Scope of Application
The Draft Guidance on Network Security Standardized Practice – Technical Specification for Certification of Personal Information Cross-Border Processing Activities (Draft Specification) addresses two scenarios in which certification may be pursued as part of international transfer compliance: (i) intra-group data transfers, in which a China-based businesses transfers personal information to an offshore affiliate; and (ii) offshore processing by organizations subject to PIPL’s extraterritorial reach.2
Part (i) of the scope of the Draft Specification suggests that certification will not be a compliance option for cross-border transfers of personal information between unrelated entities (i.e., use of standard contractual clauses will be required in these cases).
By addressing offshore processing, part (ii) of the scope has surprised observers who have been reading PIPL’s Article 38 to only apply to handlers of personal information based in China seeking to provide personal information to other organizations outside of China – not to offshore collection from data subjects by organizations outside of China. Based on the Draft Specification, offshore organizations would need to pursue certification through their China-based representatives appointed pursuant to Article 53 of PIPL, the qualifications and procedures for appointing such China-based representatives have not yet specified.
Highlights of the certification requirements
The Draft Specification elaborates detailed requirements for the certification. Below are key takeaways:
- Binding agreements between exporters and importers of personal information. Certification in respect of intra-group transfers would require that some form of legally-binding agreement be in place between the data exporter and the offshore recipients. Agreements would be required to specify the categories of personal information being transferred, the purpose of processing, the applicable protection measures, as well as commitments to comply with personal information processing rules meeting China’s data protection standards and acceptance of supervision by the certification body.
- Organization management. The Draft Specification expands on the organizational protection measures required under the PIPL. Any onshore data exporter and offshore data recipient would be required to appoint data protection officers and establish data protection organizational measures related to the data exportation.
- Processing rules for exportation. Exporters and importers would be required to agree and abide by processing rules in respect of the cross-border transfer, including agreeing the countries or regions of transit, the retention period by the offshore recipient, and procedures for addressing personal information security incidents.
- Data protection impact assessments. Exporters would be required to carry out data protection impact assessments (DPIA) covering, in particular, the potential impact of the foreign legal environment and network security environment on data subject rights. Voluntary DPIA requirements are already provided under non-binding national standards. It remains to be seen if certification as envisaged by the Draft Specification would create a prescriptive standard for DPIA that will have broader implications for China’s data protection laws.
- Data subject rights. The Draft Specification proposes to designate data subjects as third party beneficiaries of the agreement between the data exporter and the data importer, as well as rights to receive a copy of extracts in the agreement concerning data subject rights.
- Responsibilities of relevant parties. Notably, the Draft Specification would require that the onshore party, i.e. the domestic affiliates or the local representative/agency, indemnify data subjects in respect of any losses arising from non-compliance.
The Draft Specification provides further insights to a key aspect of China’s emerging approach to PIPL implementation: the regulation of international data transfers. This draft, however, raises at least as many questions as it answers.
It is not clear, for example, why transfers between unrelated entities fall outside the scope of certification, which presumably leaves the usage of standard contractual clauses (which are yet to be seen in draft) as the only compliance option in such cases.
More fundamentally, imposing a certification requirement on organizations collecting personal information from abroad seems to be an extraordinary bureaucratic challenge in practice. The legal exposure that local representatives would face once appointed will also create significant friction for compliance efforts.
Whether or not the Draft Specification will see revision remains to be seen. Its release has also heightened the anticipation surrounding the CAC’s standard contractual clauses, which appear to be all the more important given they may be the only compliance option available for international transfers between unrelated entities.