China’s Draft Certification Standards for Cross-Border Personal Information Transfer (Updated)
China has released a new set of standards for the certification of companies engaged in cross-border personal information processing. The standards act as a guide for agencies that certify companies for cross-border processing of personal information, in line with the requirements of China’s Personal Information Protection Law. We outline the contents of the standards and discuss the current requirements for companies in personal information certification.
UPDATE: On March 22, 2024, China’s cybersecurity regulator adopted new regulations to ease the compliance requirements for cross-border data transfer. The new regulations increase the thresholds of personal information volume that a company can handle before having to sign a standard contract with the overseas recipient of the personal information and stipulate scenarios in which a company may be exempted from undergoing a security review. The certification mechanism discussed in this article was subsequently amended to align with the new regulations.
UPDATE: On March 16, 2023, the National Information Security Standardization Technical Committee released and began soliciting public feedback on the Certification requirements for cross-border transmission of personal information, an official set of standards for the third-party certification of companies engaged in the cross-border transfer of personal information. The draft certification requirements are virtually identical to the Security Certification Specifications for Cross-Border Processing of Personal Information V2.0, which are described in this article, except for a few additional clarifications on the definitions. However, the draft certification requirements are subject to public feedback until May 15, 2023. As such, the contents of the security certification specifications described below may also be pending further changes. The following article has consolidated the information from both documents.
On December 16, 2022, the National Information Security Standardization Technical Committee (NISSTC) released the Cybersecurity Standards Practical Guide – Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (the “Security Certification Specifications”). The Security Certification Specifications outline the basic principles and personal information (PI) protection standards for companies and overseas recipients of PI in the cross-border processing of PI, as well as the protection of the rights and interests of the PI subjects.
On March 16, 2023, the NISSTC re-released the Security Certification Specifications as an official set of standards, called the Information security technology-Certification requirements for cross-border transmission of personal information (the “draft certification requirements”), for public comment until May 15, 2023. This document is almost identical to the Security Certification Specifications, except for additional clarifications of certain definitions. These requirements were formulated with the input of various government agencies, educational and research institutes, and technology companies, and serve as a legal basis for certification agencies.
The Security Certification Specifications also provide a basis for certification agencies to carry out certification of PI processors’ cross-border processing activities and provide a reference for PI processors to regulate cross-border processing activities of PI.
For the purposes of this article, “PI processors” refers to companies, organizations, or individuals that process the PI of subjects in China.
Who needs to apply for certification?
Companies that carry out cross-border processing of PI must undergo certain procedures in order to do so legally. There are currently three different procedures that companies must go through depending on the circumstances of the PI processing: undergoing a security assessment by the Cybersecurity Administration of China (CAC), signing a contract with the overseas recipient, or receiving third-party certification.
The latter two methods are only applicable to companies that engage in the cross-border data transfer (CBDT) of a relatively small volume of PI – the “sensitive” PI of under 10,000 people or the general PI of between 100,000 and 1 million people in the current year. Companies that exceed these thresholds will be required to undergo a security assessment by the CAC.
The Security Certification Specifications outline the requirements for the third method – receiving third-party certification.
“Sensitive” PI is defined in the draft certification requirements as PI that, once leaked, illegally provided, or misused, may endanger the safety of an individual or their property, damage the individual’s personal reputation, physical or mental health, or lead to discriminatory treatment of the individual. This includes biometric data (such as fingerprints, iris recognition, facial recognition, and DNA), data pertaining to religious beliefs or specific identities, medical history, financial accounts, location and whereabouts, and any personal information of minors under the age of 14.
For multinational companies that engage in cross-border PI processing between their own subsidiaries or affiliated companies located in another country, the domestic party can apply for certification and assume legal responsibility on behalf of both parties. Overseas PI processors as defined in the Personal Information Protection Law (the PIPL) are also permitted to apply for certification through their specialized agencies or designated representatives set up in China, which can also assume legal responsibilities on their behalf.
Article 3 of the PIPL stipulates that the law also applies to PI processors outside of China that process the PI of people in China, under any of the following circumstances:
- To provide products or services to people in China;
- To analyze and evaluate the behavior of people in China;
- Other circumstances stipulated by laws and administrative regulations.
What counts as cross-border PI processing?
Currently, there is no specific definition for cross-border processing of PI, which is sometimes called the “cross-border provision” of PI, in either the Security Certification Specifications or any other laws or regulations. However, it is generally understood that it refers to the transmission of the PI that has been collected from an individual in China to a territory outside of China.
In addition to the physical transfer of PI overseas, our IT experts have also noted that if an overseas employee (whether they are within the same company or in a partner or affiliate company) remotely accesses the PI of an individual located in China, then this activity will also constitute cross-border processing, even if the PI is not actively exported to a location outside of China. For this reason, companies will have to follow all of the applicable requirements outlined in the Security Certification Specifications and other relevant laws and regulations if their overseas employees need to access PI stored in China.
PI protection requirements
The Security Certification Specifications outline the basic principles that PI processors and the overseas recipient should adhere to when engaging in cross-border PI processing.
These basic principles are based on the requirements stipulated in China’s existing PI protection framework, most significantly the PIPL. They cover, among other things, the obligations of the companies involved to comply with relevant laws and regulations, to keep the PI subjects informed of the activity, and to ensure the security of the PI.
Below we have summarized the basic principles for protecting the security of PI and the rights and interests of PI subjects.
Basic Principles of Cross-Border PI Processing for PI Processors and Overseas Recipients
- Principles of lawfulness, propriety, necessity, and good faith
- Principles of openness and transparency
- Principle of equal protection
- Principle of clear responsibility
- Principle of voluntary certification
Legally binding documents
Under the Security Certification Specifications, PI processors and their overseas recipients are required to sign legally binding and enforceable documents to ensure the protection of the rights and interests of PI subjects. At the very least, these documents should specify the following:
- The basic information of the PI processors and overseas recipients, including but not limited to name, address, contact name, contact information, and so on;
- Information on the cross-border PI processing activity, including but not limited to the purpose for the processing, the scope of PI and processing activity, the type, sensitivity level, and quantity of the PI being processed, the method for processing the PI, and the PI’s retention period and storage location;
- The responsibilities and obligations of PI processors and overseas recipients to protect PI, as well as the technical and management measures taken to prevent possible security risks caused by cross-border processing of PI;
- The rights of PI subjects and the methods for them to protect their rights;
- Clauses on remedy, contract termination, liability for breach of contract, dispute resolution, and more;
- A promise by the overseas recipient to abide by the same cross-border PI processing rules, and assurance that the level of PI protection is not lower than that of the standards stipulated in China’s relevant laws and administrative regulations;
- Acceptance by the overseas recipient of continuous supervision over the cross-border PI processing by the certification body;
- Promises by the overseas recipient to accept the jurisdiction of China’s relevant laws and administrative regulations on PI protection;
- Specification of the organization that assumes the legal responsibility within China, and its promise to fulfill the obligations to protect PI;
- A statement that both the PI processor and the overseas recipient bear civil legal liability for violations of PI rights and interests, and clear agreement on the civil legal liability of each party;
- Obligations stipulated in other laws and administrative regulations.
Appointing a person in charge of PI protection
According to the Security Certification Specifications, both the PI processor and the overseas recipient engaged in cross-border PI processing are required to appoint a person to be in charge of PI protection. This person must have professional knowledge of PI protection and relevant management work experience and should hold a decision-making position within the organization.
The person in charge of PI protection is required to undertake the following responsibilities:
- Clarifying the main objectives, basic requirements, tasks, and protection measures of the PI protection work;
- Ensuring adequate human resources and financial and material support for the organization’s PI protection work, and ensuring the availability of required resources;
- Guiding and supporting relevant personnel in carrying out the organization’s PI protection work to ensure that the work achieves the intended goals; and
- Reporting the PI protection work situation to the main person in charge of the organization, and promoting the constant improvement of the PI protection work.
Setting up a PI protection agency
PI processors and overseas recipients who carry out cross-border PI processing activities are required to set up PI protection agencies to perform the relevant obligations and carry out work such as preventing unauthorized access to PI, as well as leaks, tampering, and loss of PI. Specifically, the agency is required to undertake the following responsibilities for cross-border PI processing activities:
- Formulating and implementing a plan for cross-border PI processing in compliance with relevant laws;
- Organizing a PI protection impact assessment;
- Supervising the organization’s cross-border PI processing in accordance with the agreed rules and protecting the rights and interests of PI subjects;
- Taking effective measures to ensure that cross-border PI is processed in accordance with the purpose, scope, and method of the PI processing that has been agreed upon, fulfilling PI protection obligations, and ensuring the security of the PI;
- Regularly reviewing the organization’s compliance with relevant laws and administrative regulations when processing PI, and conducting compliance audits;
- Accepting and handling requests and complaints from PI subjects;
- Accepting the continuous supervision of certification bodies on cross-border processing of PI, including answering inquiries, cooperating with inspections, and other liaising activities.
Mutual agreement upon the rules of PI processing
PI processors and overseas recipients must agree upon and jointly abide by the same set of rules for cross-border PI processing. At the very least, the rules should include the following clarifications:
- The basic situation of cross-border processing of PI, including the amount and scope of PI that will be processed, the type and sensitivity level of the PI being processed, and so on;
- The purpose of processing the PI and the method for and scope of the cross-border processing of PI;
- The duration that the PI will be stored overseas, including a start and end date, and details on how the PI will be processed after this duration has ended;
- The countries or regions to which the PI will be transferred for cross-border processing;
- The resources and measures needed to protect the rights and interests of PI subjects; and
- The rules on compensation for and handling of PI security incidents.
PI protection impact assessment
PI processors are required to conduct a personal information protection impact assessment (PIPIA) for activities that have the intention of providing PI overseas and compile a PIPIA report. This report should be kept for at least three years.
The PIPIA report should at the very least contain the following information:
- The legality, legitimacy, and necessity of the purpose for the cross-border PI processing, the scope of and method for processing the PI;
- The scale, scope, type, and sensitivity level of the PI being processed, the frequency of cross-border PI processing activity, and the risks that this activity may pose to the rights and interests of the PI subjects;
- The responsibilities and obligations promised by the overseas recipient, and whether their management, technical measures, and capabilities are sufficient to fulfill their responsibilities and obligations to guarantee the security of the cross-border PI processing activity;
- Risks of leakage, damage, tampering, abuse, and other violations or breaches during the cross-border processing of PI and whether there are unobstructed channels for individuals to protect their rights and interests;
- The impact that the PI protection policies and regulations in the country or region where the overseas recipient is located may have on their ability to fulfill their obligations to protect the PI and the rights and interests of the PI subjects. This may include (but is not limited to):
  - The overseas recipient’s previous similar experience in cross-border transmission and processing of PI, whether any data security-related incidents have occurred under their authority, whether these incidents have been dealt with in a timely and effective manner, and whether they have ever received a request from a public authority in the country or region where they are located to provide PI, and how they responded to this request;
  - The current laws and regulations on PI protection in the country or region in which the overseas recipient is located, the generally applicable standards, and the differences between these and the relevant laws, regulations, and standards on PI protection in China;
  - Any regional or global PI protection organizations that the country or region in which the overseas recipient is located has joined and the binding international commitments it has made; and
  - The mechanisms for PI protection that the country or region in which the overseas recipient is located has implemented, such as whether there are supervisory and law enforcement agencies and relevant judicial agencies for PI protection.
- Other matters that may affect the security of the cross-border PI processing activity.
The rights of the PI subjects
The Security Certification Specifications require PI processors and overseas recipients of PI to recognize the rights of the individual (the PI subject) with regard to the cross-border processing of their PI. They also require them to provide the conditions and mechanisms for the PI subjects to exercise their rights.
These rights are in line with the articles of Chapter IV of the PIPL on “the rights of individuals in the processing of personal information”. They are as follows:
- The PI subject must be a third-party beneficiary in a legally binding document signed by the PI processor and the overseas recipient, and has the right to require the PI processor and the overseas recipient to provide a copy of the part of the legal text that involves their rights and interests, and assert their rights to the PI processors and overseas recipients;
- The PI subject has the right to know, decide, limit, or refuse others to process their PI, as well as the right to consult, copy, correct, supplement, delete their PI and the right to withdraw consent to the cross-border processing of their PI;
- When the PI subject exercises the above rights, the PI subject may request the PI processor to take appropriate measures to give effect to them, or directly submit a request to the overseas recipient. If the PI processor cannot give effect to them, it should notify and ask the overseas recipient to assist in doing so. PI subjects have the right to request PI processors and overseas recipients to explain their rules for the cross-border processing of PI;
- The PI subject has the right to reject any decision to engage in cross-border processing of their PI made by the PI processor through an automated decision-making process;
- The PI subject has the right to complain and report any illegal cross-border PI processing to the department responsible for protecting PI in China;
- When a PI subject’s rights and interests are violated, they have the right to claim compensation from either the PI processor or the overseas recipient;
- PI subjects have the right to file judicial proceedings with a competent court against PI processors and overseas recipients who carry out cross-border PI processing activities in accordance with the Civil Procedure Law of the People’s Republic of China; and
- Other rights stipulated by laws and administrative regulations.
The impact of the Security Certification Specifications on businesses
The majority of the requirements and information outlined in the Security Certification Specifications are based upon existing requirements stipulated in previous laws and regulations. Most businesses that have been building up their PI and data compliance capabilities in China will therefore be familiar with many of these obligations.
However, the specifications do provide a useful framework for companies when it comes to the specific obligations that they have when engaged in the cross-border processing of PI, as opposed to other PI and data protection obligations (such as the processing of PI within China), as well as the responsibilities of all of their overseas partners. They also provide concrete guidelines for certification agencies and other stakeholders, helping to ensure that all parties are on the same page with regard to their respective obligations.
At the same time, China’s cybersecurity and market standards authorities have not yet released a list of the certification agencies that are authorized to carry out certification procedures, nor have they issued specific guidelines for how the certification agencies are required to carry out the certification. More clarity is required on how the agencies will carry out the certification procedures to ensure that both the agencies and the target companies are compliant with all of the regulations.
China’s PI and data security regulations are relatively complex and are developing very quickly. This is particularly true for the cross-border transfer and processing of data, which is a considerable headache for foreign companies and multinationals in China. For assistance with data and PI processing compliance, contact our China-based IT experts at China@dezshira.com.
This article was originally published on January 9, 2023 and was last updated on March 28, 2023 to reflect the latest changes.
About Us
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.