After more than seven months since China’s Personal Information Protection Law (《个人信息保护法》, “PIPL”) went into effect, Chinese regulators have issued several new (draft) rules over the past few days to implement the cross-border data transfer requirements of the PIPL. In particular, Article 38 of the PIPL sets out three legal mechanisms for lawful transfers of personal information outside of China, namely: (i) successful completion of a government-led security assessment, (ii) obtaining certification under a government-authorized certification scheme, or (iii) implementing a standard contract with the party(-ies) outside of China receiving the data. The most recent developments in relation to these mechanisms concern the standard contract and certification.
Chinese Government Issues Draft SCCs
On June 30, 2022, the Cyberspace Administration of China (“CAC”) released draft Provisions on the Standard Contract for the Cross-border Transfers of Personal Information (《个人信息出境标准合同规定(征求意见稿)》, “Draft Provisions”) for public consultation. The full text of the Draft Provisions can be found here (currently available only in Mandarin Chinese). The public consultation will end on July 29, 2022.
Three takeaways from China’s draft standard contract:
- The release of the Draft Provisions marks a major step towards implementing the legal mechanisms for cross-border data transfers under the PIPL. However, only companies that meet certain thresholds can rely on the standard contract to transfer personal information overseas.
- With the parties to the standard contract limited to a “personal information processing entity” (referenced hereinafter as “entity”, which is essentially equivalent to a “data controller” under the General Data Protection Regulation, “GDPR”) and the overseas data recipient, it seems that China’s standard contract could be applicable to (i) PRC controller to non-PRC controller, and (ii) PRC controller to non-PRC processor. China-based entrusted parties (essentially equivalent to “data processors” under GDPR) appear to be unable to rely on this mechanism.
- The signed standard contract would need to be filed with Chinese government. It is unclear whether any redaction would be allowed.
Pursuant to Article 38 of the PIPL, the standard contract is one of the legal mechanisms that an entity may choose to implement to lawfully transfer personal information outside of China.
As set out in the Draft Provisions, a standard contract can be relied upon for cross-border transfers only if an entity can meet all of the following requirements:
- it is not a Critical Information Infrastructure (CII) operator;
- it processes the personal information of less than 1 million individuals;
- it has transferred the personal information of less than 100,000 individuals on a cumulative basis since January 1 of the previous year; and
- it has transferred the sensitive personal information of less than 10,000 individuals on a cumulative basis since January 1 of the previous year.
In other words, if an entity is required to undergo a CAC-led security assessment according to the draft Measures for the Security Assessment of Cross-border Data Transfers released by the CAC in October 2021, it will not be eligible to use the standard contract as a transfer mechanism.
Further, under the Draft Provisions, certain content needs to be specified in the standard contract, which is set out as a template standard contract attached to the Draft Provisions. In an explanatory note, the CAC explains that the template contract is drafted based on the requirements set out in the Draft Provisions, and parties may negotiate additional provisions and attach them as an annex to the template contract. It is unclear whether parties must use the template contract, and if so, whether parties may edit the terms in the main body of the template in addition to inserting additional terms in the template contract.
Within 10 working days of the standard contract taking into effect, an entity that implements them is required to submit a file to the provincial branch of CAC containing: (1) the standard contract; and (2) a report that includes the personal information protection impact assessment conducted with respect to the transfer, which is required to be carried out before transferring personal information overseas.
China Releases Final Certification Guidelines for Cross-Border Data Transfers
On June 24, 2o22, following public consultation, China’s National Information Security Standardization Technical Committee (TC260) released the Practical Guidelines for Cybersecurity Standards –Specification for Security Certification of Cross-Border Processing of Personal Information (《网络安全标准实践指南—个人信息跨境处理活动安全认证规范》, “Certification Specification”), which takes effect immediately. The full text can be found here (currently available only in Mandarin Chinese).
The Certification Specification is intended to provide a basis for the implementation of one of the personal information protection certification schemes under the PIPL, namely, the certification for processing activities involving certain cross-border data transfers.
Under the Certification Specification, a certification can be obtained for the following cross-border processing activities:
- cross-border processing of personal information among subsidiaries or affiliates of a multinational company or the same economic entity;
- personal information processing activities covered by PIPL’s extraterritorial reach according to paragraph 2, Article 3 of the PIPL.
An entity can apply for this certification when it complies with (i) the requirements under the GB/T 35273 Information Security Technology – Personal Information Security Specification (《信息安全技术 个人信息安全规范》), which is a non-binding but highly influential national standard issued pre-PIPL, for their in-country processing of data, and (ii) the requirements under the Certification Specification when it carries out cross-border processing activities.
It is unclear at this stage whether the certification can be relied upon as one of the valid transfer mechanisms under Article 38 of the PIPL. The language of the first draft seems to suggest that a certification obtained under the Certification Specification can be applied as such, but the reference to Article 38 was removed from the final draft. Consequently, it is unclear whether the regulators still intend to acknowledge the certification scheme as a valid transfer mechanism, or not.
Finally, the Certification Specification is not a certification plan that lists all the relevant controls a certification body might review when a company applies for the certification. Instead, it provides only a high-level description of the criteria that will likely be considered during the certification process. Accordingly, and confusingly, the Certification Specification does not address a number of key issues typical of a certification of this sort, such as identifying qualified certification bodies or detailing how the certification process will be run by such certification bodies.
In many respects, the Certification Specification is comparable to the EU Binding Corporate Rules (“BCR”) under the GDPR. For instance, both are intended for use by multinational companies and both set forth detailed information to be specified in a legally binding and enforceable agreement between/among the parties. However, there are some noteworthy differences. Notably, under the Chinese Certification Specification, the overseas recipient needs to promise to accept the supervision of the Chinese certification body and “accept the jurisdiction of the relevant Chinese laws and regulations on personal information protection”, while in the BCR, the EU party with delegated responsibilities commits to submit to the jurisdiction of the courts, or other competent authorities in the EU, in case of violation of the BCR by a non-EU party.