The National Information Security Standardisation Technical Committee of China is currently reviewing industry’s comments on the committee’s consultation draft of the Information Security Technology – Certification Requirements for Cross-border Transmission of Personal Information (Draft Standard). Released for comment in mid-March, the Draft Standard, once finalised, will replace version 2.0 of the Cybersecurity Standard Practice Guide – Security Certification Specifications for Cross-border Processing of Personal Information (Practice Guide 2.0).

Don’t judge a (rule)book by its cover

It is fair to say that neither document bears an overly catchy name. However, they do serve as important rulebooks for China’s data export certification regime – one of the three mechanisms currently prescribed under the Personal Information Protection Law (PIPL). For details on the different methods to transfer personal information out of mainland China, see our previous summary here.

We have received numerous enquiries on the certification regime lately, so we thought it worth summarising some of the key points evident in its latest iteration. More information about how the certification system would work can be found here and here.

Much of a muchness 

Stop press: unfortunately, there is not too much innovation to sing about regarding the Draft Standard.

In short, it retains the substantive terms from the main body of Practice Guide 2.0 – i.e. Chapter 4 - Basic Principles, Chapter 5 - Basic Requirements, and Chapter 6 - Protection of Interests of the Personal Information Subject – with only minor edits. Importantly, this means that:

  • a legally binding agreement is still needed between the data exporter and overseas importer. From a logistics perspective, therefore, the certification mechanism will not allow multinationals or their technology and other service providers to avoid re-papering existing arrangements – one of the more burdensome consequences of running an international data management programme.
  • there is no express clarification that offshore controllers caught by the extraterritorial application of the PIPL must follow the certification mechanism to ensure compliance with the PIPL (despite previous market chatter to that effect). Interestingly, the Draft Standard omits the statement in Chapter 2 of Practice Guide 2.0 that an offshore entity can adopt the certification regime for data exports from China. However, when we consulted the China Cybersecurity Review Technology and Certification Centre (CCRC) on the implications of this, we were informed that this change does not affect the rules’ scope of application.

The certification in practice

Until now, the China Cybersecurity Review Technology and Certification Centre (CCRC) has been the only designated certification institution for the certification regime. To make up for the lack of news in the notes above, we would like to share the following take-aways from our recent discussions with CCRC staff, as these do provide some helpful insights into the new regime:

  • CCRC is processing a fair number of applications, even if no certification has yet been completed. Applicants include both domestic- and foreign-invested enterprises (all registered in mainland China). The nature of the enterprises which see the certification regime as suitable for them was not disclosed, though.
  • Regardless of whether offshore entities subject to the extraterritorial application of the PIPL can adopt the regulator-led security assessment or China standard contract to complete cross-border transfers, the CCRC confirmed that the certification regime is available to these enterprises, provided that each offshore entity has already designated a representative (an entity or an individual) in China in compliance with the PIPL. Notably, the CCRC has not received such an application so far.  
  • The certification review process includes an onsite testing stage, which the CCRC admits may pose a challenge to overseas applicants that do not collect personal information via their local representatives. This is because the CCRC may not be able to certify an offshore entity outside of the jurisdiction. Yet, moving IT infrastructure onshore for this reason alone is unlikely to suit most multinationals.
  • The certification process will likely be time-consuming. The CCRC asserts that it takes up to 110 working days to complete its review after officially accepting an application – the exact timeline being determined by the complexity of the certification review and the workload of the CCRC at the time.

Contractual alternative 

Some market commentators believe that the standard contract approach to data exports would not work for offshore entities that are subject to PIPL. The reason is that there is no data exporter in China with business substance to sign the standard contract and bear responsibility for the security of the personal information transferred.

Of course, if such an interpretation is true, businesses adopting an offshore model to serve Chinese customers must study the certification regime carefully, as it would be the only viable approach for data exports that are not subject to the Cyberspace Administration of China’s (CAC) mandatory security assessment. We have not received responses from the CAC on such comments, but will keep monitoring for more feedback. However, the long-awaited guidance on the standard contract will be released in the next few days and will clear up a lot of open issues!

Please reach out to us if you have any questions. Stay tuned for any further updates as we see them!