The National Information Security Standardisation Technical Committee of China ('TC260') issued, on 24 June 2022, its Practice Guidelines for Cybersecurity Standards - Technical Specification for the Certification of Cross-Border Processing of Personal Information, following public consultations. In particular, the TC260 confirmed that the practice guidelines propose basic principles and requirements for the security of cross-border processing of personal information, as well as the protection of the rights and interests of personal information subjects.

More specifically, the practice guidelines clarify that they provide policy and regulatory requirements in order to implement Article 38 of the Personal Information Protection Law ('PIPL'). In addition, the practice guidelines highlight that they apply to cross-border processing activities of personal information by multinational companies or the same economic or business entity, as well as activities of foreign personal information processors, as stipulated in Article 3(2) of the PIPL. Moreover, the practice guidelines establish principles, such as lawfulness, legitimacy, necessity, as well as good faith, and introduce requirements providing for legally binding agreements where an overseas recipient conducts data processing on behalf of a personal information processor. Furthermore, the practice guidelines provide organisational measures, rules for cross-border processing, and requirements for conducting a Data Protection Impact Assessment ('DPIA'), among other things.

You can read TC260 press release here and the practice guidelines here, both only available in Chinese.