On 16 March 2023, the National Information Security Standardization Technical Committee (“TC260”) published draft national standards on Certification Requirements for Cross-border Transmission of Personal Information (“Draft Certification Standards”). The public have three months within which to submit their comments, with time expiring on May 15.
In this article, we highlight the key observations of the Draft Certification Standards.
BACKGROUND
Certification is one of the safeguards which personal information processors[1] may adopt in order to export personal information under the Personal Information Protection Law (“PIPL”) if they do not reach the statutory thresholds for a security assessment on export conducted by the Cyberspace Administration of China (“CAC”). Another safeguard is the standard data export contract released by the CAC (for our comments on the standard contract, please click here).
On 24 June 2022, the TC260 issued a technical guidance document entitled the Specification for Certification of Personal Information Cross-border Processing (“Certification Specification”) (for our comments on this version of the Certification Specification, please click here). The Certification Specification was intended to provide guidance for implementing the certification regime. On 18 November 2022, the CAC and the State Administration for Market Regulation confirmed in the Rules for the Implementation of Personal Information Protection Certification (for our comments on these rules, please click here) that the Certification Specification will be used as the basis for assessing the certification requirements of cross-border data processing activities. The Certification Specification, being low-level technical guidance, falls short of the legal authority of national standards.
On 16 December 2022, the TC260 released a second version of the Certification Specification, which enhanced the requirements of the certification (for our comments on the second version, please click here).
In both of our comments on the Certification Specification, we raised some issues that need to be addressed. In this article, we discuss whether the Draft Certification Standards have resolved any of those issues and set out the notable changes.
KEY OBSERVATIONS
- No material change to the Certification Specification
The provisions under the Draft Certification Standards essentially mirror those under the current version of the Certification Specification. Apparently, the purpose of publishing the Draft Certification Standards is to address the issue, which we raised in our previous comments, that the Certification Specification, as technical guidance, lacks the legal effect and authority of national standards.
Unfortunately, the other issues we raised remain unresolved in the Draft Certification Standards. In particular, the onerous requirements that could deter companies from using this new certification regime for their intra-group cross-border data transfers remain unchanged.
- New definitions
The Draft Certification Standards also add definitions for personal information, sensitive personal information and separate consent. We note that the Draft Certification Standards have adopted the same definitions for personal information and sensitive personal information as those found in the Personal Information Security Specification, published by the TC260 in 2020. However, those definitions are not identical to the ones under the PIPL. With the enactment of the PIPL in 2021, it is expected that the TC260 will ensure that the key definitions under its certification standards are consistent with those under the PIPL. If not, different definitions of the same terms could give rise to confusion amongst companies when implementing the certification regime.
The Draft Certification Standards define “separate consent” as the individual's consent to each item of personal information, excluding a single (bundled) consent to the processing of multiple items of personal information or multiple types of processing activities. The Draft Certification Standards require both exporters and importers to obtain a separate consent from the individuals before personal information is exported.
If this definition is adopted in the final version of the certification standards, both data exporters and importers taking part in the certification regime would have to obtain a separate consent for each item of personal information to be exported. Companies would thus need to obtain a number of consents for data export from the same individuals, which would be impractical for most companies.
CONCLUSION
The TC260 published the Draft Certification Standards with the intention of elevating the legal effect of the Certification Specification from a low-level technical guidance document to non-mandatory national standards. As such, most of the requirements remain unchanged, and therefore the issues we raised previously have not been addressed.
The newly added definitions are not consistent with those under the PIPL. In particular, the definition of separate consent, together with the demand that both data exporters and importers obtain separate consents for each item of personal information to be exported, would likely render it unfeasible for many companies to obtain the necessary consents for data exports.
For further information, please contact:
James Gong, Partner, Bird & Bird
james.gong@twobirds.com
[1] A personal information processor is defined as an organisation or individual that independently determines the purposes and means of the processing under the PIPL. This is similar to the concept of “controller” under the GDPR.