China: Specification for the Certification of Cross-Border Processing of Personal Information
On 26 June 2022, the National Information Security Standardization Technical Committee of China promulgated its guidelines on the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information ('the Specification'). The Specification provides implementation rules for one of the methods of lawfully conducting cross-border data processing activities, i.e. third party certification. The Specification contains the applicable scenarios, ways to obtain certification, basic principles, basic requirements, and special requirements for securing data subjects' rights. Ziqing Zheng, Partner at Zhong Lun Law Firm, discusses the Specification and its content.
Nature and role
The Specification is a recommended standard rather than a compulsory one, so the requirements under it do not constitute statutory obligations for data controllers or processors. Article 3 of the Specification also lists voluntary certification as one of the basic principles governing how an entity becomes certified.
Article 38 of the Personal Information Protection Law ('PIPL') provides five ways for legally processing personal information across borders, as set out below. Becoming certified is one way to go. The Specification aims at providing guidelines on becoming certified, for institutions and data controllers/processors which may be involved in such process.
1. Passing the security assessment in accordance with Article 40 of the PIPL. Conducted by: the Cyberspace Administration of China ('CAC') or its local counterparts. Status: mandatory for significant data controllers/processors; rules in draft form.
2. Becoming certified. Conducted by: certification institutions approved by the CAC.
3. Concluding a contract stipulating both parties' rights and obligations with the overseas recipient in accordance with the standard contract formulated by the CAC. Conducted by: data controllers/processors, under the supervision of the CAC. Status: pending, likely voluntary.
4. Passing the security assessment required by industry regulators. Status: mandatory for the relevant industries, such as intelligent connected vehicles, healthcare, and finance.
5. International treaties, if any.
Applying for certification
Article 1 of the Specification provides two circumstances where data controllers/processors may apply for certification:
- Personal information processing conducted by data processors belonging to the same multinational company or single economic or business entity. In practice, this scenario applies when a foreign parent company intends to process personal information collected by its Chinese subsidiary ('the Single Entity Scenario').
- Personal information processing conducted by data controllers/processors outside China in accordance with paragraph 2, Article 3 of the PIPL, which covers the following circumstances:
- for the purpose of providing products or services for natural persons located within China;
- analysing or evaluating the behaviour of natural persons located within China; or
- any other circumstance as provided by any law or administrative regulation ('the PIPL Article 3 Scenario').
Party responsible for legal consequences
- Single Entity Scenario. Party responsible for legal consequences: the data controller/processor located within China. Parties involved: the domestic or foreign data controllers/processors involved.
- PIPL Article 3 Scenario. Party responsible for legal consequences: the established or designated representative located within China. Parties involved: the representative, and the domestic or foreign data controllers/processors involved.
Although the Specification does not expressly identify the party responsible for the legal consequences of data breach incidents or disputes, based on Article 2, Article 3e, and Article 4.1g of the Specification, we understand that it provides a liability scheme comparable to Article 13(3) of the draft Measures on Security Assessment of Personal Information Export promulgated by the CAC on 13 June 2019. Namely, domestic and foreign data controllers/processors may incur joint and several liability for any damage to the rights and interests of data subjects. In the event of such damage, the data subject could, for convenience, claim compensation from the domestic data controller/processor, and the claim could later also be pursued against the foreign data controller/processor.
Factors to be evaluated
The Specification outlines the basic principles, requirements, and data subject rights as factors to be considered before issuing the certification.
Data subject rights
In comparison with the broad language of Article 38 of the PIPL, the Specification sets out a more detailed certification scheme, while still leaving some points to be clarified, such as the timeframe, procedures, and term of validity of a certification, as well as the competent institution to grant and supervise it. We expect further implementation rules to follow.
Ziqing Zheng Partner
Zhong Lun Law Firm, Beijing