Draft Measures on Personal Information Protection Certification

2025-02-13



The Cyberspace Administration of China (CAC) recently released the draft Measures for Personal Information Protection Certification for Cross-border Transfer of Personal Information (the “Draft Certification Measures”) for public comment. The Draft Certification Measures aim to detail the certification requirements for cross-border personal information transfer and to regulate how personal information protection certification is carried out.


1. Background


(1) Personal information protection certification forms one of the legal bases for transferring personal information abroad.


China’s Personal Information Protection Law requires a processor to satisfy any one of the following conditions before transferring personal information abroad[1], in addition to obtaining the individual’s separate informed consent and conducting a prior personal information protection impact assessment:


  • a prior security assessment organized by CAC; or

  • certification of its personal information protection by a professional institution in accordance with the provisions of CAC; or

  • execution of a contract with the overseas recipient, based on the standard contract enacted by CAC, specifying the rights and obligations of both parties.




(2) Personal information protection certification certifies a processor’s personal information protection system.


On November 4, 2022, CAC and the State Administration for Market Regulation jointly issued the Implementation Rules of Personal Information Protection Certification (the “Certification Implementation Rules”), calling on processors to improve their personal information protection capability through such certification. Specifically, certification institutions certify a processor’s personal information protection system and mechanism and issue a PIP certificate or a PIPCB certificate (depending on the scope of the certification).


(3) The Certification Implementation Rules set forth high-level rules for certification of cross-border personal information transfer.


  • Personal information protection certification consists of technical verification, an onsite audit and ongoing supervision.

  • Certification institutions certify a processor’s personal information protection system and mechanism against the recommended national standard GB/T 35273 Information Security Technology - Personal Information Security Specification.

  • Where personal information is transferred abroad, the processor must additionally meet the requirements of TC260-PG-2022A Security Certification Rules of Personal Information Cross-border Processing Activities (V2.0-202212).


(4) The Draft Certification Measures further refine the requirements for cross-border personal information transfer outlined in the Certification Implementation Rules.


The Certification Implementation Rules cover certification of both regular personal information processing and cross-border transfer processing. In contrast, the Draft Certification Measures focus specifically on certification of cross-border transfer processing, and set out detailed requirements on the application scope, certification process, evaluation criteria and regulatory measures for cross-border personal information transfer.


2. Highlights of Draft Certification Measures


(1) Cross-border personal information transfer includes the following situations:


  • a personal information processor transmits overseas personal information collected or generated during its business operations within the territory of the Chinese Mainland;

  • an overseas entity, organization or individual is able to access, retrieve, download or export personal information that a personal information processor collected, generated and stores within the territory of the Chinese Mainland;

  • other forms of cross-border personal information transfer, including the processing, outside China, of the personal information of natural persons within China.


More importantly, a processor may apply for cross-border personal information transfer certification only if all of the following conditions are satisfied:


  • it is not a critical information infrastructure operator;

  • since January 1 of the current year, it has cumulatively transferred abroad the personal information of more than 100,000 but not more than 1,000,000 individuals, or the sensitive personal information of not more than 10,000 individuals; and

  • the personal information to be transferred abroad contains no important data.


(2) Personal information protection certification for cross-border personal information transfer is voluntary


Processors may apply for such certification voluntarily. An overseas processor may apply through the domestic agency or representative it designates.


(3) Certification institutions must make filings with CAC in order to carry out personal information protection certification


Currently, the China Cybersecurity Review Technology and Certification Center (CCRC) is the primary institution providing personal information protection certification services.


(4) Personal information protection certification for cross-border personal information transfer should certify the following:


  • the lawfulness, legitimacy and necessity of the purpose, scope and means of transferring personal information abroad;

  • the impact that the personal information protection policies and laws, and the network and data security environment, of the country or region of the overseas processor or overseas recipient may have on the security of the personal information transferred abroad;

  • whether the level of personal information protection of the overseas processor or overseas recipient meets the requirements of China’s laws, administrative regulations and mandatory national standards;

  • whether the personal information processor and the overseas recipient have clearly set out their respective personal information protection obligations in the legally binding document they are to conclude;

  • whether the organizational structures, management systems and technical measures of the personal information processor and the overseas recipient can sufficiently and effectively safeguard data security and the rights and interests of the individuals concerned;

  • other matters that the certification institution deems necessary pursuant to the relevant personal information protection certification standards.


3. Briefing on the Personal Information Protection Certification for Cross-border Personal Information Transfer


Generally speaking, any processor that intends to transfer personal information abroad may apply for such certification. Specifically, under the Security Certification Rules of Personal Information Cross-border Processing Activities, (1) for cross-border processing of personal information within a multinational company or corporate group, its Chinese subsidiary may apply for certification; and (2) an overseas processor may apply for certification through its designated domestic agency or representative[2].


Basic requirements for certifying personal information cross-border processing activities are summarized as below:


[Summary table of the basic requirements for certifying personal information cross-border processing activities; image not reproduced here]


4. Comparison between Personal Information Protection Certification and Standard Contract Clauses


Generally, a processor intending to transfer personal information abroad may choose either to apply for personal information protection certification or to conclude standard contract clauses with the overseas recipient, unless its transfer falls within the mandatory CAC-led security assessment. The chart below sets out the major differences between personal information protection certification and standard contract clauses:


[Comparison chart of personal information protection certification versus standard contract clauses; image not reproduced here]



【1】Activities or processors that fall within the exemptions issued by CAC are not required to complete a security assessment, personal information protection certification or standard contract clauses before transferring personal information out of China.

【2】Article 7 of the Draft Certification Measures provides that CAC, together with other governmental departments, will formulate the standards, technical rules, certification procedures and implementation measures relevant to personal information protection certification. It is therefore likely that the Security Certification Rules of Personal Information Cross-border Processing Activities will be superseded by those new standards, rules, procedures and measures once they are promulgated.

Contact Us

7F Wheelock Square, 1717 Nanjing West Road, Shanghai 200040, PRC
Phone: +86 21 6113 2988
Fax: +86 21 6113 2913
Email: hr@mhplawyer.com