August 2022
Joyce Wen and Teresa Huang
Article 38 of the Personal Information Protection Law of the People’s Republic of China (hereinafter, the “Law”), which came into effect on November 1, 2021, provides for four ways in which personal information can be legally exported. One of the ways is “personal information protection certification by a professional institution in accordance with the provisions of the national cyberspace administration authority.” On June 24, 2022, the National Information Security Standardization Technical Committee issued the Cybersecurity Practices Guidelines-Technical Specifications for Certification of Cross-border Personal Information Processing Activities (hereinafter, the “Specifications”), which provide certification basis for the personal information protection certification system established in the Law, so that the certification system of cross-border transmission of personal information has rules to follow.
The Specifications specifies the circumstances under which information certification applies. Information certification is voluntary, and the circumstances in which it applies include the cross-border processing of personal information within a multinational company or subsidiaries of the same economic or business entity or the affiliated companies, as well as the processing of personal information of domestic natural person outside the country by overseas personal information processors as stipulated in Article 3, Paragraph 2 of the Law. The certification of cross-border processing activities of personal information between affiliated companies is a circumstance newly indicated in this Specifications, which will greatly expand the scope of certification applicable to cross-border processing activities of personal information.
The Specifications provides for the information certification entities. For cross-border processing activities of personal information within a multinational company or subsidiaries of the same economic or business entity or the affiliated companies, the domestic party shall apply for certification, while for the activities of overseas personal information processors handling personal information of domestic natural person overseas as stipulated in Article 3, Paragraph 2 of the Law, the dedicated agency or designated representative set up domestically by the overseas organization shall be the application entity.
The Specifications follows the protection of the rights and interests of personal information subjects by the Law, and defines the rights of personal information subjects to know, decide, consult, copy, supplement, delete and so on. Further, by comparing with the previous draft, the right of withdrawal is newly added, i.e. the personal information subject may withdraw its consent to the cross-border processing of personal information. According to Article 15 of the Law, the withdrawal of an individual’s consent does not affect the effectiveness of the personal information processing activities that have been carried out based on the individual’s consent before the withdrawal. In addition, the personal information subject has a right to file a judicial lawsuit against the processor and overseas receiver who carry out cross-border processing activities of personal information in the court where his/her habitual residence is located.
The Specifications expands the “equal protection principle” to be followed in the transmission of personal information under the Law. Article 38 of the Law stipulates that personal information processors should take necessary measures to ensure that the activities of overseas recipients in processing personal information meet the personal information protection standards specified in this Law. In the Specifications, the provision of the “equal protection principle” is “to ensure that the cross-border processing of personal information meets the personal information protection standards specified in the relevant laws and regulations of the People’s Republic of China on personal information protection”. From the wording of the two provisions, it is obvious that the Specifications expands the standard of equal protection. Certification should not only comply with the provisions of the Law, but also comply with the laws and administrative regulations related to the protection of personal information, such as the Data Security Law, Measures for Security Assessment of Cross-Border Data Transfer of Personal Information and Important Data to be issued in the future, and the Regulations on the Administration of Network Data Security.
In addition, the Specifications also stipulates the information certification requirements in various aspects, such as legal constraints, organizational management, cross-border processing rules, personal information protection impact assessment, and the responsibilities and obligations of relevant parties. The above certification requirements are basically consistent with the relevant provisions of the Law. In particular, it should be noted that a legally binding and enforceable document should be signed between the parties involved in the cross-border processing of personal information to ensure that the rights and interests of the personal information subjects can be fully protected.
The Specifications provides a certification basis for certification bodies to implement certification of cross-border personal information processing activities, and also provides a reference for personal information processors that conduct cross-border personal information processing activities. This has greater practical implications to the cross-border transmission of personal information by multinational companies. Although there are more explicit provisions than the previous draft of the Specifications, there is still no clear regulation on the specific certification bodies, the degree of information to be disclosed by companies applying for certification as well as the specific certification process. We are also looking forward to the subsequent introduction of detailed regulations to facilitate the true implementation of the certification system of cross-border personal information processing activities.