China issues draft specification for certification of cross-border transfers of personal information

China's Personal Information Protection Law (PIPL) took effect 1 November 2021, significantly raising the bar for data protection compliance in China.

One of the key concerns is the regulation of international transfers of personal data from China.  In addition to obtaining consent from data subjects, organizations must either go through an official security assessment, obtain certification by a specialized body, or enter into standard contractual clauses prescribed by the Cyberspace Administration of China (CAC).1   Until recently these requirements remained unspecified. 

On 29 April 2022, the National Information Security Standardization Technical Committee (TC260, an important policy making body under the CAC) issued the Draft Guidance on Network Security Standardized Practice – Technical Specification for Certification of Personal Information Cross-Border Processing Activities,  shedding some light on the certification mechanism set forth in the PIPL.

Scope of Application

The Draft Guidance on Network Security Standardized Practice – Technical Specification for Certification of Personal Information Cross-Border Processing Activities (Draft Specification) addresses two scenarios in which certification may be pursued as part of international transfer compliance: (i) intra-group data transfers, in which a China-based businesses transfers personal information to an offshore affiliate; and (ii) offshore processing by organizations subject to PIPL’s extraterritorial reach.2

Part (i) of the scope of the Draft Specification suggests that certification will not be a compliance option for cross-border transfers of personal information between unrelated entities (i.e., use of standard contractual clauses will be required in these cases).

By addressing offshore processing, part (ii) of the scope has surprised observers who have been reading PIPL’s Article 38 to only apply to handlers of personal information based in China seeking to provide personal information to other organizations outside of China – not to offshore collection from data subjects by organizations outside of China.  Based on the Draft Specification, offshore organizations would need to pursue certification through their China-based representatives appointed pursuant to Article 53 of PIPL, the qualifications and procedures for appointing  such China-based representatives have not yet specified.

Highlights  of the certification requirements

The Draft Specification elaborates detailed requirements for the certification.  Below are key takeaways: 

  • Binding agreements between exporters and importers of personal information.  Certification in respect of intra-group transfers would require that some form of legally-binding agreement be in place between the data exporter and the offshore recipients.  Agreements would be required to specify the categories of personal information being transferred, the purpose of processing, the applicable protection measures, as well as commitments to comply with personal information processing  rules meeting China’s data protection standards and acceptance of supervision by the certification body. 
  • Organization management. The Draft Specification expands on the organizational protection measures required under the PIPL.  Any onshore data exporter and offshore data recipient would be required to appoint data protection officers and establish data protection organizational measures related to the data exportation.
  • Processing rules for exportation.  Exporters and importers would be required to agree and abide by processing rules in respect of the cross-border transfer, including agreeing the countries or regions of transit, the retention period by the offshore recipient, and procedures for addressing personal information security incidents.
  • Data protection impact assessments.  Exporters would be required to carry out data protection impact assessments (DPIA) covering, in particular, the potential impact of the foreign legal environment and network security environment on data subject rights.  Voluntary DPIA requirements are already provided under non-binding national standards.  It remains to be seen if certification as envisaged by the Draft Specification would create a prescriptive standard for DPIA that will have broader implications for China’s data protection laws.   
  • Data subject rights.  The Draft Specification proposes to designate data subjects  as third party beneficiaries of the agreement between the data exporter and the data importer, as well as rights to receive a copy of extracts in the agreement concerning data subject rights.
  • Responsibilities of relevant parties.  Notably, the Draft Specification would require that the onshore party, i.e. the domestic affiliates or the local representative/agency, indemnify data subjects in respect of any losses arising from non-compliance. 

Conclusions

The Draft Specification provides further insights to a key aspect of China’s emerging approach to PIPL implementation: the regulation of international data transfers.  This draft, however, raises at least as many questions as it answers.

It is not clear, for example, why transfers between unrelated entities fall outside the scope of certification, which presumably leaves the usage of standard contractual clauses (which are yet to be seen in draft) as the only compliance option in such cases. 

More fundamentally, imposing a certification requirement on organizations collecting personal information from abroad seems to be an extraordinary bureaucratic challenge in practice.  The legal exposure that local representatives would face once appointed will also create significant friction for compliance efforts. 

Whether or not the Draft Specification will see revision remains to be seen.   Its release has also heightened the anticipation surrounding the CAC’s standard contractual clauses, which appear to be all the more important given they may be the only compliance option available for international transfers between unrelated entities.

 

Authored by Mark Parsons, Sherry Gong, and Tong Zhu.

 

References
1 Article 38 of PIPL also requires that organizations considered to be operators of “critical information infrastructure” or meeting certain data volume thresholds specified by relevant authorities complete an official security assessment
2 Pursuant to Article 3, PIPL applies to organizations outside of China where personal information is processed as part of: (i) the provision of products or services to individuals in China; or (ii) analysing or assessing the activities of natural persons in China.

 

This website is operated by Hogan Lovells Solutions Limited, whose registered office is at 21 Holborn Viaduct, London, United Kingdom, EC1A 2DY. Hogan Lovells Solutions Limited is a wholly-owned subsidiary of Hogan Lovells International LLP but is not itself a law firm. For further details of Hogan Lovells Solutions Limited and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2022 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.