China has released a new set of standards for the certification of companies engaged in cross-border personal information (PI) processing. The standards act as a guide for agencies that certify companies for cross-border processing of PI, which are in line with the requirements of China’s Personal Information Protection Law. This article outlines the contents of the standards and discusses the current requirements for companies in PI certification.
On 16 December 2022, the National Information Security Standardization Technical Committee (NISSTC) released the Cybersecurity Standards Practical Guide—Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (the “Security Certification Specifications”). The Security Certification Specifications outline the basic principles and PI protection standards for companies and overseas recipients of PI in the cross-border processing of PI, as well as the protection of the rights and interests of the PI subjects.
The Security Certification Specifications also provide a basis for certification agencies to carry out certification of PI processors’ cross-border processing activities and provide a reference for PI processors to regulate cross-border processing activities of PI.
For the purposes of this article, “PI processors” refers to companies, organizations, or individuals that process the PI of subjects in China.
Who Needs to Apply for Certification?
Companies that carry out cross-border processing of PI must undergo certain procedures to do so legally. There are currently three different procedures that companies must go through depending on the circumstances of the PI processing:
- Undergoing a security assessment by the Cybersecurity Administration of China (CAC)
- Signing a contract with the overseas recipient
- Receiving third-party certification
The latter two methods are only applicable to companies that engage in the cross-border data transfer (CBDT) of a relatively small volume of PI—the “sensitive” PI of under 10,000 people or the general PI of under 100,000 people in the previous year. Companies that exceed this threshold will be required to undergo a security assessment by the CAC. The Security Certification Specifications outline the requirements for the third method—receiving third-party certification.
For multinational companies that engage in cross-border PI processing between their own subsidiaries or affiliated companies located in another country, the domestic party can apply for certification and assume legal responsibility on behalf of both parties. Overseas PI processors as defined in the Personal Information Protection Law (PIPL) are also permitted to apply for certification through their specialized agencies or designated representatives set up in China, which can also assume legal responsibilities on their behalf.
Article 3 of the PIPL stipulates that the law also applies to PI processors located outside China that process the PI of people in China, under any of the following circumstances:
- To provide products or services to people in China
- To analyze and evaluate the behavior of people in China
- Other circumstances stipulated by laws and administrative regulations
What Counts as Cross-border PI Processing?
Currently, there is no specific definition for cross-border processing of PI, which is sometimes called the “cross-border provision” of PI, in either the Security Certification Specifications or any other laws or regulations. However, it is generally understood that it refers to the transmission of the PI that has been collected from an individual in China to a territory outside of China.
In addition to the physical transfer of PI overseas, our IT experts have also noted that if an overseas employee (whether they are within the same company or in a partner or affiliate company) remotely accesses the PI of an individual located in China, then this activity will also constitute cross-border processing, even if the PI is not actively exported to a location outside of China. For this reason, companies will have to follow all the applicable requirements outlined in the Security Certification Specifications and other relevant laws and regulations if their overseas employees need to access PI stored in China.
PI Protection Requirements
The Security Certification Specifications outline the basic principles that PI processors and the overseas recipient should adhere to when engaging in cross-border PI processing.
These basic principles are based on the requirements stipulated in China’s existing PI protection framework, most significantly the PIPL. They cover the basic obligations of the companies involved to comply with relevant laws and regulations, keeping the PI subjects informed of the activity, and the companies’ obligations to ensure the security of the PI, among others.
The table summarizes the basic principles for protecting the security of PI and the rights and interests of PI subjects.
Legally Binding Documents
Under the Security Certification Specifications, PI processors and their overseas recipients are required to sign legally binding and enforceable documents to ensure the protection of the rights and interests of PI subjects. At the very least, these documents should specify the following:
- The basic information of the PI processors and overseas recipients, including but not limited to name, address, contact name, and contact information
- Information on the cross-border PI processing activity, including but not limited to the purpose for the processing, the scope of PI and processing activity, the type, sensitivity level, and quantity of the PI being processed, the method for processing the PI, and the PI’s retention period and storage location
- The responsibilities and obligations of PI processors and overseas recipients to protect PI, as well as the technical and management measures taken to prevent possible security risks caused by cross-border processing of PI
- The rights of PI subjects and the methods for them to protect their rights
- Clauses on remedy, contract termination, liability for breach of contract, dispute resolution, and more
- A promise by the overseas recipient to abide by the same cross-border PI processing rules, and assurance that the level of PI protection is not lower than that of standards stipulated in China’s relevant laws and administrative regulations
- Acceptance by the overseas recipient of continuous supervision over the cross-border PI processing by the certification body
- Promises by the overseas recipient to accept the jurisdiction of China’s relevant laws and administrative regulations on PI protection
- Specification of the organization that assumes the legal responsibility within China, and its promise to fulfill the obligations to protect PI
- A statement that both the PI processor and the overseas recipient bear civil legal liability for violations of PI rights and interests, and clear agreement on the civil legal liability of each party
- Obligations stipulated in other laws and administrative regulations
Appointing a Person in Charge of PI Protection
According to the Security Certification Specifications, both the PI processor and the overseas recipient engaged in cross-border PI processing are required to appoint a person to oversee PI protection. This person must have professional knowledge of PI protection and relevant management work experience and should hold a decision-making position within the organization.
The person in charge of PI protection is required to undertake the following responsibilities:
- Clarify the main objectives, basic requirements, tasks, and protection measures of the PI protection work
- Ensure adequate human resources and financial and material support for the organization’s PI protection work, and ensure the availability of required resources
- Guide and support relevant personnel in carrying out the organization’s PI protection work to ensure that the work achieves the intended goals
- Report the PI protection work situation to the main person in charge of the organization and promote the constant improvement of the PI protection work
Setting Up a PI Protection Agency
PI processors and overseas recipients who carry out cross-border PI processing activities are required to set up PI protection agencies to perform the relevant obligations and carry out work such as preventing unauthorized access to PI, as well as leaks, tampering, and loss of PI. Specifically, the agency is required to undertake the following responsibilities for cross-border PI processing activities:
- Formulate and implement a plan for cross-border PI processing in compliance with relevant laws
- Organize a PI protection impact assessment
- Supervise the organization’s cross-border PI processing in accordance with the agreed rules and protect the rights and interests of PI subjects
- Take effective measures to ensure that cross-border PI is processed in accordance with the purpose, scope, and method of the PI processing that has been agreed upon, fulfilling PI protection obligations, and ensuring the security of the PI
- Regularly review the organization’s compliance with relevant laws and administrative regulations when processing PI by conducting compliance audits
- Accept and handle requests and complaints from PI subjects
- Accept the continuous supervision of certification bodies on cross-border processing of PI, including answering inquiries, cooperating with inspections, and other liaising activities
Mutual Agreement Upon the Rules of PI Processing
PI processors and overseas recipients must agree upon and jointly abide by the same set of rules for cross-border PI processing. At the very least, the rules should include the following clarifications:
- The basic situation of cross-border processing of PI, including the amount and scope of PI that will be processed, the type and sensitivity level of the PI being processed, and so on
- The purpose of processing the PI and the method for and scope of the cross-border processing of PI
- The duration that the PI will be stored overseas, including a start and end date, and details on how the PI will be processed after this duration has ended
- The countries or regions to which the PI will be transferred
- The resources and measures needed to protect the rights and interests of PI subjects
- The rules on compensation for and handling of PI security incidents
PI Protection Impact Assessment
The PI protection agencies that PI processors and overseas recipients are required to set up (see above) must also produce an impact assessment report for cross-border PI processing activities. The report should, at the very least, contain the following information:
- The legality, legitimacy, and necessity of the purpose for the cross-border PI processing, the scope of and method for processing the PI
- The scale, scope, type, and sensitivity level of the PI being processed, the frequency of cross-border PI processing activity, and the risks that this activity may pose to the rights and interests of the PI subjects
- The responsibilities and obligations promised by the overseas recipient, and whether their management, technical measures, and capabilities are sufficient to fulfill their responsibilities and obligations to guarantee the security of the cross-border PI processing activity
- Risks of leakage, damage, tampering, abuse, and other violations or breaches during the cross-border processing of PI and whether there are unobstructed channels for individuals to protect their rights and interests
- The impact that the PI protection policies and regulations of the country or region where the overseas recipient is located may have on the recipient’s ability to fulfill its obligations to protect the PI and the rights and interests of the PI subjects. This may include (but is not limited to):
  - The overseas recipient’s previous experience in the cross-border transmission and processing of PI, whether any data security incidents have occurred under its authority, whether those incidents were handled in a timely and effective manner, and whether it has ever received a request from a public authority in its country or region to provide PI, and how it responded to that request
  - The current laws and regulations on PI protection in the country or region in which the overseas recipient is located, the generally applicable standards, and how these differ from the relevant laws, regulations, and standards on PI protection in China
  - Any regional or global PI protection organizations that the country or region in which the overseas recipient is located has joined, and the binding international commitments it has made
  - The PI protection mechanisms that the country or region in which the overseas recipient is located has implemented, such as whether there are supervisory and law enforcement agencies and relevant judicial agencies for PI protection
  - Other matters that may affect the security of the cross-border PI processing activity
The Rights of PI Subjects
The Security Certification Specifications require PI processors and overseas recipients of PI to recognize the rights of the individual (the PI subject) regarding the cross-border processing of their PI. They also require them to provide the conditions and mechanisms for PI subjects to exercise those rights.
These rights are in line with the articles of Chapter IV of the PIPL on “the rights of individuals in the processing of personal information.” They are as follows:
- The PI subject must be a third-party beneficiary in a legally binding document signed by the PI processor and the overseas recipient, and has the right to require the PI processor and the overseas recipient to provide a copy of the part of the legal text that involves their rights and interests, and assert their rights to the PI processors and overseas recipients
- The PI subject has the right to know about and decide on the processing of their PI, to limit or refuse its processing by others, to consult, copy, correct, supplement, or delete their PI, and to withdraw consent to the cross-border processing of their PI
- When exercising the above rights, the PI subject may request that the PI processor take appropriate measures to give effect to them, or may submit a request directly to the overseas recipient. If the PI processor cannot give effect to a request itself, it should notify the overseas recipient and ask it to assist. PI subjects also have the right to request that PI processors and overseas recipients explain their rules for the cross-border processing of PI
- The PI subject has the right to reject any decision to engage in cross-border processing of their PI made by the PI processor through an automated decision-making process
- The PI subject has the right to complain and report any illegal cross-border PI processing to the department responsible for protecting PI in China
- When a PI subject’s rights and interests are violated, they have the right to claim compensation from either the PI processor or the overseas recipient
- PI subjects have the right to file judicial proceedings with a competent court against PI processors and overseas recipients who carry out cross-border PI processing activities in accordance with the Civil Procedure Law of the People’s Republic of China
- Other rights stipulated by laws and administrative regulations
The Impact of the Security Certification Specifications on Businesses
Most of the requirements and information outlined in the Security Certification Specifications are based upon existing requirements stipulated in previous laws and regulations. Most businesses that have been building up their PI and data compliance capabilities in China will therefore be familiar with many of these obligations.
However, the Specifications do provide a useful framework for companies on the obligations that apply specifically to the cross-border processing of PI, as opposed to other PI and data protection obligations (such as the processing of PI within China), as well as on the responsibilities of their overseas partners. They also provide concrete guidelines for certification agencies and other stakeholders, helping to ensure that all parties are on the same page regarding their respective obligations.
At the same time, China’s cybersecurity and market standards authorities have not yet released a list of the certification agencies that are authorized to carry out certification procedures, nor have they issued specific guidelines on how the certification agencies are required to carry out the certification. More clarity is needed on how the agencies will conduct certification to ensure that both the agencies and the companies seeking certification comply with all the regulations.
China’s PI and data security regulations are relatively complex and are developing very quickly. This is particularly true for the cross-border transfer and processing of data, which is a considerable headache for foreign companies and multinationals in China.