On 1 November 2021, the Personal Information Protection Law of the People’s Republic of China (“PIPL”) took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However, due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with the PIPL in some areas.
Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths) that must be met before a cross-border data transfer may occur. According to Article 38, entities may send personal data to foreign recipients by taking one of the following legal paths:
Legal Path 1 – Government Security Assessment: A security assessment organised by the national cyberspace authority has been passed by the entity in accordance with Article 40 of this Law;
Legal Path 2 – Standard Contract: A contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of both parties; and
Legal Path 3 – Certification: The entity has acquired a certification of personal information protection from a professional certification institution in accordance with the regulations of the national cyberspace authority.
On Legal Path 1 (Government Security Assessment), please see “China Issues Cross-border Data Transfer Security Assessment Rules.” For Legal Path 2 (Standard Contract), please see “China Releases Draft Standard Contract for Cross–border Data transfers” and “Cross–border data transfers: A Comparison of the EU and Chinese Standard
This article discusses China’s new rules on Legal Path 3 (Certification).
TC260 Issues Rules for Legal Path 3 (Certification)
On 24 June 2022, the National Information Security Standardization Technical Committee (also known as “TC260”) issued its “Technical Specifications for the Certification of Cross–Border Processing of Personal Information” (“Specifications”). The Specifications state the criteria that multinational corporations (“MNCs”), other economic or business entities and overseas processors should meet to obtain the certification described in Article 38 of the PIPL (i.e., Legal Path 3). At a high level, TC260’s Specifications describe something resembling the Binding Corporate Rules (“BCRs”) under the GDPR.
Please note that the Specifications are not compulsory. In other words, parties to cross-border personal information transfers can decide whether to take Legal Path 3 and obtain certification, or to take another Legal Path they consider appropriate to legitimise their cross-border data transfers. However, if they choose to place themselves under this certification regime, the rules in the Specifications are binding on them and on the relevant certification institutions.
Applicability of the Specifications
The Specifications describe certification scenarios, certification applicants and those who should bear responsibility for cross-border personal information transfers. Within an MNC, one of its entities in China can apply for certification and undertake to assume legal responsibility for the MNC’s global organisation. For an overseas entity with no substantial presence in China, its specialised agency or designated representative in China can apply for certification and undertake to bear legal responsibility for the overseas entity.
Legally Binding Documents
Parties to cross-border personal information processing activities must sign legally binding and enforceable documents (“LBDs”) to ensure that the rights and interests of individuals are fully protected. At a minimum, LBDs should contain:
- The relevant parties involved in cross-border personal information processing;
- The purpose of cross-border personal information processing and the types and scope of personal information;
- Measures to protect the rights and interests of individuals;
- Undertakings by each party to comply with uniform personal information processing rules and ensure that the level of personal information protection is not lower than the standards stipulated by relevant Chinese laws and regulations on the protection of personal information;
- Undertakings to accept the supervision of certification bodies;
- Provisions stating that relevant Chinese laws and regulations on the protection of personal information govern the arrangements;
- Details of the organisational bodies that will bear legal responsibility within China; and
- Provisions for compliance with other legal and regulatory obligations.
Uniform Processing Rules
The uniform personal information processing rules referred to in the fourth item of the list of LBD contents above must contain:
- The particulars of cross-border personal information processing, including the type, sensitivity, quantity, etc., of personal information;
- The purpose, method, and scope of cross-border personal information processing;
- The start and end time of overseas storage of personal information and the processing method after expiration;
- Transit countries involved in cross-border personal information processing;
- Resources and measures required to protect the rights and interests of individuals; and
- Rules for compensation and the handling of personal information security incidents.
Both the data exporter and the foreign data importer must appoint a person to take charge of personal information protection. The persons in charge must have relevant knowledge and experience and be part of the decision-making level of their entity. Their duties include:
- Clarifying organisational personal information protection objectives, basic requirements, work tasks, and protection measures;
- Ensuring the availability of human resources, financial support and materials for personal information protection within the organisation;
- Guiding and supporting relevant personnel in carrying out the organisation’s personal information protection efforts and ensuring that those efforts achieve the expected goals; and
- Reporting to the organisation’s leaders on personal information protection and promoting the continuous improvement of personal information protection efforts.
Personal Information Protection Organisation
Both the data exporter and the foreign data importer should set up internal personal information protection organisations tasked with preventing “unauthorised access and leakage, falsification and loss of personal information” and undertaking the following duties:
- Formulating and implementing plans for cross-border personal information processing;
- Organising and carrying out personal information protection impact assessments (“PIPIAs”);
- Supervising cross-border personal information transfers under the rules agreed to by the relevant parties; and
- Accepting and handling requests and complaints from data subjects.
Personal Information Protection Impact Assessments (PIPIAs)
The Specifications set out what a PIPIA should contain in cross-border transfer scenarios. In particular, a PIPIA must cover:
- Whether the provision of personal information to overseas countries complies with laws and administrative regulations;
- The impact on the rights and interests of individuals;
- The impact of the legal environment and network security environment of overseas countries and regions on the rights and interests of individuals; and
- Other matters necessary to safeguard individuals’ rights and interests in their personal information.
The second and fourth items above mirror the requirements of the PIPL, while the first and third are specific to cross-border transfer impact assessments and suggest the need for specialised country-by-country transfer impact assessments similar to those used for GDPR purposes. For the third item, we note that the precise meanings of “legal environment” and “network security environment” are currently unclear.
Individuals have various rights over their personal information under the PIPL. Those rights include a right to access, right to correct, right to complete, right to erasure, right of portability and right to refuse processing. In addition to those rights, the Specifications provide that individuals are beneficiaries of LBDs and have the right to request a copy of the relevant LBD provisions relating to individuals’ legal rights and interests.
Being a beneficiary of LBDs might, in theory, widen the range of rights available to individuals beyond those found in the PIPL. This is especially so if MNCs operating in multiple jurisdictions adopt a single, highest-common-standard approach to personal information protection at a global level.
The right to access relevant LBD provisions raises issues from a confidentiality perspective. Thus, it would be wise to stipulate such matters in a standalone document to ensure that disclosures to individuals remain appropriate.
The Specifications also provide that individuals should be allowed to litigate in the Chinese courts of their habitual place of residence against the parties to the cross-border data transfers.
Obligations of the Parties to Cross–Border Data Transfers
The provisions within the Specifications on processor obligations generally reflect the terms of the PIPL. However, further requirements are imposed on parties to cross-border data transfers, including:
- When situations arise in which it is difficult to ensure the security of personal information transferred across borders, such processing must be “promptly terminated”.
- The responsible party in China should compensate individuals for breaches arising in the context of cross-border data processing activities.
- The parties to cross-border data transfer activities should undertake to follow Chinese data protection laws, accept their application and enforcement, and cooperate with Chinese regulators’ enforcement activities, such as answering their inquiries and accepting routine inspections.
The Specifications make Legal Path 3 (Certification) of Article 38 of the PIPL possible, though not yet fully actionable, as China has not published a list of certification institutions to handle certification applications from entities. Nevertheless, the Specifications provide a skeleton of the certification regime for cross-border data transfers. We believe the Chinese authorities may issue regulations, and TC260 may issue further guidance, to substantiate this certification regime.
It should be noted that, while an entity can choose between Legal Path 3 (Certification) and Legal Path 2 (Standard Contract) to legitimise its cross-border data transfers, Legal Path 1 (Government Security Assessment) is not optional: as long as the statutory triggers exist, an entity will have to undergo a Security Assessment by the CAC (for more information see “China Issues Cross–border Data Transfer Security Assessment Rules”).
At this stage, it is difficult to forecast whether Legal Path 3 (Certification) will be more popular than Legal Path 2 (Standard Contract). In addition to signing a cross-border data transfer contract, the Specifications essentially require that both the data exporter and the overseas data recipients be subject to a set of unified data protection rules that are aligned with Chinese law and subject to Chinese regulators’ supervision. We believe the compliance effort would be more costly than “simply” signing the Standard Contract. However, the certification path may be welcomed by some companies that see certification as a status or quality mark signalling to consumers that their personal information will be protected to higher standards.
As cross-border data transfers are a rapidly developing area of law, MNCs and overseas processors handling the personal information of people in China are advised to monitor developments in this area closely.