The draft of Practical Guide to Cybersecurity Standards – Specification on Certification Technologies for Cross-border Personal Information Processing Activities (hereinafter the “Draft Specification”) was issued for public comment by the National Information Security Standardisation Technical Committee on 29 April 2022. It is the first official guideline for professional institutions on the certification mechanism applicable to cross-border personal information (PI) processing activities. Such certification is one of the statutory pre-conditions that a PI processor may satisfy in order to provide PI to a recipient outside the PRC under Article 38 of the Personal Information Protection Law (the “PIPL”).
Scope of application
The Draft Specification states that its standards may apply to two types of situation:
- cross-border PI processing within a multinational company or within the same economic or business entity; and
- processing of domestic natural persons’ PI by overseas processors, where the purpose is to provide domestic natural persons with products or services, or where the activities of domestic natural persons are analysed and evaluated.
The second situation above seems to imply that the conditions on the outbound flow of PI from the PRC set out in Article 38 of the PIPL may be extended to offshore PI processors that collect PI directly from individuals residing in the PRC. Note that the Draft Specification is not mandatory, and the certification requirements under it are therefore voluntary. It remains to be seen whether further regulations will impose additional legal requirements on offshore PI processors.
Notable requirements for certification
The Draft Specification provides that a binding and enforceable document (which is distinct from the standard contract issued by the Cyberspace Administration of China) shall be signed between the parties to the cross-border PI processing activities, and sets out the specific content that document must contain.
There are other basic requirements, relating to organisational structure, PI protection impact assessment and the protection of PI subjects’ rights, that must be met to complete the certification. For instance, the parties to the cross-border PI processing activities shall:
- designate PI protection officers who have professional knowledge of PI protection and relevant management experience, the position to be held by a member of the decision-making level of the PI processor;
- set up PI protection divisions; and
- comply with the unified cross-border PI processing rules.
Conclusion
Notwithstanding the foregoing, the Draft Specification is silent on which institutions are eligible to carry out the certification and on the certification procedures themselves. It is expected that further rules or standards will be issued or refined for practical implementation.
Deacons will pay close attention to the status of legislation on PI protection in China and provide updates on developments that may affect your business. For tailored measures and practical advice on managing risks in personal information processing, please contact us.
For further information, please contact:
Edwarde Webre, Partner, Deacons
edwarde.webre@deacons.com