Revised Specification for Certification of Cross-border Transfers of Personal Information Issued in China – Takeaways
The Secretariat of the National Information Security Standardisation Technical Committee (TC260) released a draft revision of the Technical Specification for Certification of Cross-Border Transfers of Personal Information (Certification Specification V2.0) on 8 November 2022, nearly five months after it issued the finalised specification of the same name (Certification Specification V1.0) (see our previous Legal Update on Certification Specification V1.0).
Background
Personal information processors (data controllers) who wish to transfer personal information outside of the People’s Republic of China (PRC) have to utilise one of three mechanisms provided under Article 38 of the Personal Information Protection Law (PIPL), known together as the Transfer Mechanisms.
One of the Transfer Mechanisms is a “personal information protection certification conducted by a specialised body” (Certification) as set out under Article 38(2) of the PIPL.
Certification Specification V1.0 was intended to set out provisions to implement the Certification. The other two Transfer Mechanisms are by way of a standard contract or a security assessment.
The Draft Provisions on Standard Contracts for the Export of Personal Information (Draft Standard Contracts Provisions) were issued on 30 June 2022, while the finalised Measures for Security Assessment for Cross-Border Data Transfers (Security Assessment Measures) were issued on 7 July 2022 (see our previous Legal Updates on the Draft Standard Contracts Provisions and Security Assessment Measures).
The revisions made by the TC260 appear to have been motivated by concerns raised following the issuance of Certification Specification V1.0. The nuances of these revisions are discussed below.
Scope of Application
Certification Specification V1.0 stipulated that the Certification mechanism (Certification Mechanism) applies only to cross-border personal information transfers in the following circumstances:[1]
(a) cross-border transfers within a multinational company, or among subsidiaries or affiliates of the same economic or public entity; and
(b) personal information processing activities subject to the PIPL’s extraterritorial reach.[2]
This limitation has now been removed from Certification Specification V2.0, which means that the application of the Certification Mechanism has been extended to all cross-border personal information transfers.[3]
This change addresses concerns over the narrow application of Certification Specification V1.0, and provides eligible companies with another mechanism other than the standard contract to transfer personal information outside of the PRC.
However, Certification Specification V2.0 does not dispel concerns arising from the direct collection of personal information from data subjects in the PRC by overseas organisations. Article 38 of the PIPL ostensibly only applies to data controllers transferring personal information outside of the PRC, though both Certification Specification V1.0 and V2.0 provide that “the certification of cross-border processing of personal information is a voluntary certification recommended by the state. Qualified data controllers and foreign recipients are encouraged to voluntarily apply for certification of cross-border processing of personal information when processing personal information across borders”.[4]
The question of whether overseas data controllers are subject to the Transfer Mechanisms of the PIPL is therefore still up in the air.
From a practical perspective, overseas data controllers should pay close attention to future enforcement actions and further clarifications to the laws to pre-empt any regulatory scrutiny.
Who May Apply for Certification?
Certification Specification V2.0 additionally requires entities applying for certification to be legal entities in the PRC that “operate normally” and maintain “good reputation and goodwill”.[5]
Key Certification Requirements
Similar to the Draft Standard Contracts Provisions and the Security Assessment Measures, Certification Specification V2.0 articulates the following detailed requirements for certification:
1) Legally Binding Agreement
Data controllers and foreign recipients of the personal information are required to sign a legally binding agreement, which should specify the following as a minimum:[6]
(a) basic information of the data controller and the foreign recipient, including but not limited to name, address, contact person and contact information;
(b) purpose, scope, type, sensitivity, quantity, method, retention period and storage locations of the processing;
(c) responsibilities and obligations of the data controller and foreign recipient in respect of personal information protection, and technology and management measures for risk prevention in processing;
(d) rights and interests of data subjects, and applicable measures to protect the rights and interests of data subjects;
(e) relief, termination, liability for breach and dispute resolution;
(f) obligation of the foreign recipient to comply with PRC data laws, acceptance of supervision by the certification body, and acceptance of jurisdiction of relevant PRC laws;
(g) the responsible party within the PRC;
(h) undertaking of both the data controller and foreign recipient to bear legal liability for breaches, and a provision whereby the data controller will assume legal liability in case of lack of clarity over responsibilities; and
(i) other obligations as may be stipulated by applicable laws and regulations.
Notably, the TC260 made changes to the above (a), (b) and (d), and added (c) and (e), aligning the contractual requirements with those specified in the Draft Standard Contracts Provisions.[7] These changes reveal an increasing overlap of the requirements under the Certification and the standard contract, suggesting that Certification is a less attractive Transfer Mechanism given the greater number of steps required.
2) Organisational Management
The requirements imposed on both the data controller and foreign recipient have been retained in Certification Specification V2.0, including obligations to designate a data protection officer and set up a department to assume responsibility over the protection of personal information.[8]
Certification Specification V2.0 goes a step further, prescribing responsibilities of the relevant department to include:
(a) taking effective measures to ensure purpose, scope and method of processing;[9]
(b) carrying out a compliance audit periodically;[10] and
(c) accepting supervision by the relevant certification bodies, including responding to inquiries and cooperating with the investigation.[11]
Inclusion of these requirements in effect means additional compliance obligations for foreign recipients and appears to go beyond the present provisions of the PIPL.[12]
Furthermore, there are question marks surrounding the practical enforceability of these requirements, particularly where they apply to data recipients outside of the PRC.
3) Personal Information Protection Impact Assessment
Drawing on the non-binding national standards,[13] and the Draft Standard Contracts Provisions, Certification Specification V2.0 provides more detail regarding the actual assessment, and stipulates it should include, as a minimum, details on the following:[14]
(a) legality, propriety and necessity of the purpose, scope and method of cross-border transfers;
(b) potential risks arising from the scale, scope, type, sensitivity and frequency of cross-border transfer;
(c) responsibilities and obligations of the foreign recipient, and whether the foreign recipient can ensure the safety of transfer in respect of management, technical measures and ability;
(d) potential risks of leakage, distortion, loss or abuse after the cross-border transfer, and whether there is a well-established channel for data subjects to protect their rights and interests;
(e) potential impacts of the foreign legal environment; and
(f) a catch-all of “other issues that may affect the security of personal information cross-border transfers”.
It is worth noting that the impact assessment under Certification Specification V2.0 is substantially similar to the self-assessment set out under the Draft Standard Contracts Provisions, as well as the self-assessment prescribed in the Security Assessment Measures.
In particular, Certification Specification V2.0 also provides details on how to assess the potential impact of the foreign legal environment, which should include an assessment of the following factors:[15]
(a) previous similar cross-border transfers by the foreign recipient, whether any security incidents have occurred and whether the foreign recipient dealt with them in a timely and effective manner, and whether the foreign recipient has ever received any requests from foreign authorities to provide such information;
(b) policies and regulations of the country or region where the foreign recipient is located, and the difference between these policies and regulations and those of the PRC;
(c) any regional or international organisations that the country or region where the foreign recipient is located has joined, as well as any international commitments it has made; and
(d) any enforcement mechanisms in the country or region, such as whether there are any law enforcement agencies or judicial authorities that oversee personal information protection.
At this juncture, it is not clear whether the above assessment would amount to a requirement for data controllers to engage local counsel in foreign jurisdictions to provide an opinion on how local laws will impact the foreign recipient’s performance of their contractual obligations.
Additional Obligations on Foreign Recipients
Certification Specification V2.0 also imposes additional requirements on foreign recipients, which include obligations to:
(a) immediately notify the data controller and the certification body if they become aware of any changes in the regulations and policies of the country or region where they are located that may lead to failure to meet requirements under the Certification;[16]
(b) undertake not to provide third parties with personal information they have received; and where such provision is authorised, ensure the relevant third party adheres to the requirements prescribed under the PIPL;[17] and
(c) retain records of the personal information processing activities carried out for at least three years.[18]
These obligations mirror similar requirements under the Draft Standard Contracts Provisions and appear to go beyond the requirements set out in the PIPL.
Again, notwithstanding the onerous requirements imposed on foreign recipients, it is unclear how this will be enforced in practice.
Nevertheless, data controllers that carry out cross-border transfers of personal information outside of the PRC should be mindful that Certification Specification V2.0 explicitly provides that where liability is unclear, data controllers will be liable for the breach of laws in cross-border transfers.[19]
Takeaways
Certification Specification V2.0 is expected to be finalised soon, especially in light of the recent issuance of the Notice on Implementation of Personal Information Protection Certification on 18 November 2022, which sets out procedures and details for obtaining certification.[20]
As highlighted above, Certification Specification V2.0 echoes the Draft Standard Contracts Provisions. This strongly suggests that the Cyberspace Administration of China (CAC) is intensifying efforts to reduce disparities in substantive requirements between the Certification Mechanism and the standard contract Transfer Mechanism.
Considering the added compliance costs, companies may not be that keen on using the Certification Mechanism, though this may nonetheless serve as an indicator to the authorities, business partners and clients/customers of a company’s high level of personal information protection compliance.
Companies with business interests in the PRC involving cross-border transfers should consider undertaking an assessment of their eligibility status for the various Transfer Mechanisms before determining which one they wish to rely on for cross-border transfers. Given the rapid pace of development of data laws in the PRC, companies should remain alert to such regulatory changes and developments.
The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this legal update.
[1] Article 1 of the Certification Specification V1.0
[3] Article 1 of the Certification Specification V2.0
[4] Article 3(f) of the Certification Specification V1.0; Article 4(f) of the Certification Specification V2.0
[6] Article 5.1 of the Certification Specification V2.0
[7] Article 6 of the Draft Standard Contracts Provisions
[8] Article 5.2 of the Certification Specification V2.0
[9] Article 5.2.2(d) of the Certification Specification V2.0
[10] Article 5.2.2(e) of the Certification Specification V2.0
[11] Article 5.2.2(g) of the Certification Specification V2.0
[12] See Article 52 of the PIPL, which provides that data controllers are only required to appoint a data protection officer if the personal information being processed reaches a certain threshold
[13] See Information Security Technology – Guidance for Personal Information Security Impact Assessment, released by TC260 on 19 November 2020
[14] Article 5.4 of the Certification Specification V2.0
[16] Article 6.2(b) of the Certification Specification V2.0
[17] Article 6.2(d) of the Certification Specification V2.0
[18] Article 6.2(f) of the Certification Specification V2.0
[19] Article 5.1(j) of the Certification Specification V2.0
[20] Original texts can be found here: http://www.cac.gov.cn/2022-11/18/c_1670399936658129.htm