China has released a new set of standards for the certification of companies engaged in cross-border personal information processing. The standards act as a guide for the agencies that certify companies for cross-border processing of personal information, in line with the requirements of China’s Personal Information Protection Law. We outline the contents of the standards and discuss the current requirements that companies face in personal information certification.
On December 16, 2022, the National Information Security Standardization Technical Committee (NISSTC) released the Cybersecurity Standards Practical Guide – Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (the “Security Certification Specifications”). The Security Certification Specifications outline the basic principles and personal information (PI) protection standards for companies and overseas recipients of PI in the cross-border processing of PI, as well as the protection of the rights and interests of the PI subjects.
The Security Certification Specifications also provide a basis for certification agencies to carry out certification of PI processors’ cross-border processing activities and provide a reference for PI processors to regulate cross-border processing activities of PI.
For the purposes of this article, “PI processors” refers to companies, organizations, or individuals that process the PI of subjects in China.
Companies that carry out cross-border processing of PI must complete one of several procedures in order to do so legally. There are currently three such procedures, and which one applies depends on the circumstances of the PI processing: undergoing a security assessment by the Cyberspace Administration of China (CAC), concluding a contract with the overseas recipient based on the standard contract formulated by the CAC, or obtaining certification from a third-party certification agency.
The latter two methods are only available to companies whose cross-border data transfer (CBDT) involves a relatively small volume of PI – the “sensitive” PI of fewer than 10,000 people or the general PI of fewer than 100,000 people, counted since January 1 of the previous year. Companies that exceed these thresholds (along with critical information infrastructure operators and exporters of important data) are required to undergo a security assessment by the CAC. The Security Certification Specifications set out the requirements for the third method – obtaining third-party certification.
For multinational companies that engage in cross-border PI processing between their own subsidiaries or affiliated companies located in different countries, the domestic party can apply for certification and assume legal responsibility on behalf of both parties. Overseas PI processors that fall under the PIPL (see Article 3 below) are also permitted to apply for certification through the specialized agencies or designated representatives they have set up in China, which likewise assume legal responsibility on their behalf.
Article 3 of the PIPL stipulates that the law also applies to PI processors that process the PI of people in China outside of China, under any of the following circumstances
Currently, there is no specific definition of the cross-border processing of PI, sometimes called the “cross-border provision” of PI, in either the Security Certification Specifications or any other law or regulation. However, it is generally understood to mean the transmission of PI collected from an individual in China to a territory outside of China.
In addition to the physical transfer of PI overseas, our IT experts note that if an overseas employee (whether within the same company or at a partner or affiliate company) remotely accesses the PI of an individual located in China, that access also constitutes cross-border processing, even though the PI is never actively exported to a location outside of China. Companies whose overseas staff need to access PI stored in China must therefore follow all of the applicable requirements in the Security Certification Specifications and other relevant laws and regulations, even if no data leaves Chinese servers.
The Security Certification Specifications outline the basic principles that PI processors and the overseas recipient should adhere to when engaging in cross-border PI processing.
These basic principles are drawn from China’s existing PI protection framework, most significantly the PIPL. They cover the obligations of the companies involved to comply with relevant laws and regulations, to keep PI subjects informed of the processing activity, and to ensure the security of the PI, among others.
Below we have summarized the basic principles for protecting the security of PI and the rights and interests of PI subjects.
Under the Security Certification Specifications, PI processors and their overseas recipients are required to sign legally binding and enforceable documents to ensure the protection of the rights and interests of PI subjects. At the very least, these documents should specify the following:
According to the Security Certification Specifications, both the PI processor and the overseas recipient engaged in cross-border PI processing are required to appoint a person in charge of PI protection. This person must have professional knowledge of PI protection and relevant management experience, and should hold a decision-making position within the organization.
The person in charge of PI protection is required to undertake the following responsibilities:
PI processors and overseas recipients that carry out cross-border PI processing are required to set up PI protection bodies to perform the relevant obligations, including preventing unauthorized access to PI and the leakage, tampering, or loss of PI. Specifically, the body is required to undertake the following responsibilities for cross-border PI processing activities:
PI processors and overseas recipients must agree upon and jointly abide by the same set of rules for cross-border PI processing. At the very least, the rules should include the following clarifications:
The PI processor must also carry out a PI protection impact assessment before processing PI across borders, as required by the PIPL. The impact assessment report should at the very least contain the following information:
The Security Certification Specifications require PI processors and overseas recipients of PI to recognize the rights of the individual (the PI subject) with regard to the cross-border processing of their PI, and to provide the conditions and mechanisms through which PI subjects can exercise those rights.
These rights are in line with the articles of Chapter IV of the PIPL on “the rights of individuals in the processing of personal information”. They are as follows:
The majority of the requirements in the Security Certification Specifications are based on obligations already stipulated in existing laws and regulations. Most businesses that have been building up their PI and data compliance capabilities in China will therefore be familiar with many of them.
However, the specifications do provide a useful framework for the obligations that apply specifically to the cross-border processing of PI, as distinct from other PI and data protection obligations (such as the processing of PI within China), and for the responsibilities of overseas partners. They also provide concrete guidelines for certification agencies and other stakeholders, helping to ensure that all parties share the same understanding of their respective obligations.
At the same time, China’s cybersecurity and market regulation authorities have not yet published a list of the certification agencies authorized to carry out certification, nor have they issued specific guidelines on how the agencies are to conduct it. More clarity on the certification procedure is needed before both the agencies and the companies being certified can be confident that they are complying with all of the applicable regulations.
China’s PI and data security regulations are relatively complex and are developing very quickly. This is particularly true for the cross-border transfer and processing of data, which is a considerable headache for foreign companies and multinationals in China. For assistance with data and PI processing compliance, contact our China-based IT experts at China@dezshira.com.
China Briefing is written and produced by Dezan Shira &amp; Associates, which has assisted foreign investors into China since 1992.