At the end of January, the China Cybersecurity Review Technology and Certification Center (or CCRC) released a webpage on personal information protection certification along with an online application portal. This marks the start of operation of the certification regime for data exports from mainland China.
For details on the different methods to transfer personal information from mainland China, please see here. For more information about how the certification system would work, please see here and here.
We would like to share the following information from our discussions with CCRC staff to-date:
- Currently, CCRC is the only designated institution that can handle personal information protection certification.
- CCRC has already received some certification applications and is reviewing them.
- The certification regime is not limited to companies within the same group. A company’s application can cover cross-border data transfer with its vendors if the company has a degree of control over the vendors' data processing activities.
- Applicants should apply online via the platform, but a telephone call to CCRC beforehand is required to register an account.
Please see below a flow chart for the certification for your reference. As we explained previously, the certification regime works for multi-national companies that have a considerable China presence but are not yet big enough to trigger the mandatory security assessment regime.
Please reach out to us if you have any questions. Stay tuned for any further updates as we see them!
(Thanks to our researcher Zhipei Wang for her support in preparing this article.)
Industry will be relieved that there is, hopefully, not an additional mechanism that could derail cross-border business activities.