The National Information Security Standardisation Technical Committee of China (TC260) issued the final iteration of version 2.0 of the Cybersecurity Standards Practice Guide – Technical Specifications for the Security Certification of Personal Information Cross-Border Processing (V2.0) on 16 December 2022 (Final Form), a little over one month after its consultation draft on 8 November 2022 (Draft Form). With the formal release of V2.0, the rules for the data export certification regime are all now in place. The system will be operational, once the cyberspace authorities have confirmed the initial batch of certification institutions.

Compared with the Draft Form, there are not many substantial changes in the Final Form of V2.0. We have summarised the main changes below:

Scope of certification: To align with the Implementation Rules on Certification of Personal Information Protection released on 4 November (Implementation Rules), the certification in the Final Form is labelled as a “personal information protection certification”, instead of “certification on cross-border processing of personal information”. Note the full name of the V2.0 does not reflect such change - some market commentators suspect it was too complicated procedurally to change the name of the practice guide. The name change should remind businesses, though, that a personal information protection certification could be used more broadly when facing customers and other counterparties which will put value on general data compliance, and therefore could be considered as part of a marketing strategy.

Scope of application: The Final Form does not provide any clarity regarding the applicability of the certification regime to data exports made to non-affiliated organisations. The Draft Form, in comparison to version 1.0 of the practice guide, seemed to indicate that the certification regime might be applicable in cross-border data transfers between non-affiliated organisations. However, it remains to be seen in practice how widely the certification regime can be applied, considering the scope of application obviously being key to how many organisations will look to implement it as a data transfer solution.

Continuous supervision: The personal information processor and the overseas data recipient must accept continuous supervision from the certification institution. This adjustment in the Final Form echoes the requirement of continuous supervision in the Implementation Rules. Under the Implementation Rules, certification institutions should determine a reasonable frequency and approach for continuous supervision, and certification may be suspended or revoked for failure to pass supervision activities. Organisations observing V2.0 will need to build compliance monitoring into back-office functions, adding to the cost of implementation.

Legal responsibilities: The Draft Form provided that the personal information processor must bear liability if the allocation of liability was not otherwise clear. However, the Final Form mentions that the personal information processor and the overseas recipient must agree in the binding documentation that the allocation of liability is to be borne between them, respectively. This unsurprisingly aligns with the risk allocation principles set up to favour data subjects in a number of recently released rules (e.g. agreements between joint controllers under article 20 of the Personal Information Protection Law of China and the proposed requirements for China’s standard contract which ensure the data subject is protected).

While the Draft Form arguably left uncertainty as to the type of legal liability that the data exporter and importer might face, this is clarified in the Final Form as being civil liability in the key circumstances. For example, the binding documentation agreed by the parties should specify that both organisations will bear civil liability towards a data subject for personal information processing activities that jeopardise the individual’s rights.

Expansion of claim venues for data subjects: Under the Draft Form, an individual is entitled to file a claim with the court at the data subject’s place of domicile. On the other hand, in the Final Form this special rule is deleted, and individuals may bring claims against personal information processors or overseas data recipients at the courts prescribed as having jurisdiction under China’s Civil Procedural Law. Considering that V2.0 is non-binding, this adjustment to remove any special rules regarding the choice of venue for data subjects is understandable in terms of avoiding any conflicts with higher level rules. Once the changes are implemented, the Final Form should give a data subject more choice of courts to better protect their data rights (depending on whether tort or contract claims are brought).

What’s next?

In the past two months, we have seen several rules being released, such as the issuance of: the Draft Form V2.0; the Final Form V2.0; and the Implementation Rule, along with a new national standard on the certification requirements for the cross-border transfer of personal information being drafted by the TC260. This national standard will replace V2.0 with a more authoritative manual for businesses to adopt once it is released in the latter half of 2023.

The certification regime for cross-border transfer of personal information is gradually taking shape and we can expect that we are getting closer and closer to the final touches. Businesses with data export needs may wish to monitor these developments more closely from now. This regime may be a good fit for multinational companies that have a considerable China presence but whose data exports are not substantial enough to trigger the mandatory security assessment regime.

Stay tuned for any further updates as we see them!