On December 16, 2022 – less than six months after the initial version (“V1.0”) was released in June 2022, and within six weeks after the draft revision was issued on November 8 – the National Information Security Standardization Technical Committee (“TC260”) published TC260-PG-20222A – The Practical Guide to Cybersecurity Standards – Specifications on Security Certification for Cross-Border Personal Information Processing Activities (V2.0-202212) (“V2.0” or “Certification Specifications”).
The Certification Specifications are intended to implement the personal information (“PI”) protection certification regime as one of the three specified channels provided in Article 38 of the Personal Information Protection Law (“PIPL”) for the cross-border transfer of PI. The other specified channels are standard contractual clauses (“SCCs”) and a security assessment led by the Cyberspace Administration of China (“CAC”). While certification is officially voluntary, Chinese regulators nonetheless expressly encourage companies to adopt the certification mechanism to improve data governance and compliance (Article 4(f)).
The Certification Specifications function as best industry practice and provide the basis for qualified institutions to carry out certifications for cross-border PI processing activities. They also serve as a reference for PI processors to regulate their cross-border PI processing activities.
Scope of application
V1.0 would have limited the application of certification to (a) PI cross-border processing by multinational companies (“MNCs”) or internal PI cross-border processing within group undertakings; and (b) circumstances subject to the PIPL’s extraterritorial reach as specified in Article 3 para. 2 of the PIPL.
V2.0 deletes this limitation and instead provides that certification applies to all PI cross-border processing activities (Article 1), to encourage the protection of PI outbound transmission through security certification by all applicable PI processors on a voluntary basis. V2.0 still lists internal cross-border PI transfer among affiliates within the same MNC or economic or business organization as a scenario subject to certification under V2.0.
Applicants
V2.0 adds a qualification requirement: applicants for certification must have legal-person status with sound credit and reputation, and must maintain normal operations. In the case of cross-border PI processing by MNCs or among subsidiaries or affiliates under the same economic or business entity, the party in China shall be the applicant; in the case of PI processing by overseas PI processors under the circumstances specified in Article 3 para. 2 of the PIPL, the designated entity or representative of the overseas PI processor shall be the applicant (Article 2).
Legally-binding document
V2.0 requires PI processors and overseas receiving parties to enter into legally binding and enforceable documents for PI cross-border processing. V2.0 further requires that the two sides clarify in the document the cross-border PI processing purpose, sensitivity, quantity, method, retention period, storage location, and the rights of PI subjects as well as the methods and means to safeguard those rights.
PI protection impact self-assessment
V2.0 significantly extends the requirements for the self-assessment of the impact on PI protection that PI processors must perform prior to cross-border transfer (Article 5.4), including the generation of an assessment report and a three-year report retention requirement. The assessment report must also cover more specific items, including 1) the overseas receiving party’s past experience in cross-border transmission and processing of similar PI, whether the overseas receiving party has had any data security-related incidents and whether it has handled them in a timely and effective manner, and whether the overseas receiving party has ever received a request for PI from the public authority of its home country/region and how it responded to such a request; and 2) the current laws and regulations on the protection of PI in the relevant country/region, the generally applicable standards, and the differences in relevant laws, regulations and standards for PI protection vis-à-vis China (Article 5.4(e)).
PI processor/overseas receiving party’s obligations
V2.0 refines and expands the obligations of PI processors and overseas receiving parties. For example, V2.0 requires the two parties to conduct compliance audits on a regular basis with respect to their handling of PI (Article 5.2.2(e)); to accept supervision by certification institutions on cross-border PI processing, including by answering inquiries and cooperating with inspections; and to provide relevant records to Chinese authorities that perform PI protection duties (Articles 5.2.2(g) and 6.2(k)).
Rules for PI cross-border processing
The rules for PI cross-border processing in V2.0 (Article 5.3) are similar to the rules in V1.0 for the PI processors and overseas receiving parties, but V2.0 requires (Article 5.3 para. 1) that the PI processors and overseas receiving parties agree on and abide by “identical” (同一) PI cross-border processing rules. This is a change of wording from V1.0, which stated that the PI processors and overseas receiving parties shall abide by “unified” (统一) PI cross-border processing rules. This change apparently adds greater authority to the domestic PI processors.
Conclusion
MNCs need to conduct an internal assessment of the efficiency and their eligibility to choose from different channels for PI cross-border transfers. Where the cross-border data transfer activities do not trigger the mandatory CAC-led security assessment, MNCs may choose security certification or SCCs as a channel to transfer PI overseas. Given that neither V2.0 nor the SCC rules are finalized, it remains unclear which channel may be more efficient for MNCs to engage in intragroup cross-border PI transfers. A security certification may, however, signal to regulators and business partners that a company subscribes to a higher level of PI protection compliance, which may in turn enhance its corporate reputation in China. However, the identification of certification institutions and the details of the certification procedure have yet to be specified.