On 2 December 2022, the Communist Party of China ('CPC') Central Committee and the State Council jointly released the Opinions on Building Basic Systems for Data to Better Play the Role of Data Factors ('the Opinions'), in order to speed up efforts to build basic systems for data, give full play to China's strengths in massive-scale data and rich application scenarios, and stimulate the potential of data factors. Dr. Annie Xue and Yang Chen, from GEN Law Firm, outline the key takeaways from the Opinions.

Great news from the Cyberspace Administration of China ('CAC') - China's Standard Contract Measures for Exporting Personal Information ('the SCC Measures') have been officially adopted by the CAC on 22 February 2023. Since this date, there officially are three approaches for data transfers under the Personal Information Protection Law ('PIPL') of the People's Republic of China ('PRC'). Without a doubt, the Chinese Standard Contractual Clauses ('SCCs') will be a great choice for small and medium-sized organisations to comply with the requirements for data transfers.

Dehao Zhang, Counsel at Fieldfisher China, discusses the SCC Measures, including requirements around Personal Information Protection Impact Assessments ('PIPIAs') and practical considerations for businesses.

The long-awaited Standard Contractual Clauses of China ('China SCCs'), as referred to in Article 38 of the Personal Information Protection Law ('PIPL'), and the Regulations for the China SCCs ('the Regulations') were finally endorsed and released by the Cyberspace Administration of China ('CAC') on 24 February 2023¹.

The perception of the China SCCs as being straight-forward and simple template clauses to just be concluded as they are could lead in the wrong direction. The complexities ahead shall not be underestimated, particularly for multinational companies. In this Insight, Dr. Michael Tan, Dr. Paul Voigt, Julian Sun, and Wiebke Reuter, from Taylor Wessing, share their long-term observations and thoughts on the China SCCs, as well as practical steps on how businesses can prepare.

The State Administration for Market Regulation ('SAMR') and the Cyberspace Administration of China ('CAC') have jointly formulated and released the Rules for the Implementation of Personal Information Protection Certification. In fact, they decided to implement a personal information protection certification according to the Regulations of the People's Republic of China on Certification and Accreditation, with a view to encouraging personal information processors to improve their personal information protection capabilities through certification.

Dehao Zhang, Counsel at Fieldfisher LLP, unpacks the key elements of the certification, which, despite not being a mandatory obligation for organisation, provides another compliance approach for cross-border data transfers.

On 16 December 2022, the National Information Security Standardization Technical Committee of China promulgated the guidelines for the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information v2.0 ('the revised Specification'), replacing the original specification enacted on 26 June 2022. The revised Specification provides implementation rules for one of the practical ways for lawfully conducting cross-border data processing activities, i.e. third-party certification. The revised Specification contains the applicable scenarios, ways to obtain certification, basic principles, basic requirements, and special requirements for securing data subjects' rights. Ziqing Zheng, Partner at Zhong Lun Law Firm, discusses the revised Specification and its content.