Counsel, Singapore
+65 6868 8054
Weili Zhong
Senior Associate, Mainland China
+86 10 6535 5105