A new set of draft technical specifications provides guidance for MNCs and other entities with a presence in multiple countries on complying with China’s requirements for cross-border personal information processing as stipulated in the Personal Information Protection Law (PIPL). The specifications define rules for contracts, the obligations of persons in charge, and requirements for conducting data protection impact assessments (DPIA). In this article, we offer an overview of the draft technical guidance and how MNCs can prepare for compliance.
On April 29, the National Information Security Standardization Technical Committee (NISSTC), a government body under the State Administration for Market Regulation, released a draft version of the Practice Guidelines for Cyber Security Standards – Technical Specifications for Certification of Cross-Border Processing of Personal Information (the “technical specifications”) for public comment until May 13, 2022.
The technical specifications are the latest addition to China’s legislative framework for protecting the personal information of users and consumers in China. Under China’s Personal Information Protection Law (PIPL), companies are required to meet certain requirements and undergo a security assessment in order to transfer or process the personal information of Chinese users and customers outside of China.
However, many of these requirements were not fully clarified or expanded upon in the law itself, leaving many companies uncertain of their obligations under the law and how to comply with its requirements.
The new technical specifications provide more clarity on some aspects of the law’s requirements, in particular on how large multinationals and entities with locations both in China and overseas can legally share personal information across borders.
They also act as a guide for companies and certification agencies that assist companies in transferring the personal information of Chinese citizens overseas, putting forward the basic principles for processing and protection of personal information, requirements for all relevant parties in cross-border processing activities, and protection of the rights and interests of personal information subjects. Finally, they provide companies with a reference guide for regulating cross-border processing activities of personal information.
Note that for the purposes of this article, “companies” refer to any market entity that engages in the processing of personal information. These are normally referred to as “personal information processors” in the official legislation and regulation documents.
The technical specifications specifically state that they serve to clarify conditions in Article 38 of the PIPL, which deals with the cross-border processing of personal information.
This article of the PIPL stipulates that companies that have to provide personal information outside of China – due to business needs – must meet certain requirements and undergo a security review.
According to this article of the PIPL, companies must meet one of the following criteria in order to transfer personal information over a certain scale overseas:
Article 38 also states that companies must adopt necessary measures to guarantee that the overseas recipient of the personal information also complies with the requirements and regulations for processing and protecting personal information stipulated in the PIPL.
“Personal information” is defined very broadly in the PIPL, and is described as “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously”.
This means personal information can include any data points or information that can be used to identify an individual, such as names, phone numbers, and IP addresses. Separately, the PIPL also defines “sensitive” personal information, which is subject to stricter protection requirements. Sensitive personal information includes:
However, it does not include data that has been anonymized, or abstract data that does not contain any specific personal information on individuals, such as aggregated information.
Meanwhile, the “processing” of personal information is defined as “the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information”.
Note that if overseas employees remotely access and process the personal information of Chinese users stored in China, then it is also considered cross-border processing and is subject to the same requirements as if the company was transferring the personal information to overseas facilities.
The technical specifications clarify the basic requirement for certification agencies that conduct personal information protection certification for companies that need to engage in cross-border processing of personal information.
They are applicable in the following scenarios:
The technical specifications clarify some aspects of the certification procedure for the cross-border processing of personal information.
For the cross-border processing of personal information within a multinational company or within the same economic or business entity, the domestic party may apply for certification and bear legal responsibility.
Furthermore, to engage in the overseas processing of personal information for purposes specified above, foreign companies can apply for certification from specialized agencies or set up a designated representative in China, which will also bear the legal responsibility.
The technical specifications largely reiterate the principles for personal information processing, stating them in specific terms for cross-border processing of personal information while expanding upon some principles.
The PIPL broadly states that personal information shall be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and shall not be processed through deception, fraud, coercion, or other dishonest means.
The technical specifications expand upon this with reference specifically to the cross-border processing of personal information, reiterating the need to adhere to “the principles of lawfulness, legitimacy, necessity, and good faith”. They also recognize that “personal information is directly related to the personal dignity of the information subject”.
According to the technical specifications, cross-border processing of personal information must also adopt the “Principle of Least Privilege”, which means that the person or company processing the personal information is only allowed to access the minimum amount of data required to complete a certain task. This principle is also stipulated in the PIPL, which states that “the collection of personal information shall be limited to the minimum scope to achieve the purpose of processing, and excessive collection of personal information shall be prohibited”.
The technical specifications specify transparency and disclosure requirements for cross-border processing of personal information, which are also mentioned in the PIPL in broader terms.
Companies engaging in cross-border processing of personal information must:
One principle that is not mentioned in the PIPL is the principle of voluntary certification for cross-border personal information processing. The technical specifications state that eligible parties involved in cross-border personal information processing can volunteer to undergo certification “at the recommendation of the state” and are encouraged to do so. They also state that the purpose of the certification is to strengthen personal information protection and improve the efficiency of cross-border processing of personal information.
The technical specifications clarify requirements for companies to be eligible to engage in cross-border processing of personal information. These include contract requirements for domestic and overseas parties, requirements for the appointment of responsible persons, data protection impact assessments (DPIA), and more.
One of the conditions under which companies are permitted to engage in cross-border personal information processing is if they have a signed contract with the domestic or foreign party, which clearly stipulates the obligations and liabilities of both parties.
The technical specifications clarify the contract must contain the following information:
The technical specifications require all parties involved in the cross-border processing of personal information to designate a person to be in charge of personal information protection. This person must have professional knowledge of personal information protection and relevant management work experience, and the role must be held by a member of the organization’s decision-making level.
The person in charge of personal information protection is required to take the following responsibilities:
The technical specifications clarify the roles and responsibilities of the various organs and persons responsible within the organization that is engaged in the cross-border processing of personal information.
All parties involved in the cross-border processing of personal information are required to set up a personal information protection agency to perform the relevant obligations, such as preventing unauthorized access to personal information and preventing leaks, tampering, and loss of the data.
The agency is also required to undertake a variety of responsibilities with regard to cross-border personal information processing activities. These responsibilities have now been clarified in the technical specifications as:
In alignment with the PIPL, the technical specifications also outline the specific rules for the cross-border processing of personal information.
As mentioned above, the contract between the different related parties must provide that all relevant parties must abide by consistent rules for the cross-border processing of personal information.
According to the technical specifications, these must include at least the following rules:
Companies engaged in or planning to engage in cross-border processing of personal information are required to carry out a DPIA in order to assess whether they are eligible to conduct overseas processing of personal information. The DPIA must assess whether the provision of the personal information overseas is legal, legitimate, and necessary, whether the necessary protection measures have been implemented, and whether these measures are effective and appropriate for the level of risk to the personal information.
The DPIA must be carried out in accordance with the Information security technology—Guidance for personal information security impact assessment (standard number GB/T 39335), which came into effect in June 2021.
The technical specifications now also clarify that the DPIA must include the following information:
The technical specifications end by reinforcing the rights that the subjects have to their own personal information under the PIPL and other relevant regulations. These include rights that must be granted by the parties involved in the cross-border processing through the contracts that they are required to sign.
The technical specifications clarify the rights that users have specifically in the case of cross-border processing of their personal information.
They first specify that the personal information subjects, most commonly the users of online services, must be made the beneficiaries of the relevant clauses on personal information rights and interests in the legal documents signed by the parties involved in the cross-border processing of personal information. The user also has the right to request that the relevant parties provide a copy of the legal text concerning their rights and interests.
Moreover, users also have the right to:
The parties involved in the cross-border processing of personal information also have legal obligations toward the users, which include keeping them informed of the personal information processing activity, providing access to the personal information, and ensuring the users have the necessary means to exercise their rights.
According to the technical specifications, the companies involved in data processing are required to inform the users of the basic information of the parties involved through means such as email, instant messaging, mail, and fax. They must also inform them of:
The company must then obtain consent from the users.
In addition, the parties involved must also give the users access to their personal information. In the event that a user requests to access, copy, amend, supplement, or delete their personal information, the company must respond in a timely manner. If the company refuses the request, it must explain the reasons and the available means of redress.
It is the domestic party that is responsible for ensuring the conditions for the users to exercise their rights. The domestic party is also responsible for any legal compensation liability in the event that the cross-border processing of personal information damages the rights and interests of the user.
The new technical specifications provide another piece of the puzzle of China’s data protection and cybersecurity landscape.
The requirements and criteria that companies need to meet in order to transfer personal information overseas have been a matter of considerable concern for foreign companies, and in particular multinationals that regularly need to send data overseas or remotely access data in China in order to conduct normal operations.
The technical specifications offer clarity on a number of steps that companies need to take to comply with the PIPL, such as defining the contents of the contract for cross-border personal information processing and the required scope of conducting a DPIA.
At the same time, they also flesh out China’s personal information protection framework, expanding upon concepts raised in the PIPL and applying them specifically to the cross-border processing and transfer of personal information. The PIPL requires companies to appoint a person to be in charge of personal information protection, while the technical specifications require companies to appoint a person to be in charge specifically of cross-border data processing. The technical specifications also define the scope of this person’s responsibilities and obligations to users in clearer terms, thereby providing a clear point of contact for users to take action should they feel their rights have been violated.
Some questions still remain, however. For instance, the PIPL states that companies seeking to transfer over a certain amount of personal information set by the CAC will be required to undergo a cybersecurity review by the CAC. This requirement is also indirectly referenced in the technical specifications, which refer to this article in the PIPL as the basis for the document.
However, the CAC has not yet determined what amount of personal information can be transferred abroad without the need for a security review, or defined in specific terms the requirements for the cybersecurity review for this scenario. A set of draft measures on cybersecurity reviews for data export puts the amount at 1 million users, but these are yet to be finalized and entered into law.
A set of cybersecurity review measures issued by the CAC took effect on February 15, 2022, but these currently only apply to companies that seek to list on overseas stock exchanges, or for companies engaged in data processing activity that may affect national security. While this does include cross-border processing of personal data, the threshold for the amount of personal information that requires a cybersecurity review was also not defined in this document.
China has only begun building up its cybersecurity and data protection regime relatively recently, and it is therefore only natural that some gaps remain in the framework. We do, however, expect the Chinese cybersecurity authorities to clarify these issues in the future and for more guidance and regulation to be released in coming months and years.
In the face of uncertainty, companies are encouraged to maintain close communication with local cybersecurity authorities to ensure compliance wherever possible. Where regulations are not clear, authorities are likely to look favorably upon companies that take a proactive approach to compliance rather than passively waiting for the authorities to enforce it.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.