Jun 142022

Understanding China’s Data Regulatory Regime: China Solicits Public Comments on Certification Rules for Cross-Border Data Processing Activities

Lei Li and Lianying Wang
, ,

Certification by a professional institution is one of the mechanisms permitted under China’s Personal Information Protection Law (PIPL) to legitimize cross-border transfers of personal information. Other permitted mechanisms include governmental security review and standard contractual clauses to be issued by the Chinese government. However, to date, there have been no clear rules on the criteria and procedures for obtaining the PIPL certification.

On April 29, 2022, the National Information Security Standardization Technical Committee (known as “TC260”) published the draft Practical Guide to Cyber Security Standards – Technical Specification for Certification of Cross-Border Data Processing Activities (the Certification Rules) for public comment. The Certification Rules provide some potential clarity on the requirements that companies must follow in order to have their cross-border data processing activities certified (more details below), but also leave some important questions open, e.g., which professional institutions are authorized to issue certification.

Companies cannot obtain a certification at the moment; the certification option will only become available in practice after the Cyberspace Administration of China (CAC) finalizes the Certification Rules and designates the certification institutions. We expect that CAC will designate several institutions to issue certification in accordance with the Certification Rules. There is, however, no published timeline on when this will happen.

Application Scope
The Certification Rules would only apply to the following two situations:

  1. cross-border data processing activities within a multinational corporation or the same economic, business entity; and
  2. processing of Chinese individuals’ personal information by an overseas data controller which is subject to the exterritorial application of PIPL.

It is unclear what is meant exactly by “a multinational corporation or the same economic, business entity.” We expect that cross-border transfers of personal information among affiliated companies in one group can be certified in accordance with the proposed Certification Rules, although these companies may be independent legal persons or entities in different jurisdictions.

It seems that non-affiliated entities are excluded from the application scope of these proposed Certification Rules, although PIPL itself does not limit the certification mechanism to affiliated companies only.

General Principles
The proposal prescribes the following principles for certification of cross-border data processing activities:

  1. lawfulness, fairness, necessity and integrity;
  2. public disclosure and transparency;
  3. information quality;
  4. equal protection;
  5. accountability; and
  6. voluntary certification.

Certification Requirements
Cross-border data processing activities would be required to comply with a series of legal, contractual and organizational requirements in order to be certified in accordance with the Certification Rules. For example, the parties involved in the cross-border data processing activities would be required to:

  1. sign a legally binding and enforceable instrument, which shall include, among other requirements, the parties’ commitments to accept supervision from the certification institution, and to be governed by Chinese privacy laws and regulations;
  2. appoint a data protection officer who shall be a member of the decision-making body of the relevant party, and set up a data protection institution to handle data subject requests and monitor the cross-border data processing activities;
  3. formulate and adhere to a uniform set of data processing rules, which shall include:
    • mapping of the categories, sensitivity and amount of the personal information to be processed;
    • the purpose, method and scope of the cross-border data processing;
    • the period during which personal information will be stored outside of China and the measures to be taken when the storage period expires;
    • any transit country or region required by the cross-border data processing;
    • resources and measures required for protection of data subjects’ rights and interests; and
    • rules for compensation and handling of data security incidents;
  4. conduct data protection impact assessments;
  5. respect the following rights of data subject:
    • the right to be a third-party beneficiary of the parties’ agreement pertaining to protection of data subjects and to obtain a copy of the relevant provisions;
    • the right to make complaints and reports to the competent Chinese authorities;
    • the right to initiate lawsuits in Chinese courts against the relevant parties involved in the cross-border data processing; and
    • all other existing statutory rights under PIPL.

Our Observations
China’s regulatory regime for cross-border data transfers is still evolving. Compared with the other two transfer mechanisms under the Chinese data regime (i.e., governmental security review and standard contractual clauses), the certification route has received relatively less attention from international companies.

The proposed Certification Rules seem to have been specifically tailored to the needs of multinational companies and overseas data controllers, and provide an alternative to the standard contractual clauses route for companies that are not subject to a mandatory security review. There is no published timeline on when the Certification Rules will be finalized.  But, given the standard contractual clauses have not been published yet, it is possible that the Certification Rules may be finalized and take effect earlier. International companies may accordingly wish to keep a close watch on the development of this alternative data transfer mechanism.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Lei Li

Beijing, Shanghai

lei.li@sidley.com

Lianying Wang

Beijing

lianying.wang@sidley.com

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
EU Formally Adopts World’s First AI Law

On March 13, 2024, the European Parliament formally adopted the EU Artificial Intelligence Act (“AI Act”) with a large majority of 523-46 votes in favor of the legislation. The AI Act is the world’s first horizontal and standalone law governing AI, and a landmark piece of legislation for the EU.