Landmark Rules on Certification for Cross-Border Data Processing
In June 2022, the National Information Security Standardization Technical Committee of China (the “Committee") issued the Security Certification Specifications for Personal Information Cross-border Processing Activities (the “Rules"), a key milestone and the “next-step" legislative move following the Personal Information Protection Law of the People's Republic of China (the “PIPL") within the current cross-border data processing (“CDP") framework. The PIPL outlines four alternative legal mechanisms, described below, that allow a personal information processor to engage in CDP activities: (1) pass a required security assessment by the supervisory authority (the “Security Assessment"); (2) obtain certification from a specialized agency under applicable rules (the “Agency Certification"); (3) conclude a standard agreement with an overseas CDP recipient (the “Standard Agreement"); or (4) satisfy other conditions prescribed by applicable laws or administrative regulations or required by the Cyberspace Administration of China (the “CAC"). As the latest legislative development in the area of CDP, the Rules establish detailed requirements that make the Agency Certification mechanism under the PIPL operable.
1. Structure of the Rules
The Rules contain the following chapters:
- Application Scope of the Rules;
- Subjects Eligible to Be Certified;
- Primary Principles;
- Essential Requirements; and
- Protection of Rights of Personal Information Subjects (“PIS").
Among these chapters, the application scope of the Rules, the subjects eligible to be certified, and the essential requirements present some innovative developments beyond the original CDP regime under the PIPL, so this paper takes a detailed look at them below. The remaining chapters are similar to the existing provisions of the PIPL and are introduced only briefly.
We hope that this paper will help you better understand the following issues covered by the Rules:
- What types of entities are eligible to utilize the Agency Certification mechanism for CDP?
- How do entities apply for Agency Certification?
- What are the key requirements that need close attention?
The Rules’ level of authority within the legislative system of PRC laws should also be noted. In the hierarchy of PRC laws, the Constitution of the PRC has the supreme authority; below it are laws promulgated by the National People's Congress (NPC) or its Standing Committee, such as the PIPL; then come administrative regulations or local regulations promulgated by the State Council or local authorities, which are subordinate to the Constitution and NPC laws; at the bottom of the hierarchy are national or industrial standards.
The Rules, currently a working document of the Committee, serve as practical guidance for businesses that are considering conducting CDP through Agency Certification. Although they have not been enacted as a law with superior authority, the Rules correspond to and originate from the statutory requirement for CDP contained in Article 38 of the PIPL, which, as mentioned above, has superior legal authority under the PRC legal system. Businesses pursuing good CDP practice therefore need a thorough understanding of the Rules.
2. What Do the Rules Apply to?
Under the Rules, Agency Certification is applicable to the following CDP activities:
- CDP activities carried out within a multinational corporation or among subsidiaries or affiliates of the same economic/institutional entity; or
- CDP activities as stipulated in Paragraph 2 of Article 3 of the PIPL[1].
3. Who Can Apply for Agency Certification?
The Rules specify two types of subjects eligible to apply for Agency Certification:
- Subject 1: For multinational corporations, or for subsidiaries or affiliates of the same economic/institutional entity, with a presence in the Chinese mainland, their Chinese entities can apply for Agency Certification and are accountable for any violation of PRC laws or regulations; or
- Subject 2: Entities conducting CDP activities under Paragraph 2 of Article 3 of the PIPL can set up a specialized agency or appoint a representative in the Chinese mainland to apply for Agency Certification, and that specialized agency or representative is liable for any violation of PRC laws or regulations.
Given the territorial reach of PRC law and the convenience of supervision, it is not surprising that, when CDP activities are conducted within a multinational corporation or an economic/institutional entity, its Chinese presence bears the burden of answering compliance inquiries and taking responsibility. For an entity conducting CDP activities under Paragraph 2 of Article 3 of the PIPL, the more cost-effective option for an overseas entity is to appoint a natural person as its representative. For example, where research information (specifically, personal information) is exchanged between a Chinese entity and a foreign one for an academic purpose, the foreign entity would find it financially unfeasible to set up a branch in the Chinese mainland solely to comply with the Rules, since a branch would only be worthwhile if it ran a business locally. Moreover, the Rules do not require the “representative" to be a PRC branch of the foreign entity. We therefore conclude that, for Subject 2, it is more practical to appoint a natural person with data compliance skills to apply for Agency Certification.
4. What Are the Primary Principles under the Rules?
The Rules set out the following six primary principles that should be followed when CDP activities are conducted under Agency Certification:
- Legality, propriety, necessity, and good faith;
- Openness and transparency;
- Ensuring information quality;
- Equal protection;
- Clear responsibility; and
- Voluntary certification.
These principles are the same as those required by the PIPL except for voluntary certification, under which applying for Agency Certification is recommended but not mandatory. We nevertheless suggest that businesses apply to be certified, since certification is more efficient and less risky than the other three mechanisms under the PIPL. Take the Security Assessment, for example: after the required documents are submitted, the assessment can take up to 60 business days to complete, and the supervisory authority may reject the application.
5. What Are the Essential Requirements under the Rules?
The Rules lay down four essential requirements for conducting CDP activities under Agency Certification. These requirements pertain to binding legal documents, organizational management, unified CDP rules, and the personal information protection impact assessment (“PIA"). Following is a summary of these requirements:
One observation about the essential requirements is worth sharing. The binding legal documents requirement has a long-arm jurisdictional effect: it requires overseas importers of personal information to be governed by applicable PRC laws and regulations and to accept supervision by the PRC certifying body.
6. How to Protect the Rights of PIS When Conducting CDP under the Agency Certification Mechanism?
The Rules emphasize the following two aspects in regard to protecting the rights of PIS:
- Entities conducting CDP activities and overseas importers of personal information shall protect PIS's right to know, right to decide, right to restrict or object to processing, right of access, and right of rectification and erasure, among others.
- Entities conducting CDP activities and overseas importers of personal information shall obtain separate consent from PIS before processing their personal information, respond when PIS exercise their legal rights, and cease CDP activities when the security of personal information cannot be ensured, among other obligations.
Compared with the PIPL, Chapter 5 (Protection of Rights of Personal Information Subjects) of the Rules raises no new topics worthy of discussion.
7. Major Uncertainties of the Rules
The Rules help multinational corporations and international collaborations understand how they can conduct lawful CDP under the Agency Certification mechanism. Several major uncertainties, however, remain unresolved, including but not limited to the following:
- First, the long-arm jurisdictional requirement may hinder international collaborations, as foreign entities may fear being fined by the PRC supervising authorities and be reluctant to enter into contracts with domestic corporations amid rapid changes in laws and regulations.
- Second, there is an inconsistency: the eligible-subject provision of the Rules allows a natural person in the Chinese mainland to be appointed as the representative accountable for CDP activities, but the binding legal documents requirement calls for clarification of which “organization" in the Chinese mainland should be accountable, which appears to rule out the natural-person option.
- Third, the PIPL provides four alternative mechanisms for CDP, but it is still not clear whether the certification approach preempts the requirements under the other mechanisms.
Conclusion
The Rules delineate the implementation details of the Agency Certification mechanism established in the PIPL and provide guidelines for how CDP activities can be conducted lawfully in the future. Entities planning to engage in CDP may begin preparing themselves in line with the Rules. We will continue to keep abreast of statutory developments in this area and share our thoughts on the newest advances.
[Note]