The National Information Security Standardization Technical Committee of China ("TC260") released, on 8 November 2022, the revised draft Practice Guidelines for Cybersecurity Standards – Technical Specification for the Certification of Cross-Border Processing of Personal Information ("Guidelines V2.0") and sought public comments until 15 November 2022.
On 24 June 2022, TC260 issued Practice Guidelines for Cybersecurity Standards - Technical Specification for the Certification of Cross-Border Processing of Personal Information ("Guidelines V1.0"). Both Guidelines V1.0 and Guidelines V2.0 clarify that they aim to implement Article 38(1), item (2) of the Personal Information Protection Law ("PIPL"), which is “personal information protection certification conducted by professional agencies in accordance with the provisions of the State cyberspace authorities” from the original text. This time, Guidelines V2.0 supplements and revises some requirements in V1.0 in order to provide more explicit and specific guidelines for the security of cross-border processing of personal information, as well as the protection of the rights and interests of personal information subjects.
In order to help companies better understand the requirements of the certification mechanism of cross-border processing of personal information in China, we analyzes some key legal issues such as the applicability of certification, requirements for concerned parties, basic principles and requirements of certification, and protection of the rights and interests of personal information subjects. In addition, we also provide compliance advice based on the latest legislation updates on the certification.
For the other two different paths for the cross-border data transfer in China, the security assessment path (Cross-border Data Transfer: The Security Assessment Path) and the Standard Contract path (Cross-border PI Transfer: The Standard Contract Path), please see our previous articles for reference.
Guidelines V2.0 serves as the basis for certification agencies to offer personal information certification in the cross-border personal information processing and applies to cross-border personal information processing conducted by personal information processors.
It can be seen that Guidelines V2.0 does not directly apply to those organizations applying for certification on personal information protection; instead, Guidelines V2.0 provides a basis for certification agencies so as to regulate the relevant applicants' practice of cross-border personal information processing.
II. Concerned Parties Under Guidelines V2.0
According to the Guidelines V2.0, any personal information processor that applies for certification shall meet the basic principles and fall under either of the following two circumstances:
Figure 1 Concerned Parties
Compared with Guidelines V1.0, the basic principle is added to Guidelines V2.0. Article 102 of the Civil Code explicitly provides that "An unincorporated organization is an organization which does not have the legal person status but may engage in civil activities in its own name in accordance with law. Unincorporated organizations include sole proprietorships, partnerships, professional service institutions that do not have the legal person status, and the like. " Therefore, although an individual is qualified as a personal information processor under PIPL, he/she shall not apply for certification for personal information protection. In addition, service institutions without legal person status, such as sole proprietorship enterprises and partnership enterprises, are also not qualified to apply for certification for protection of personal information in cross-border processing.
III. Basic Principles of the Certification
According to the Guidelines V2.0, any party that applies for certification for the cross-border protection of personal information shall comply with the following principles:
Figure 2 Basic Principles of Certification Mechanism
Among the above-mentioned principles, the first five are all principles for personal information processing as explicitly required by PIPL. According to the Guidelines V2.0, the "clear accountability" means that "the personal information processor and the overseas receiving party shall protect the rights and interests of personal information subjects in cross-border processing of personal information, and designate one or more domestic parties or the domestic institutions set up by the overseas receiving party to be legally liable for illegal processing of personal information conducted by the overseas receiving party. " In this regard, in the above two application circumstances listed by Concerned Parties, the subjects who shall bear the liabilities shall be respectively as follows:
The sixth principle, "voluntary certification", specifies that applying for certification of personal information protection is not the only way to carry out cross-border processing of personal information. As provided in Article 38(1) of PIPL, a personal information processor may also, based on factors such as its identity, its type and quantity of personal information processed, transfer personal information overseas by means of passing a security assessment organized by the national cyberspace administration authority (the "Security Assessment") or entering into a standard contract with an overseas recipient (the "Standard Contract").
Guidelines V2.0 puts forward four basic requirements for personal information processors and overseas recipients that carry out cross-border processing of personal information, including:
Figure 4 Basic Requirements of Certification Mechanism
(1) Legally Binding Agreement
Guidelines V2.0 requires that personal information processors and overseas recipients that carry out cross-border processing of personal information shall enter into legally binding and enforceable documents to ensure that the rights and interests of personal information subjects are fully protected. There are also similar provisions in the Security Assessment and Standard Contract mechanism for the cross-border transfer of personal information, namely the "proposed legal documents" and "standard contracts". The table below compares the main contents of the above three similar documents:
Table 1 Comparison of the Main Contents of Relevant Legal Documents Under the Three Cross-Border Paths
In light of the above comparison, the main contents of the legally binding agreement under the Guidelines V2.0 are consistent with those of the Standard Contract in the Provisions on Standard Contracts for Cross-border Transfers of Personal Information (Draft for Comments), while are quite different from the main contents of the legal documents to be concluded under the Measures for the Security Assessment for Cross-Border Data Transfer. The most important reason for this difference is that both the Standard Contract and the Certification only apply to the cross-border transfer of "personal information", while the Security Assessment applies to important data in addition to the cross-border transfer of personal information. Therefore, the proposed legal documents emphasize the risk of data being illegally used, while the Standard Contracts and legally binding agreements emphasize the protection of personal information subjects' rights.
Compared with the Standard Contracts, the legally binding agreements supplement the overseas recipient's undertakings (including to be bound by the rules for the same cross-border processing of personal information, to be supervised by the certification agency and to be governed by laws and regulations in PRC) as well as commitments of both parties on assumption of liability. All these supplements the Guidelines V2.0 being a voluntary regulation and clarifying in the contents of both parties' specific responsibilities with respect to personal information protection.
In addition to the content in the legally binding agreements, the Guidelines V2.0 also requires that the overseas recipient shall undertake not to provide the personal information it receives to third parties. If it is necessary to provide such information, the overseas recipient shall comply with the requirements of the relevant laws and administrative regulations of PRC and take necessary measures to ensure the cross-border processing of third-party personal information meets the standards for the protection of personal information stipulated in PIPL.
(2) Organization Management
According to the Guidelines V2.0, both personal information processors and overseas recipients carrying out cross-border processing of personal information shall designate a person in charge of personal information protection and establish an institution for personal information protection. These provisions go beyond the provisions in PIPL, which only require that the personal information processors who process personal information more than the number that specified by the national cyberspace administration authority shall designate a person in charge of personal information protection.
Up to now, the national cyberspace administration authority has not issued any detailed rules to clarify the specified number in PIPL, however, as mentioned above, not all personal information processors are eligible to apply for certification under the Guidelines V2.0. Applicants should be a qualified legal person with normal operation, good reputation and goodwill, and be multinational corporations or overseas companies whose purpose is to provide products or services for domestic natural persons, or to analyze and evaluate the activities of domestic natural persons. Generally speaking, these companies have a large business volume, thus imposing a higher organizational and managemental obligation on such companies is also in line with the legislative requirements of PIPL and the industry practice.
It is noteworthy that the Guidelines V2.0 specifies that the person in charge of personal information protection shall have professional knowledge of personal information protection and relevant management experiences and shall be a member of the decision-making level of the organization. This requires that the person in charge of personal information protection shall have a real say within the organization, which indicates that personal information protection shall become an important aspect of the company's compliance governance.
(3) Rules for Cross-Border Processing of Personal Information
As mentioned above, the overseas recipient shall undertake to comply with the same rules for cross-border processing of personal information in a legally binding agreement. With respect to the rules for cross-border processing of personal information, the Guidelines V2.0 requires at least the following matters to be included:
Figure 5 Main Contents of the Rules for Cross-Border Processing of Personal Information
(4) Impact Assessment of Personal Information Protection
In accordance with Articles 55 and 56 of PIPL, if a personal information processor transfers personal information abroad, it shall conduct an assessment on the impact of the protection of personal information in advance and keep a record of processing. The assessment report on the impact of the protection of personal information and records on processing shall be kept for at least three years. This provision does not limit the outbound paths selected by the personal information processor. Therefore, it should be understood that prior to transferring personal information abroad, whether by Security Assessment, Certification or Standard Contract path, an impact assessment of personal information protection shall be conducted.
As mentioned above, the security assessment path is not only applicable to the cross-border processing of personal information, but also applies to the cross-border transfer of important data. Therefore, under the Security Assessment path, data processors should carry out self-assessment of data export risks before applying for security assessment for data to be transferred abroad, instead of only conducting an impact assessment of personal information protection.
The table below compares the main items for the assessment under the three paths:
Table 2 Comparison of Main Contents of Relevant Self-Assessments Under the Three Cross-Border Paths
As can be seen from the table above, the content of the personal information protection impact assessment stipulated by Guidelines V2.0 is basically consistent with the content of the Security Assessment and the Standard Contract, but the Guidelines V2.0 further specifies the specific content of the impacts of the personal information protection policies and regulations of the overseas recipient's country or region on the fulfillment of the obligations of personal information protection and the protection of personal information rights and interests.
In addition, the contents of the Guidelines V2.0 on this issue is basically consistent with that in the Standard Contract, referring to as “the impact of the personal information protection policies and regulations of the country or region where the overseas recipient is located on the performance of this Standard Contract.”
Ⅴ. Protection of Personal Information Subjects' Rights and Interests
According to the PIPL, subjects of personal information have the right to know, the right to decide, the right to restrict or refuse others to process their personal information, and also the right to access and copy, the right to request personal information processors to rectify or supplement relevant information, and the right to delete, to withdraw the consent to cross-border processing of their personal information, and to request personal information processors to interpret the rules of processing personal information they developed, etc. In addition to these rights, Guidelines V2.0 also provides that subjects of personal information are third-party beneficiaries in the legal agreement between the personal information processor and the overseas recipient.
To exercise the above rights, the subjects of personal information can make a request to the personal information processor or directly make a request to the overseas recipient. If the rights and interests of personal information are damaged, the subjects of personal information have the right to claim compensation against either the personal information processor or the overseas recipient. The party bearing domestic legal liabilities of the overseas recipient shall undertake to provide conveniences for the subjects of personal information to exercise their rights and shall be liable for legal compensation when the rights and interests of the subjects of personal information are damaged by the cross-border processing of personal information.
The subjects of personal information also have the right to file a lawsuit in the court of their habitual residence against the personal information processor which engages in cross-border processing of personal information and the overseas recipient.
In order to protect the above rights and interests of the subjects of personal information, in addition to the relevant requirements listed above, personal information processors and overseas recipients shall also:
Figure 6 Other Responsibilities and Obligations of Personal Information Processors and Overseas Recipients
Just over four months after the promulgation of the Guidelines V1.0, TC260 furthermore issued Guidelines V2.0, which reflects the conflict between the strong demand for the cross-border transfer of personal information by enterprises and the fact that the security assessment mechanism which came into force on September 1st, 2022 does not apply to all cross-border data transfer situations, as well as the regulatory authorities’ eagerness to quickly promulgate certification standards in order to ease the burden on administrative resources brought by such conflict.
It is worth noting that less than one week after the promulgation of the Guidelines V2.0, TC260 also issued the Notice on Seeking Participants for the Compilation of the Information Security Technology - Certification Requirements for Cross-border Transmission of Personal Information. Unlike the Guidelines V1.0 and V2.0, this is a recommended national standard. Although it is also under the jurisdiction of TC260, it was promulgated by the State Administration for Market Regulation and the Standardization Administration of China. Therefore, it is a higher standard than the Guidelines in terms of the legal effect.
In addition, the State Administration for Market Regulation and the Cyberspace Administration of China jointly issued the Announcement on Implementing Certification for Personal Information Protection on November 18, 2022, which provides for the basic principles and requirements of certification for the collection, storage, use, processing, transmission, provision, publication, deletion, cross-border processing and other processing activities of personal information by personal information processors. Although it is not specifically applicable to cross-border processing of personal information, the Implementing Rules on Certification for Personal Information Protection attached to it provides that personal information processors that carry out cross-border processing activities shall comply with not only the requirements of the Information Security Technology - Personal Information Security Specification (GB/T 35273), but also the Guidelines. Therefore it can be inferred that the Implementing Rules on Certification for Personal Information Protection may be further revised to provide that the cross-border transfer of personal information shall also comply with the requirements of the Information Security Technology - Certification Requirements for Cross-border Transmission of Personal Information, or the substantive content of the latter one shall remain consistent with the Guidelines.
Therefore, it is recommended that enterprises who intend to provide personal information to overseas parties by means of the certification mechanism, firstly, should determine whether they are qualified applicants or not. Also, relevant enterprises should also pay close attention to the updates of the Guidelines and revision of the Information Security Technology - Certification Requirements for Cross-border Transmission of Personal Information, as well as the publication of the directory of the relevant certification institutions, in order to carry out compliance in accordance with the latest certification standard.
（Thanks to intern Fan Zhang for his contribution to this article.）