After more than seven months since China’s Personal Information Protection Law (《个人信息保护法》, “PIPL”) went into effect, Chinese regulators have issued several new (draft) rules over the past few days to implement the cross-border data transfer requirements of the PIPL.  In particular, Article 38 of the PIPL sets out three legal mechanisms for lawful transfers of personal information outside of China, namely: (i) successful completion of a government-led security assessment, (ii) obtaining certification under a government-authorized certification scheme, or (iii) implementing a standard contract with the party(-ies) outside of China receiving the data.  The most recent developments in relation to these mechanisms concern the standard contract and certification.

Chinese Government Issues Draft SCCs

On June 30, 2022, the Cyberspace Administration of China (“CAC”) released draft Provisions on the Standard Contract for the Cross-border Transfers of Personal Information (《个人信息出境标准合同规定(征求意见稿)》, “Draft Provisions”) for public consultation.  The full text of the Draft Provisions can be found here (currently available only in Mandarin Chinese).  The public consultation will end on July 29, 2022.

Three takeaways from China’s draft standard contract:

  1. The release of the Draft Provisions marks a major step towards implementing the legal mechanisms for cross-border data transfers under the PIPL.  However, only companies that meet certain thresholds can rely on the standard contract to transfer personal information overseas.
  2. With the parties to the standard contract limited to a “personal information processing entity” (referenced hereinafter as “entity”, which is essentially equivalent to a “data controller” under the General Data Protection Regulation, “GDPR”) and the overseas data recipient, it seems that China’s standard contract could be applicable to (i) PRC controller to non-PRC controller, and (ii) PRC controller to non-PRC processor.  China-based entrusted parties (essentially equivalent to “data processors” under GDPR) appear to be unable to rely on this mechanism.
  3. The signed standard contract would need to be filed with the Chinese government.  It is unclear whether any redaction would be allowed.

Pursuant to Article 38 of the PIPL, the standard contract is one of the legal mechanisms that an entity may choose to implement to lawfully transfer personal information outside of China.

As set out in the Draft Provisions, a standard contract can be relied upon for cross-border transfers only if an entity can meet all of the following requirements:

  • it is not a Critical Information Infrastructure (CII) operator;
  • it processes the personal information of less than 1 million individuals;
  • it has transferred the personal information of less than 100,000 individuals on a cumulative basis since January 1 of the previous year; and
  • it has transferred the sensitive personal information of less than 10,000 individuals on a cumulative basis since January 1 of the previous year.

In other words, if an entity is required to undergo a CAC-led security assessment according to the draft Measures for the Security Assessment of Cross-border Data Transfers released by the CAC in October 2021, it will not be eligible to use the standard contract as a transfer mechanism.

Further, under the Draft Provisions, certain content needs to be specified in the standard contract, which is set out as a template standard contract attached to the Draft Provisions.  In an explanatory note, the CAC explains that the template contract is drafted based on the requirements set out in the Draft Provisions, and parties may negotiate additional provisions and attach them as an annex to the template contract.  It is unclear whether parties must use the template contract, and if so, whether parties may edit the terms in the main body of the template in addition to inserting additional terms in the template contract. 

Within 10 working days of the standard contract taking effect, an entity that implements it is required to submit a filing to the provincial branch of the CAC containing: (1) the standard contract; and (2) a report that includes the personal information protection impact assessment conducted with respect to the transfer, which is required to be carried out before transferring personal information overseas.

China Releases Final Certification Guidelines for Cross-Border Data Transfers

On June 24, 2022, following public consultation, China’s National Information Security Standardization Technical Committee (TC260) released the Practical Guidelines for Cybersecurity Standards – Specification for Security Certification of Cross-Border Processing of Personal Information (《网络安全标准实践指南—个人信息跨境处理活动安全认证规范》, “Certification Specification”), which takes effect immediately.  The full text can be found here (currently available only in Mandarin Chinese).

The Certification Specification is intended to provide a basis for the implementation of one of the personal information protection certification schemes under the PIPL, namely, the certification for processing activities involving certain cross-border data transfers. 

Under the Certification Specification, a certification can be obtained for the following cross-border processing activities:

  • cross-border processing of personal information among subsidiaries or affiliates of a multinational company or the same economic entity;
  • personal information processing activities covered by PIPL’s extraterritorial reach according to paragraph 2, Article 3 of the PIPL. 

An entity can apply for this certification when it complies with (i) the requirements under GB/T 35273 Information Security Technology – Personal Information Security Specification (《信息安全技术 个人信息安全规范》), a non-binding but highly influential national standard issued before the PIPL, for its in-country processing of data, and (ii) the requirements under the Certification Specification when it carries out cross-border processing activities.

It is unclear at this stage whether the certification can be relied upon as one of the valid transfer mechanisms under Article 38 of the PIPL.  The language of the first draft seemed to suggest that a certification obtained under the Certification Specification could serve as such a mechanism, but the reference to Article 38 was removed from the final version.  Consequently, it is unclear whether the regulators still intend to recognize the certification scheme as a valid transfer mechanism.

Finally, the Certification Specification is not a certification plan that lists all the relevant controls a certification body might review when a company applies for the certification.  Instead, it provides only a high-level description of the criteria that will likely be considered during the certification process.  Accordingly, and confusingly, the Certification Specification does not address a number of key issues typical of a certification of this sort, such as identifying qualified certification bodies or detailing how the certification process will be run by such certification bodies.

In many respects, the Certification Specification is comparable to the EU Binding Corporate Rules (“BCR”) under the GDPR.  For instance, both are intended for use by multinational companies and both set forth detailed information to be specified in a legally binding and enforceable agreement between/among the parties.  However, there are some noteworthy differences.  Notably, under the Chinese Certification Specification, the overseas recipient needs to promise to accept the supervision of the Chinese certification body and “accept the jurisdiction of the relevant Chinese laws and regulations on personal information protection”, while in the BCR, the EU party with delegated responsibilities commits to submit to the jurisdiction of the courts, or other competent authorities in the EU, in case of violation of the BCR by a non-EU party.

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Xuezi Dan

Xuezi Dan is an associate in the Beijing office of Covington and Burling LLP. Her practice focuses on data privacy and cybersecurity. Xuezi helps clients understand and navigate the increasingly complex privacy regulatory issues in China. She has worked closely with many leading international companies on matters ranging from cross-border data transfer, data localization, data protection program, and cybersecurity regulatory compliance.