
China: Specification for the Certification of Cross-Border Processing of Personal Information

On 26 June 2022, the National Information Security Standardization Technical Committee of China promulgated its guidelines on the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information ('the Specification'). The Specification provides implementation rules for one of the methods of lawfully conducting cross-border data processing activities, i.e. third party certification. The Specification contains the applicable scenarios, ways to obtain certification, basic principles, basic requirements, and special requirements for securing data subjects' rights. Ziqing Zheng, Partner at Zhong Lun Law Firm, discusses the Specification and its content.


Nature and role

The Specification is a recommended standard rather than a compulsory one and thus requirements thereunder do not constitute statutory obligations for data controllers or processors. Article 3 of the Specification also sets forth the voluntary certification as one of the basic principles in relation to becoming certified.

Article 38 of the Personal Information Protection Law ('PIPL') provides five ways for legally processing personal information across borders, as detailed in the table below. Becoming certified is one of them. The Specification aims at providing guidelines on becoming certified, both for certification institutions and for the data controllers/processors that may be involved in the process.

| Ways | Authority | Implementation rules |
| --- | --- | --- |
| Passing the security assessment in accordance with Article 40 of the PIPL. | Cyberspace Administration of China ('CAC') or its local counterparts. | Mandatory for significant data controllers/processors, in draft form. |
| Obtaining certification. | Certification institutions approved by the CAC. | Voluntary. |
| Concluding a contract stipulating both parties' rights and obligations with the overseas recipient in accordance with the standard contract formulated by the CAC. | Data controllers/processors, under the supervision of the CAC. | Pending, likely voluntary. |
| Passing the security assessment required by industry regulators. | Industry regulators. | Mandatory for the relevant industries, such as intelligent connected vehicles, healthcare, and finance. |
| International treaties, if any. | Relevant authorities. | None. |

Applying for certification

Article 1 of the Specification provides two circumstances where data controllers/processors may apply for certification:

  • Personal information processing conducted by data processors belonging to the same multinational company or single economic or business entity. In practice, this scenario applies when a foreign parent company intends to process personal information collected by its Chinese subsidiary ('the Single Entity Scenario').
  • Personal information processing conducted by data controllers/processors outside China in accordance with paragraph 2, Article 3 of PIPL, which provides the following circumstances:
    • for the purpose of providing products or services for natural persons located within China;
    • analysing or evaluating the behaviour of natural persons located within China; or
    • any other circumstance as provided by any law or administrative regulation ('the PIPL Article 3 Scenario').

Responsible party

| Scenario | Applicant | Party responsible for legal consequences |
| --- | --- | --- |
| Single Entity Scenario | Data controller/processor located within China. | Domestic or foreign data controllers/processors involved. |
| PIPL Article 3 Scenario | Established or designated representative located within China. | Representative, and domestic or foreign data controllers/processors involved. |

Although the Specification does not clearly identify the party responsible for the legal consequences of data breach incidents or disputes, based on Article 2, Article 3e, and Article 4.1g of the Specification, we understand that the Specification provides a liability scheme comparable to Article 13(3) of the draft Measures on Security Assessment of Personal Information Export promulgated by the CAC on 13 June 2019. Namely, domestic and foreign data controllers/processors may incur joint and several liability for any damages to the rights and interests of data subjects. In the event of such damages, the data subject could, for convenience, claim compensation from the domestic data controller/processor, which could in turn claim from the foreign data controller/processor.

Factors to be evaluated

The Specification outlines the basic principles, requirements, and data subject rights as factors to be considered before issuing the certification.

Basic principles

  • lawfulness, legitimacy, necessity, and integrity;
  • publicity and transparency;
  • accuracy and integrity of the personal information processed;
  • same level of protection;
  • accountability; and
  • voluntary certification.

Basic requirements

  • executing binding and enforceable instruments to ensure data subject rights, including the types and scope of personal information, warranties on compliance, warranties of being subject to the supervision of certifying institutions and designated organisations, and taking legal responsibility;
  • designating a responsible person (e.g. a data protection officer) and establishing an organisation in charge of personal information protection;
  • complying with uniform rules on how to process personal information across borders, including but not limited to retention periods, data security measures, and emergency plans; and
  • conducting prior Data Protection Impact Assessments.

Data subject rights

  • how data subjects' rights can be guaranteed, including:
    • the data subject being the beneficiary party of a relevant legal instrument and entitled to request a copy of the relevant sections regarding its rights;
    • the right to know, decide, restrict, and/or refuse its personal information to be processed by a certain data processor;
    • the right to review, copy, correct, supplement, and delete its personal information;
    • the right to request explanations on relevant processing rules;
    • the right to refuse automatic decision as the only available decision-making mechanism;
    • the right to complain and report to competent PRC authorities; and
    • the right to sue at the venue of its residence.
  • how a participating data controller/processor's responsibility can be fulfilled, including:
    • notifying the data subject of the identity of the data processors and obtaining the data subject's separate consent;
    • complying with the executed legal instruments;
    • providing ways for the data subject to exercise its rights to check, copy, correct, supplement, or delete its personal information;
    • terminating processing activities in the event of uncertainty, so as to ensure the security of personal information;
    • taking measures in the event of potential or actual personal information security incidents and notifying competent authorities as well as data subjects;
    • providing, at the data subject's request, a copy of the relevant sections of the legal instrument;
    • cooperating and complying with inspections and other enforcements by the certifying institution; and
    • complying with relevant laws and regulations and being subject to the jurisdiction of PRC courts.


In comparison with the broad language of Article 38 of the PIPL, the Specification demonstrates a more detailed scheme for certification while still leaving some points to be clarified, such as the timeframe, procedures, and effective term for certification, as well as the competent institution to grant and supervise the certification. We expect future development of more implementation rules.

Ziqing Zheng, Partner
Zhong Lun Law Firm, Beijing