Compliance with requirements on cross-border data transfers has become increasingly important for businesses operating in China. The Personal Information Protection Law (PIPL) mandates that personal information (PI) processors conducting cross-border data transfers must comply with one of three mechanisms: passing a security assessment organized by the Cyberspace Administration of China (CAC), concluding a standard contract with the overseas recipient (China SCC), or obtaining personal information protection certification from a specialized body.
On November 18, 2022, the CAC and the State Administration for Market Regulation (SAMR) issued the Implementation Rules for Personal Information Protection Certification (PI Certification Rules). These rules outline essential principles and requirements for certifying the collection, storage, usage, processing, transmission, provision, disclosure, deletion, and cross-border transfer of personal data. For cross-border PI transfers, the National Information Security Standardization Technical Committee issued the Network Security Standard Implementing Guidance – Certification Technical Specification for Cross-border Personal Information Transfers V2.0 (PI Certification Guidance V2.0) on December 16, 2022. The PI Certification Guideline V2.0 offers detailed instructions for implementing certification for cross-border PI transfers. On March 16, 2023, the Secretariat of the National Information Security Standardization Technical Committee issued the Information Security Technology–Certification Requirements for Cross-border Transfers of Personal Information (Draft for Comment) for public comment (Draft Guidelines). The deadline for comments is May 15, 2023.
This article provides an overview of the PI certification for cross-border data transfer and its significance for businesses operating in China.
What is the PI Certification?
The PI certification is an optional process for businesses that not only applies to the transfer of PI across borders in China but also to general data processing activities. This certification ensures that businesses adhere to the PIPL and other relevant regulations while safeguarding the rights of PI subjects during the transfer process.
Who is Eligible for the CAC Certification?
Under the PI Certification Guideline V2.0, it only applies to two scenarios, namely
- Cross-border PI processing activities among the subsidiaries and affiliates of a multinational company or an economic or public entity; or
- Processing activities conducted by overseas PI processors that are subject to the extraterritorial effect of the PIPL, where the processing occurs outside of China, with the purpose of providing products or services to individuals in China or analyzing and evaluating their behavior.
However, based on our consultation with the CCRC (the China Cybersecurity Review Technology and Certification Centre, the only official agency authorized to conduct the certification process for cross-border data transfer), it accepts a PI certification application under scenarios where cross-border PI transfer occurs outside of a group if the PI processor can provide information about the overseas recipient that satisfies the requirements of PI certification. The Draft Guidelines also removes such requirements.
Additionally, to be eligible for PI certification, the applicant must have legal personality, operate normally, and have a good reputation and goodwill. As such, entities without legal personalities, such as non-governmental organizations and representative offices, are not eligible to apply for certification.
How to get prepared for cross border data transfer certification
To prepare for cross-border data transfer certification, a PI processor must ensure that the level of PI protection meets the standards outlined in the applicable PRC laws and administrative regulations on PI protection. This includes obtaining separate consent from data subjects, concluding a legally binding agreement with the overseas recipient, conducting a Personal Information Assessment (PIA) and reporting its results, making cross-border PI processing rule, obtaining necessary information from the overseas recipient and meeting the organization requirements.
Legally binding agreement
A legally binding agreement between the PI processor and its overseas recipient (Parties) is necessary to ensure the rights and interests of PI subjects are adequately protected during cross-border data transfer. This agreement must specify the basic information of the Parties, the details of the cross-border data transfer, the responsibilities and obligations of the Parties to protect PI, the rights of PI subjects and how to protect them, remedy and dispute resolution, the overseas recipient’s undertakings to comply with relevant PRC laws and regulations on PI protection and to accept continuous supervision by a certification agency, the Parties’ entities in PRC who will bear legal liability for PI protection, and other obligations as stipulated by applicable laws and regulations. To protect the PI subjects’ rights, they have the right to request a copy of the above legal text regarding the part of their rights.
Companies may consider entering into the China SCCs as a starting point, and supplementing them as appropriate (i.e. including requirements such as ongoing monitoring by the CAC certification body).
Cross-border PI processing rule
Both Parties involved in cross-border data transfer must agree and jointly abide by the same cross-border PI processing rule. This rule includes details such as the purpose, method, and scope of the cross-border PI transfer, PI retention, and measures to protect the rights of PI subjects.
PIA
Conducting a PIA for cross-border data transfer is a necessary step in applying for PI certification. The PIA report must be issued and retained for at least three years to ensure that businesses have identified and addressed any potential risks to PI during cross-border transfer. In the PIA, the overseas recipient must provide information such as its previous experience with similar cross-border transfers and processing of PI, any data security incidents that have occurred in the past, and any PI provided to public authorities in its country or region as required by such authorities. The overseas recipient must also provide and clarify the technical and management measures taken to protect PI.
Organizational Requirements
Both the PI processor and the overseas recipient must meet certain organizational requirements to ensure compliance with PI protection obligations. These requirements include appointing a PI Protection Officer who has expertise and relevant management experience in PI protection and is a member of the PI processor/overseas recipient’s management. However, it is not clear how this aligns with the “representative” concept for non-PRC PI processors in the PIPL, which requires non-PRC PI processors to establish a special agency or appoint a representative within the territory of the PRC to be responsible for PI protection-related affairs.
Both Parties must also establish a PI protection department responsible for ensuring compliance with PI protection obligations. This department is responsible for tasks such as accepting and handling requests and complaints from PI subjects and conducting a PIA and regularity audits. However, it is not clear how a non-PRC PI processor should establish such a department.
What is the PI certification process?
The PI certification process involves several steps, including a preliminary review, on-site inspection, and testing of relevant systems and processes. Based on our consultation, the CCRC requires no more than 110 working days to complete the process, not including the time required for rectifications by the applicant. The CCRC also conducts follow-up surveillance after the certification is issued to ensure continued compliance with relevant regulations. The basic process is as follows:
How to Choose between PI Certification and China SCC
The PI certification and the China SCC share similar objectives of ensuring data security during cross-border data transfer. However, there are some key differences between the two.
In general, if the PI processor does not trigger the obligation for a security assessment, both cross-border data transfer mechanisms could be applied. However, the China SCC has an advantage for basic, temporary, and short-term cross-border business transactions under simple and clear-cut scenarios. For example, cross-border data transfer between a company and its business partner. On the other hand, the PI certification has an advantage for frequent and long-term, continuous cross-border data transfer among multiple transfers initiated by the same domestic PI processor. For example, intra-group cross-border data transfer by a data exporter located in China.
Other differences between the two mechanisms include their validity term and the time required to conduct cross-border data transfer legally. In China SCC, the validity term is stipulated in the contract while in PI certification, the validity term is 3 years with no discretion. In terms of time to conduct cross-border data transfer legally, in China SCC it is the date when a standard contract comes into effect while in PI certification it is the time of passing the PI protection certification.
Challenges and Uncertainties
The PI certification process in China is relatively new and there are some challenges and uncertainties associated with it. There is a lack of clarity regarding the specific requirements for certification and some relevant standards/guidance/rules may be issued in the future, which may provide more details and requirements. The certification process can be time-consuming and expensive, and there is a risk that businesses may fail to obtain certification due to a lack of understanding of the requirements or other factors. Furthermore, the certification process requires the cooperation of overseas recipients, which can be challenging to obtain in some cases.
Takeaway:
All three mechanisms for transferring PI across borders from China have been finalized or are close to being finalized. If you haven’t already, now is the time to get ready.
PI certification is an important tool for businesses operating in China that transfer PI across borders. However, obtaining certification takes time and requires providing a significant amount of information.
While it is possible to make a general comparison between China SCC and PI certification, the choice between the two can vary depending on the specific needs and concerns of each business. Both routes have their own uncertainties and challenges.
To ensure compliance with the PIPL and other relevant regulations while protecting the rights of PI subjects during the transfer process, businesses should consult with legal and cybersecurity experts.