China: TC260 requests comments on certification requirements for cross-border data transfers
The National Information Security Standardisation Technical Committee ('TC260') requested, on 16 March 2023, public comments on the draft National Standard 'Certification Requirements for Cross-Border Transmission of Information Security Technology and Personal Information'. In particular, the draft Standard stipulates the basic principles and requirements for personal information processors conducting cross-border data transfers and the requirements for protecting the rights and interests of personal information subjects.
More specifically, the draft Standard outlines principles, including, among others, legality, necessity and good faith, openness and transparency, and information quality assurance. The draft Standard also provides the principle of equal protection, such that overseas recipients should take necessary measures to ensure that cross-border data transfers meet the requirements stipulated in the Personal Information Protection Law of the People's Republic of China ('PIPL'). Likewise, the draft Standard outlines that personal information processors and overseas recipients should clarify the responsibilities of each party and, when conducting cross-border data transfers, designate one or more parties in China, or institutions set up by overseas recipients in China, to deal with overseas recipients. Further, the draft Standard encourages voluntary certification for personal information processors who carry out cross-border data transfers.
In addition, the draft Standard notes that personal information processors and overseas recipients should sign legally enforceable contracts, documenting, among other things, basic information on each party, the purpose, scope, the retention period of the cross-border transfer, the responsibilities of each party, and the rights of data subjects.
Notably, the draft Standard also specifies that personal information processors who carry out cross-border transfers should set up personal information protection agencies to perform information protection obligations. Furthermore, the draft Standard details that the actions of such agencies would include the performance of privacy impact assessments, a review of organisations' compliance with Chinese data protection laws and regulations, and the handling of requests and complaints from data subjects.
Public comments may be submitted to [email protected] until 15 May 2023.
The announcement and the draft Standard are both only available in Chinese.