On June 24, 2022, the National Information Security Standardization Technical Committee (“TC260”) circulated the final version of the Technical Specification for Certification of Cross-border Processing of Personal Information (“Certification Specification”). The Certification Specification makes some interesting changes to the draft version released by TC260 in April 2022 (“Draft Certification Specification”). (For our comments on the Draft Certification Specification, please click here.)

In this article, we highlight the main modifications made in the Certification Specification and present our observations.

MAIN CHANGES AND OBSERVATIONS

I. Security Specification Compliance as a Prerequisite

At the outset, the Certification Specification explicitly requires personal information (“PI”) processors that apply for certification to comply with the requirements of the non-binding national standard Information Security Technology – Personal Information Security Specification published by TC260 (“Security Specification”).

The Security Specification sets out detailed requirements on the processing of personal information and is intended to serve as a best-practice guide for entities that process personal information in China. Notably, the Security Specification is a recommended national standard published before the Personal Information Protection Law (“PIPL”), and some of its requirements may be incompatible with the PIPL. To make these requirements workable within the current legal framework, TC260 should update the Security Specification as soon as possible.

Nevertheless, the Certification Specification appears to treat the Security Specification as a prerequisite for applying under the certification scheme. PI processors must therefore ensure that their entire processing lifecycle is aligned with the Security Specification.

II. Applicability of the certification scheme

The Certification Specification applies in the following scenarios:

  • Scenario 1: cross-border personal information processing activities between subsidiaries and affiliates of a multinational company or an economic or public entity; and
  • Scenario 2: processing activities subject to the extraterritorial effect of the PIPL.

For Scenario 1, the Certification Specification confirms that the certification scheme applies to intra-group transfers within the same group of companies and revises the wording to make it less ambiguous.

For Scenario 2, the Certification Specification states that it applies to entities subject to the extraterritorial effect of the PIPL. As we have noted previously, this extension of the certification scheme lacks a legal basis and does not provide enough incentive for these entities to obtain certification. More importantly, the Certification Specification as a whole provides very little guidance on the requirements for Scenario 2. Hopefully TC260 will explain in more detail how it envisions the certification regime being implemented in Scenario 2.

III. Certification requirements

The basic requirements of the Certification Specification remain the same, namely a legally binding agreement, organizational management measures and protection of individuals’ rights in their personal information, and most of the detailed requirements remain unchanged.

The Certification Specification makes it clear that it is PI processors and overseas recipients who will be bound by these requirements, although the more precise term would be the PI processor in China or a PI exporter.

Legally Binding Agreement

The binding and enforceable document is expressly called a legally binding agreement, and the PI processor and the overseas recipient must therefore enter into such an agreement. Interestingly, under the agreement only the overseas recipient, rather than all parties involved, must agree to abide by the rules on cross-border processing of personal information, accept the supervision of the certification institution and be governed by Chinese personal information protection laws and regulations. The rationale for this change appears to be that PI processors located in China will automatically be subject to these requirements. However, in the absence of any mandatory legal requirement, which is certainly missing from the Certification Specification, the PI processor in China is not necessarily subject to the rules on cross-border processing or to the supervision of the certification institution.

Unless a mandatory regulation requires it, it remains necessary for PI processors in China to make such commitments in the agreement, which is at least a binding obligation enforceable by the parties to it. Furthermore, the Certification Specification does not specify the law governing the agreement, which appears to be an omission by TC260 that could give the parties undesirable flexibility.

Personal Information Protection Impact Assessment (“PIPIA”)

The PI processor in China must conduct a PIPIA on its cross-border processing activities. The Certification Specification removes the requirement to use the non-binding national standard Guidance for Personal Information Security Impact Assessment as a guide for the PIPIA. As indicated in our previous comments, this national standard came into force before the PIPL and will need to be updated if it is to be used for conducting the PIPIA.

Guarantees of the rights of individuals

The Certification Specification adds a requirement that PI processors in China and overseas recipients take corrective action to promptly address data breach incidents, notify the relevant government authorities and notify individuals when such an incident has occurred or is likely to occur.

CONCLUSION

The Certification Specification retains most of the requirements of the previous draft while attempting to provide some clarifications and additions. However, most of the questions we raised in our comments on the previous draft remain unresolved. The Certification Specification is a useful attempt by TC260 to establish a certification regime for China’s data exports, but the regime will not be complete without higher-level mandatory regulations.