Even before cinemas in Shanghai seek to reopen from lockdown next week, the stars of a metaphorical string of summer blockbusters in China’s own cyber and data trilogy have been pretty busy – first the internet authorities issued a draft national standard for internet platform privacy policies and next launched a data security management certification regime. Then, on 24 June, the National Information Security Standardisation Technical Committee of China (TC260) released the final version of the Cybersecurity Standards Practice Guide - Technical Specifications for the Security Certification of Personal Information Cross-Border Processing (Certification Specification).

The new certification system is integral to one of the three transfer mechanisms prescribed under China’s Personal Information Protection Law, and many observers compare it with the Binding Corporate Rules (BCRs) under the EU’s General Data Protection Regulation (GDPR): data protection policies regulating EU-based companies’ exports of personal data from the EU within a group of enterprises or other undertakings.

This statement is correct in the sense that the two systems enable an international group to transfer personal information among affiliates in an integrated fashion – and as long as the transfer follows a set of data protection rules approved by data protection authorities (in the EU) or certified by professional institutions (in China), there is no need to have each data sender and each data recipient enter into agreements for specific data cross-border processing scenarios. However, the BCRs have been in place since the 1995 EU Data Protection Directive, so it is a little premature to assess whether China’s certification system will function similarly in practice. For example, a key difference between the certification system and the BCRs would seem to be that the former can apply to a foreign enterprise’s processing of a PRC individual’s personal information from outside of mainland China without it first receiving that information from a domestic sender.

Educational, reference materials – As part of the “Cybersecurity Standards Practice Guide”, the Certification Specification aims to “promote standards and knowledge about cybersecurity” and “provide standardised practice guidance” to certification institutions and personal information processors. The Certification Specification is therefore NOT a national standard and did not go through the complicated procedures that are required for a national standard to be finalised and released by the Standardisation Administration of China. So, what is the aim of the Certification Specification? The Certification Specification is for education and reference only, with no recommendatory legal effect, let alone being mandatory.

We understand from an insider that the TC260 proposed the Certification Specification as a national standard earlier this year, but the quota for approving these authoritative guidelines went to more mature and urgent projects. We expect there could be a new national standard regarding the same topic in 2023, which would kick off more formal implementation of security certification practices. One potential certification institution that we have talked to shares the same understanding and is gearing up operations on that basis.

Pending upper-level legislation – Between the mandatory Personal Information Protection Law (PIPL) and low-level, standard-related technical documents like the Certification Specification, there are important rules still pending. The Network Data Security Management Regulations are a key set of administrative regulations to be slotted into this hierarchy of rules once finalised by China’s State Council.

Why would this affect the certification system? The whole of Chapter V of these regulations discusses the security management of cross-border data transfers, giving more substance to the principles set out in the PIPL. Though not impossible, it would seem difficult to establish a cross-border processing certification regime before this key upper-level rule is finalised.

In particular, under the PIPL, personal information cross-border transfers exceeding certain thresholds are subject to a government-led security assessment. Such thresholds are contemplated in the draft Measures for the Security Assessment of Outbound Data, which were released by the Cyberspace Administration of China (CAC) in October 2021 for public consultation but have not yet been finalised. Industry players would hesitate to take the certification approach for data cross-border transfers if they do not know whether their transfers are subject to the government-led security assessment, which will then effectively render the certification process redundant.

Pending Chinese SCCs – As we have discussed before, entering into the standard form contract to be released by the CAC is anticipated to be the most business-friendly method to transfer personal information out of China. Data protection professionals often call this standard contract the “Chinese SCCs” (or Standard Contractual Clauses) as the Chinese drafters are understood to be heavily influenced by the SCCs deployed under the GDPR, such that the forthcoming template should have many of the same functions.

Although yet to be publicly released, we understand from our industry contacts that the Chinese SCCs will themselves take the form of a national standard, meaning businesses will be expected to have followed them although they will not be strictly mandatory.*

The Certification Specification also requires a “legally binding agreement” between the onshore personal information processor and the overseas recipient but, rather than a template contract, only prescribes certain minimum requirements that must be covered:

  • The purpose of the cross-border processing of personal information and the type and scope of personal information;
  • Measures to protect the rights and interests of personal information subjects;
  • Obligations on the overseas recipient to comply with the agreed rules for cross-border processing of personal information and ensure that protection levels are no less than the standards stipulated by the relevant Chinese laws and regulations, as well as to be subject to the supervision of the certification institution and to comply with the Chinese personal information protection regime more broadly.

Without further guidance from the Chinese authorities, businesses will struggle to formulate a “legally binding agreement” assured of achieving certification. Once the Chinese SCCs are released by the CAC, however, compliance teams can perhaps learn from these terms when drafting their own internal “legally binding agreement” for personal information cross-border processing.

Certification institutions – At least two professional institutions provided technical support in the drafting of the Certification Specification – the China Cybersecurity Review Technology and Certification Center and the China Electronics Standardisation Institute. However, this fact does not necessarily mean that these two institutions will be designated to conduct certifications. It seems more likely that the State Administration of Market Regulation (basically the same organisation as the Standardisation Administration of China) and the CAC (as the government’s principal supervisor of data protection) will release a list of authorised professional institutions to conduct these certifications. It remains to be seen who will be entrusted with this important and presumably profitable task.

All-in-all, it’s encouraging to see the rule-making progress regarding the personal information cross-border certification regime being given shape, but it remains too early to apply for certification. For now, China-based businesses should perhaps “let the bullets fly” for a while, and closely monitor developments on the various fronts – and of course follow our updates (as well as the latest movie releases)!

*Since publication of this article today, the Chinese SCCs have been released by the CAC for public consultation. Our team are reviewing and will provide our thoughts soon!