China data security management certification myths dispelled

A question that many organisations whose business operations rely heavily on personal data processing may pose: How do we prove to end customers and potential business partners that we are compliant with the applicable data protection law? Is there a benchmark like the ISO certification that we can or should obtain? In the EU, a GDPR certification mechanism was introduced but it remains to be implemented at national level. Last week, China took a step toward its own certification regime for data security management. We consider below whether it might be the answer to these questions for China’s tech and other business operators.

The State Administration for Market Supervision and the Cyberspace Administration of China (CAC) jointly announced, on 5 June 2022, the launch of a Data Security Management Certification Scheme (Certification), together with the Data Security Management Certification Implementation Rules (Certification Rules). Official statements encouraged network operators to strengthen network data security protection and regulation by obtaining a Certification.

Who can or should apply for a Certification

Network operators can apply for a Certification under the Certification Rules. The term “network operators” is defined as owners and administrators of networks and network service providers and, for the purpose of the Certification, “network” refers to open and public networks.

Essentially, any business that is an operator of an open and public network in mainland China can apply for the Certification based on its business need, since the Certification is only voluntary – albeit recommended.   

How to obtain a Certification? 

  • Certification process: The Certification process includes a technical verification and onsite review. Businesses that successfully pass these stages will receive a Certification, which will be valid for three years, subject to on-going supervision.
  • Legal basis: The Certification work will be assessed by an accreditation body engaged by the operator from a list of qualified firms. The assessment will be made against the standards in the Information Security Technology – Network Data Processing Security Requirements GB/T 41479, which was released in April this year and will take effect on 1 November 2022, and other relevant national standards (e.g. the Personal Information Security Specification).
  • Accreditation bodies: Accreditation bodies will be approved institutions such as the China Cybersecurity Review Technology and Certification Centre (CCRC), while it remains to be seen what other institutions will be qualified to assess operators for this Certification. 

CCRC has been tasked with increasing accreditation and review work. Empowered by the Cybersecurity Law which has been effective since mid-2017, the CCRC has been using national standards to conduct security certification reviews for certain special-purpose cybersecurity products, and is expected to be designated as a professional agency for the purposes of certifying cross-border handling of personal information under the Personal Information Protection Law (PIPL). As referenced in our previous post regarding the amended Cybersecurity Review Measures, the CCRC is also the body entrusted by CAC delegates to conduct the cybersecurity reviews that caused shocks across the global investment markets last summer. Those striving for a fair and efficient digital ecosystem in China will likely watch the extent of this influence in the hands of one body juxtaposed with the practicality of resourcing the CCRC’s multiple supervisory roles.

Does a Certification mean PIPL compliance?  

The simple answer is, unfortunately not.

First of all, it is important to understand that the Certification focuses on an organisation’s data security management and system, instead of whether all personal information processing activities are compliant with the PIPL and other applicable data privacy laws. The benefit of obtaining a Certification is similar to being certified under ISO standards (e.g. ISO/IEC 27001, or the new ISO/IEC 27701 on Privacy Information Management Systems). In essence, these are directed toward management systems, while legal compliance should cover all aspects of a business’s data life cycle.

Having said that, the advantages of applying for a Certification are still apparent for some businesses (although the scheme remains to be tested in practice), e.g. improving internal data management and procedures by following industry best practices, added value from demonstrating the measures taken to achieve better compliance, and perhaps a way of retaining trust from customers and business partners.

Interplay with other certification regimes

This is not the first data protection related certification in China – there are also other certification schemes in place or introduced by law, e.g. the Mobile Application Security Certification Scheme launched in March 2019, and the cross-border transfer certification introduced from 1 November 2021 as one of the data export mechanisms under the PIPL. For the latter, although implementation rules are still awaited, recent draft guidelines were released aiming to provide some practical guidance once finalised.

Is it worth obtaining a certification for your data governance in China? Different businesses could have different answers. All in all, data compliance is not a sprint, but a marathon requiring well-planned and long-term effort.