On April 29, 2022, the National Information Security Standardization Technical Committee issued the Practice Guidelines for Cybersecurity Standards—Technical Specifications for Certification of Cross-Border Processing of Personal Information (Draft for Comment) (the “Specifications Draft for Comment”) for public consultation. The Specifications Draft for Comment is the first official document to address personal information protection certification. It is designed to implement the certification mechanism provided for in Article 38 paragraph 1 item 2 of the Personal Information Protection Law of the People’s Republic of China and to facilitate cross-border processing of personal information. As Chinese lawyers who have long practised in foreign-related matters, we summarize the key points of personal information protection certification in the Specifications Draft for Comment below.
I. Source and Nature: One of the Systems of Cross-border Transmission of Personal Information
Article 38 of the Personal Information Protection Law of the People’s Republic of China provides four routes for the cross-border transfer of personal information: a security assessment organized by the national cyberspace administration, personal information protection certification by a specialized institution, a standard contract with the overseas recipient, and other conditions prescribed by laws or administrative regulations. The Specifications Draft for Comment is derived from the second of these, Article 38 paragraph 1 item 2, which stipulates that where a personal information processor truly needs to provide personal information to a party outside the territory of the People’s Republic of China (“PRC”) for business or other needs, it shall obtain personal information protection certification from a specialized institution in accordance with the provisions of the national cyberspace administration.
II. Scope of Applicability: Cross-border Data Transmission by Multinational Companies and Personal Information Processors Outside the Territory of the PRC
The Specifications Draft for Comment applies to two scenarios: (a) cross-border processing of personal information within a multinational company, or within the same economic or business entity; and (b) processing, by a personal information processor outside the territory of the PRC, of the personal information of natural persons within the PRC in the circumstances described in Article 3 paragraph 2 of the Personal Information Protection Law of the People’s Republic of China. In scenario (a), the party located within the PRC applies for the certification and bears the relevant legal liabilities. In scenario (b), the specialized agency established, or the representative designated, within the PRC by the overseas personal information processor applies for the certification and bears the relevant legal liabilities.
It is noteworthy that the Personal Information Protection Law of the People’s Republic of China only provides that certification shall be conducted by a specialized institution in accordance with the provisions of the national cyberspace administration. The Specifications Draft for Comment does not set out the conditions such a specialized institution must meet, but it does specify that the institution shall supervise the parties’ performance of their undertakings.
In addition, the Specifications Draft for Comment excludes the following two situations from its scope:
1. Cross-border processing of personal information for which laws, administrative regulations or departmental rules require a security assessment organized by the national cyberspace administration; such processing must instead be submitted to the national cyberspace administration for security assessment.
2. Cross-border provision of personal information governed by an international treaty or agreement that the PRC has concluded or acceded to, where that treaty or agreement provides conditions for providing personal information outside the PRC; in that case the treaty or agreement prevails.
III. Legal Requirement: Signing of a Binding and Enforceable Document
Under the Specifications Draft for Comment, the parties involved in the cross-border processing of personal information must sign a legally binding and enforceable document to safeguard the rights and interests of the individuals whose personal information is processed. This document need not be a standard cross-border data transfer contract; it may take another form, such as a data processing agreement or a letter of undertaking. Whichever form is used, the document must specify the following:
1. the parties concerned in the cross-border processing of personal information;
2. the purpose of the cross-border processing of personal information, the category and scope of the personal information;
3. measures to protect the rights and interests of the individuals;
4. all the parties concerned shall undertake to abide by the unified personal information processing rules, and ensure that the level of personal information protection is not lower than the standard stipulated in the relevant laws and administrative regulations of the PRC on personal information protection;
5. all the parties concerned shall undertake to accept the supervision of the certification institution;
6. all the parties concerned shall undertake to accept the jurisdiction of the relevant laws and administrative regulations of the PRC on personal information protection;
7. the organization that bears the legal liabilities within the territory of the PRC;
8. other obligations stipulated by laws and administrative regulations.
IV. Conditions for Certification: Comprehensive Multidimensional Provisions
Beyond the legal requirement above, the Specifications Draft for Comment sets out comprehensive conditions for certification across four dimensions: organizational management, rules for cross-border processing, personal information protection impact assessment, and protection of the rights and interests of individuals.
1. Organizational management
The Specifications Draft for Comment requires the appointment of a person in charge of personal information protection and the establishment of a personal information protection body, and it sets out the responsibilities of each.
2. Rules of cross-border processing of personal information
To obtain certification, the enterprise must establish internal rules for cross-border processing that cover, at a minimum:
1) Basic information of the personal information involved in the cross-border processing, including its category, sensitivity, and quantity among others;
2) Purpose, means and scope of cross-border processing of personal information;
3) The start and end dates of the storage of personal information outside the territory of the PRC, and how the personal information will be handled once that period ends;
4) Transit countries or regions involved in the cross-border processing of personal information;
5) Resources required and measures taken to protect the rights and interests of the individuals;
6) Rules for handling personal information security incidents, including compensation.
3. Personal information protection impact assessment
The personal information protection impact assessment must be conducted in accordance with the latest version of Information Security Technology—Guidance for Personal Information Security Impact Assessment (GB/T 39335). The matters to be assessed include:
1) Whether the cross-border provision of personal information is in compliance with the laws and administrative regulations;
2) The impact of the cross-border processing on the rights and interests of the individuals;
3) The impact of the legal environment and cybersecurity environment of the overseas countries and regions on the rights and interests of the individuals;
4) Other matters required for the protection of the rights and interests of the individuals.
4. Protection of the rights and interests of the individuals
The rights and interests of individuals are a central focus of the certification and may require revisions to the enterprise’s privacy policy. The Specifications Draft for Comment specifies eight rights of individuals and eight obligations of the parties concerned. Points of particular relevance to foreign investors include:
1) Complying with the Personal Information Protection Law of the People’s Republic of China and protecting the rights of individuals, including the right to be informed, the right to decide, the rights to access, copy, correct and delete their personal information, and the right to refuse decisions made solely by automated means;
2) Informing individuals in writing of the basic information of the parties involved in the cross-border processing, the purpose of the cross-border provision, and the categories and storage period of the personal information concerned, and obtaining each individual’s consent;
3) Terminating the cross-border processing of personal information promptly in case of difficulty in ensuring the personal information security;
4) The party bearing legal liability within the territory of the PRC must assist individuals in exercising their rights and is liable for the resulting damages;
5) Undertaking to accept supervision of the cross-border processing by Chinese certification institutions, including responding to inquiries and cooperating with periodic checks;
6) Undertaking to abide by Chinese laws and regulations and accepting the jurisdiction of Chinese courts.
The Specifications Draft for Comment is silent on the certification institution, the validity period of a certification, the method of certification and the specific procedures. These will have to be clarified through revisions to the Specifications Draft for Comment or through supporting documents that provide more detailed guidance for implementing the certification system. If you have any questions about cross-border processing of personal information involving China, please contact us at administrator@35.93.49.201.