According to Article 38 of the Personal Information Protection Law (“PIPL"), companies must meet one of the following criteria in order to transfer personal information of certain scale overseas:

1. Undergo a security review organized by the Cyberspace Administration of China (“CAC"), except where exempted in relevant laws and regulations; 

2. Undergo personal information protection certification by a professional institution in accordance with the regulations of the CAC; 

3. Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC; and

4. Meet other conditions set by the CAC or relevant laws and regulations,

whereas the scale of the personal information is not fully clarified in the current legislation yet.

The Certification Specification was formulated to specify the detailed guidance for the second criteria listed above, i.e., the personal information protection certification.

The Certification Specification provides that the certification mechanism applies to cross-border personal information transfers in the following scenario:

1. cross-border personal information processing activities among the subsidiaries and affiliates of a multinational company or an economic or public entity; and

2. processing activities that are subject to the extra-territorial effect of Article 3 of the PIPL, namely overseas companies aiming to provide services to natural persons in China or evaluate the activities of natural persons in China.

Scenario 1) relates to multinational company group; and Scenario 2) relates to foreign companies that providing services to natural persons in China.

It should be noted that the Certification Specification appears to expand the extra-territorial effect of the PIPL by requiring overseas data controllers providing services to natural person in China to comply with the certification mechanism. While according to Article 38 of PIPL, such certification may be applied only when the companies transfer personal information overseas.

However, given that the Certification Specification are silent on the threshold for the scale of personal information where a company shall apply for such certification, the actual implementation of the Certification Specification remains to be further clarified by the authority.

According to the Article 2 of the Certification Specification, the local representatives established or designated by overseas personal information processors can be apply for the certification, as mandated by Article 53 of the PIPL.

Article 2 further provides that the local representatives shall bear the legal responsibility accordingly. Nevertheless, the detailed requirements on the local representatives as well as what legal responsibility shall be borne are not yet clarified in the Certification Specification.

Article 3(f) of the Certification Specification further provides that “the certification of cross-border processing of personal information is a voluntary certification recommended by the state. Qualified data controllers and foreign recipients are encouraged to voluntarily apply for certification of cross-border processing of personal information when processing personal information across borders". 

In practice, most overseas data controllers are reluctant to voluntarily apply for certification and subject themselves to complex and costly compliance. Unfortunately, the Certification Specification failed to give further explanation on this nor the detailed procedures for the application of certification. Whether overseas data controllers will be required to apply for certification shall wait for further clarifications of the Certification Specification.

In addition, although the Certification Specification already came into effect, it does not provide information about which professional agencies are qualified to conduct the certification, nor how to apply for a certification.

The basic requirements under the Certification Specification generally align with those under the PIPL but more detailed, namely:

Data controllers and the foreign recipients of the personal information shall sign a legally binding agreement, which should specify at least the following:

1. the data controller and the foreign recipient;

2. the categories of personal information being transferred;

3. the purpose of processing;

4. the applicable measures to protect the rights and interests of data subjects;

5. the responsible party within China;

6. an obligation of the foreign recipient to comply with the data laws of China, acceptance of supervision by the certification body and acceptance of jurisdiction of relevant laws; and

7. other obligations stipulated by applicable laws and regulations.

The Certification Specification requires both the data controller and the foreign recipient to designate a data protection officer and establish a relevant department focusing on ensuring the fulfillment of requirements for protection of personal data security. This extends the present provisions of the PIPL and imposes an obligation on both the data controller and foreign recipient.

Moreover, data processors and foreign recipients must comply with the requirements on the cross-border personal information processing and data controllers are required to carry out data protection impact assessments in order to address the potential impact of changes in the foreign legal environment and cybersecurity environment on data subjects’ rights.

The Certification Specification provides more detailed guidance on the certification mechanism introduced by the PIPL, but many essential questions remain to be addressed. For instance, the Certification Specification are silent on the threshold for the scale of personal information, certification bodies in charge, and the certification procedures. 

In light of the above, data controllers and foreign recipients will have to wait for future enforcement actions and further clarifications of the Certification Specification, which will reveal whether overseas data controllers will be required to apply for certification and clarify further details in this regard.

On the other hand, the rapid finalization of the Certification Specification and the issuance of the finalized Security Assessment Measures (数据出境安全评估办法) and Standard Contracts for Cross-border Transfers of Personal Information (Draft for Comments) (个人信息出境标准合同规定（征求意见稿）) highlight the Chinese government’s recent focus on cross-border data transfers and imply that greater regulatory scrutiny is yet to come.

Given the questions left unanswered by the Certification Specification, data controllers and foreign recipients involved in cross-border personal information transfer activities should pay close attention to future developments in order to pre-empt any regulatory scrutiny.