On April 29, the 'Practical guide to cybersecurity standards: Technical specifications for certification of cross-border processing of personal information (draft for comments)' (hereafter called the 'Technical specifications for approval') was published by the National Information Security Standardization Technical Committee. This is the first document to explore certification of personal information protection under Article 38 of the Personal Information Protection Law (PIPL).
Article 38 provides four mechanisms for transferring personal information overseas, one of which is certification by professional agencies. The other three are (i) a security review by government agencies, (ii) a mechanism similar to the CSC, i.e. the conclusion of standard contracts with recipients of data abroad, and (iii) a catch-all provision, i.e. conditions stipulated by applicable laws or regulations. Although the security review mechanism specifies that it applies to operators of critical information infrastructure and to data handlers who process personal information above a certain threshold, the applicable scope of the other mechanisms, including certification, is unclear.
The 'Technical specifications for approval' sets out to define the scope of cross-border transfers of personal information by certification. It also lists the factors to be assessed during certification. Although it is a guideline rather than a mandatory regulation, if adopted it would have reference value before the competent authorities promulgate rules in this regard.
The 'Technical specifications for approval' applies to the following situations:
- Cross-border processing of personal information within a multinational company or within the same economic or commercial entity;
- The overseas personal information handlers stipulated in the second paragraph of Article 3 of the PIPL process the personal information of domestic natural persons outside of China.
For both of these situations, the core judgment is what constitutes 'data export behavior'. The key question is whether the data comes into contact with foreign subjects. Under this standard, the transfer of data between jurisdictions, and also access by foreign subjects even where the data has not crossed the border, are all data export behaviors.
This provision extends the application to the second paragraph of Article 3 of the PIPL, which is generally understood as the extraterritorial application of the PIPL. Since the birth of the PIPL, it has been controversial whether the cross-border data transfer requirements apply to processing activities covered by that extraterritorial application. Judging by the 'Technical specifications for approval', the answer is now yes.
This provision also states that cross-border processing of personal information that must pass a security assessment must be reported to the national cybersecurity and informatization authority in accordance with applicable laws and regulations. It emphasizes that certification is not an alternative to security assessment but a parallel route: a security assessment must still be carried out when the situation calls for it.
II. Who can apply for certification
For cross-border processing of personal information within a multinational company or within the same economic or commercial entity, the domestic party may apply for certification and bears legal responsibility for it.
The overseas personal information handler specified in paragraph 2 of Article 3 of the PIPL may apply for certification through the specialized agency or designated representative it has established in China.
III. Basic principles
In addition to the principles of legality, legitimacy and necessity, the principle of openness and transparency, the principle of information quality and the principle of accountability stipulated in the PIPL, which all personal information processing activities must follow, the 'Technical specifications for approval' also sets out the principle of equal protection and the principle of voluntary certification, both derived from Article 38 of the PIPL.
The principle of equal protection requires that cross-border processing of personal information meet the personal information protection standards stipulated in the relevant laws and regulations of China.
IV. Certification agency
The list of certification agencies must be officially designated. The China Cybersecurity Review Technology and Certification Center (CCRC) is likely to become one of the designated certification bodies: the 'Technical specifications for approval' explicitly mentions that its drafting process was supported by the CCRC.
V. The content of the certification
According to the 'Technical specifications for approval', the content of the certification covers at least the following six dimensions:
- Legal constraints: legally binding and enforceable documents, i.e. a data export contract, must be signed between the parties concerned;
- Management bodies: the personal information protection officer and the personal information protection department;
- Rules for cross-border processing of personal information;
- Personal information protection impact assessment: see Articles 55 and 56 of the PIPL and the separate public standard "Information Security Technology: Guidance for Personal Information Security Impact Assessment" for details;
- Rights of the personal information subject;
- Responsibilities of the related parties.
VI. Key points to remember
Article 38 of the PIPL provides four pathways for the cross-border transfer of personal information: security assessment, certification, standard contract, and other conditions. Previously, the Cyberspace Administration of China issued the 'Information Security Technology Guidelines for Businesses Information Security Impact Assessment', which covered the possible content of the security assessment and the standard contract. The 'Technical specifications for approval' is the first document to explore privacy certification.
Certification of cross-border personal information processing activities is a state-recommended voluntary certification. Eligible parties involved in cross-border personal information activities are encouraged to seek it. The applicable scope suggests that certification would be the preferable option for multinational corporations that frequently transfer personal information across borders.
The 'Technical specifications for approval' proposes requirements in terms of basic principles, the scope and method of certification, and the content of certification. It provides a basis for future certification agencies to carry out certification of cross-border personal information processing activities, and a reference for personal information handlers on the certification framework.
The 'Technical specifications for approval' also leaves many issues unresolved, for example whether a certification can serve as a defense in compliance inspections, how long a certification remains valid, how many scenarios and objectives a single certification can cover, and which agencies would be in charge of certification. The Cyberspace Administration of China will need to issue additional measures in the future.