China Rolls Out Personal Information Protection Certification Regime
On 18 November 2022, the State Administration for Market Regulation (“SAMR”) and the Cyberspace Administration of China (“CAC”) jointly issued an announcement to implement a personal information protection certification regime (“PI Protection Certification”) and published the implementing rules (“Certification Rules”). In this article, we highlight the key provisions of the Certification Rules and set out our observations.
BACKGROUND
China’s Cyber Security Law (“CSL”) provides that the government will promote certification, testing and risk assessment for cybersecurity. The Data Security Law (“DSL”) also states that the government will encourage data security assessment and certification services. In June 2022, SAMR and the CAC announced they would establish the regime for data security management certification and published relevant rules for establishing the regime.
Under the Personal Information Protection Law (“PIPL”), the CAC will coordinate the relevant ministries to support personal information protection assessment and certification services. In June 2022, the National Information Security Standardization Technical Committee (“TC260”) published the first version of the Guidance for Cross-border Personal Information Processing Activities (TC260-PG-20222A) (“PI Export Certification Guidance”), which was updated in December. The PI Protection Certification is a further move by the government to complete the certification regime for personal information protection.
KEY PROVISIONS AND OBSERVATIONS
I. Certification standards
Personal information processors1 (“PI Processors”) are required to comply with the Personal Information Security Specification (GB/T 35273) (“PI Specification”), which is a set of non-mandatory national standards on data protection originally published in 2017. The TC260 updated the PI Specification in March 2020 but there has been no further update since.
As the latest version of the PI Specification was released over a year before the PIPL was introduced, some of the provisions in the PI Specification are inconsistent with the PIPL, for instance, the scenarios where PI Processors could rely upon other legal bases rather than consent for processing of personal information (“PI”). Therefore, the current version of the PI Specification may not be suitable to provide the standards for the PI Protection Certification. Consequently, PI Processors that apply for certification run the risk of violating the PIPL.
The reference to PI Processors in the Certification Rules seems to suggest that an entrusted party defined in the PIPL as a party that processes PI on behalf of a PI Processor, will not be able to apply for the PI Protection Certification; further an applicant can only apply for PI Protection Certification in relation to the processing activities that the applicant itself has conducted in its capacity as a PI Processor. It is not clear whether this is the intention of the CAC.
The Certification Rules also require PI Processors that export personal information, to comply with the PI Export Certification Guidance, which therefore applies the Certification Rules to PI export certification as well.
II. Certification process
The certification process consists of four steps:
1. Application:
- the certification applicant will submit to the certification institutions the application materials that include the applicant’s basic information, certification engagement document, and
relevant supporting documents; - the certification institutions will review the application materials to determine whether the application is acceptable;
- if acceptable, the certification institutions will prepare and notify the applicant of the certification plan that covers the types and amount of PI, the scope of processing and information of technical verification institutions, which are supposed to conduct technical assessment of the applications;
2. Technical verification:
- the technical verification institutions will carry out technical verification according to the certification plan and issue relevant report(s);
3. Onsite inspection:
- the certification institution will inspect the applicant’s operations on site and issue relevant report(s);
4. Assessment and approval:
- the certification institution will issue a certificate to the applicant that meet the certification requirements or require rectification within a specified time limit. A failure to rectify within the specified time may result in a failed certification application.
The Certification Rules do not specify in detail what constitutes the application materials, what the certification plan is, or the scope of the technical verification and onsite inspection. The list of certification institutions and technical verification institutions are yet to be published.
Further, at the commencement of the application for certification the certification institutions are required to specify the time frame within which each of the above steps need to be completed. However, the Certification Rules do not provide guidance as to length of any time frame.
Once granted, the certification will be valid for three years. If the PI Processor wishes to renew the certification, it must apply within six months before the existing certification’s expiry. The certification institution will assess the application by way of post-certification supervision discussed below.
PI Processors must also apply for an update of its certification if its name or registered address, certification requirements or certification scope change. The certification institution will assess the application and may conduct a technical verification and/or onsite inspection if necessary.
III. Post-certification supervision
The certification institution is required to continuously supervise a PI Processor by conducting a “comprehensive assessment” on a periodical basis after a PI Processor receives its PI Protection Certification. PI Processors that fail to pass the assessment will have their certification suspended or withdrawn.
However, the Certification Rules do not specify the scope of the assessment for the post-certification process, in particular, whether it will involve ongoing technical verifications or onsite inspection.
CONCLUSION
The PI Protection Certification provides the PI Processors with a way to assess their own PI protection level with accreditation from independent third-party institutions. The Certifications Rules establish the framework of the certification regime but currently lack key details to ensure that the regime is workable. We expect further details when the implementing rules are published in 2023 to provide for such details.
