China: TC260 releases draft Specification on Cross-Border Processing of Personal Information Certification
The National Information Security Standardisation Technical Committee of China ('TC260') released, on 29 April 2022, Practice Guidelines for Cybersecurity Standards – Technical Specification for the Certification of Cross-Border Processing of Personal Information and has requested public comments on the same. In particular, TC260 confirmed that the practice guidelines are based on the relevant policy and regulatory requirements in order to implement Article 38 of the Personal Information Protection Law ('PIPL'), providing for the basis of a certification system for cross-border processing activities and for regulating such activities. More specifically, the draft clarifies that the practice guide applies to the cross-border processing activities of personal information within a multinational company or the same economic or business entity, as well as activities of foreign personal information processors, as stipulated in Article 3(2) of the PIPL, in handling personal information of natural persons in the territory outside of China.
In this regard, the draft outlines basic requirements that the relevant parties should follow, including legal constraints, organisational measures, rules for cross-border processing, and requirements for conducting a Data Protection Impact Assessment ('DPIA') among other things.
In relation to responsibilities of interested parties, the draft stipulates that concerned parties must, among other things:
- inform the subject of personal information by email, instant messaging, letter, fax, etc. of the basic information on parties involved in cross-border processing, as well as information on the purpose, type, and duration of the information, and obtain the individual's consent;
- handle the cross-border provision of personal information in accordance with signed legally binding documents;
- provide personal information subjects with access to their personal information, and should they request access to, or to copy, correct, supplement, or delete their personal information, respond in a timely manner if the request is rejected, outlining the reasons and remedy methods;
- terminate the processing when it is difficult to ensure the security of cross-border personal information; and
- in regard to cross-border processing activities subject to security assessments conducted by a government organisation, make an application to the Cybersecurity Administration of China.
Public comments can be submitted via email to wangbz@cesi.cn until 13 May 2022.
You can read the TC260 press release here and the draft here, both only available in Chinese.