Under the Personal Information Protection Law (PIPL), there are three methods to transfer personal information from mainland China to overseas: passing a government-led security assessment, obtaining a personal information protection certification issued by a specialised institution, and concluding a standard contract with the overseas recipient.

The security assessment regime has been up and running since 1 September 2022, while the market expects the Chinese authorities to finalise the standard contract by the end of 2022. Now it seems the Chinese authorities are pushing forward the certification regime, though it may take some time to be fully operational.

Practice, practice, practice

On 8 November, the National Information Security Standardisation Technical Committee of China (TC260) released a draft version 2.0 of the Cybersecurity Standards Practice Guide - Technical Specifications for the Security Certification of Personal Information Cross-Border Processing (Draft V2.0) seeking public opinion.

Back in June this year, we discussed V1.0 of the same practice guide (V1.0) and made reference to the Binding Corporate Rules (BCRs) under the EU’s General Data Protection Regulation (GDPR) due to their similarities. Through learnings gleaned from Europe and these iterations of the guide, a finished product is closer but the timetable for final publication is yet to be set.

What catches the eye?

Below are some observations on Draft V2.0:

  • Educational, reference nature remains – As we discussed in the June article, a “practice guide” is NOT a national standard, and it only aims to “promote standards and knowledge about cybersecurity” and “provide standardised practice guidance” to certification institutions and personal information processors. Draft V2.0 is of the same nature as V1.0, so many have speculated whether, once finalised, Draft V2.0 could underpin a fully-functional certification regime. It is worth mentioning that the national standard on the certification requirements for cross-border transfer of personal information has just been included in TC260’s official to-draft list for 2022. Normally, it would take more than 12 months to formulate a new national standard like this.
  • Scope of application expanded – One key change in Draft V2.0 is that it expands the scope of application to any “cross-border processing of personal information”, dropping the V1.0 “affiliate” requirement. Under V1.0, the China subsidiary of a multinational company could only utilise the certification regime for data transfer to its overseas parent company or other affiliates. Some market commentators believe that Draft V2.0 allows a company registered in China to utilise the certification regime for data transfers to its overseas suppliers or customers. That is clearly good news for businesses. With this expanded application scope, comparisons can also be made with the transfer certification mechanism between the EU and China – a similar transfer tool set out under Art. 46(2)(f) of GDPR, which remains to be implemented in the EU. That said, a key difference between the Chinese regime and the EU regime is that a transfer certification will be granted to a data exporter applicant in the former while to a data importer in the latter scenario.
  • Additional requirements on applicants – Draft V2.0 requires an applicant for certification to “acquire legal personality, operate in a normal manner, and have good reputation and good will.” The requirement suggests that branches or representative offices will not be able to submit a certification application for lack of legal personality. We understand “operate in a normal manner” should be straightforward and basically equates to “good standing”. The remaining “good reputation and good will” are a bit subjective, and it is not clear if the Chinese authorities would set specific standards for an applicant.
  • Consistent requirements for a legally binding agreement – Draft V2.0 supplemented the requirements for a legally binding agreement under a certification regime, in light of the draft standard contract and Data Export Security Assessment Measures. Businesses would be happy to see the co-ordination among these three cross-border data transfer mechanisms in terms of what should be agreed between a data transferor and a data recipient. This could then allow greater flexibility to move between different data export methods as an enterprise grows and adjusts its operational model.
  • New obligations on businesses – V1.0 already stated that both the personal information processor and the overseas recipient should respectively establish personal information protection agencies, e.g. a data protection department. Newly introduced under Draft V2.0 are the requirements to (a) conduct regular compliance audits regarding personal information protection; and (b) accept the supervision of, and co-operate with, the certification institution, e.g. responding to its queries and facilitating its inspections.
  • Enhanced data subject rights – Draft V2.0 also supplements the provisions regarding data subject rights, but the changes seem to elaborate what already appears in upper-level laws like PIPL. Draft V2.0 does, however, emphasise that, in the event of damage to the data subject's personal information interests, the data subject can claim compensation from either the onshore sender or the foreign recipient. Multinational companies may consider restructuring data flows and/or governance policies given their general preference to keep all potential lawsuits at the local level and not expose head offices to disputes.
  • Continuous obligations – The Chinese authorities would understandably like to impose certain continuous obligations on the parties to ensure what has been certified by the certification institutions remains accurate and valid. Draft V2.0 supplements the following obligations of personal information processors and the overseas recipients:
    • An overseas recipient must promptly notify the personal information processor and the certification institution of any changes to the legal environment of the recipient;
    • Parties must objectively record the cross-border personal information processing activities and maintain these records for at least three years;
    • Each party must notify and report a data breach to its counterparties, data subjects, or government authorities, when required; and
    • Each party must also bear the burden to prove it has satisfied its obligations under the regime.

Certification rules

To finish, the Chinese cyberspace regulator – the Cyberspace Administration of China – and the State Administration for Market Regulation jointly issued other certification rules on personal information protection on 4 November. These certification rules prescribe the framework for the assessment of international transfer activities under the finalised provisions of Draft V2.0.

The certification scheme provides a balanced approach among the three transfer methods in terms of efficiency and cost. As Draft V2.0 may be finalised and take effect in the next few months, businesses with data export needs may wish to monitor its development closely, especially multinational companies that have a considerable China presence but are not yet big enough to trigger the mandatory security assessment regime.