China Updates Certification Requirements for Personal Information Export

On 16 December 2022, the National Information Security Standardization Technical Committee (“TC260”) released the 2.0 version (“Updated Version”) of the Technical Specification for Certification of Personal Information Cross-border Processing (“Certification Specification”), less than six months after issuing the first version. In this article, we highlight the key changes in the Updated Version and set out our observations.

BACKGROUND

Certification is one of the two safeguards, to be released by the Cyberspace Administration of China (“CAC”), which personal information processors (“PI Processors”) [1] may adopt in order to export personal information under the Personal Information Protection Law (“PIPL”) if they do not reach the thresholds for a security assessment conducted by the CAC. The other safeguard is the standard data export contract (“Standard Contract”).

On 24 June 2022, the TC260 issued the first version of the Certification Specification, which was intended to provide guidance for implementing the certification regime, and it released a draft of the Updated Version on 8 November 2022. On 18 November 2022, the CAC and the State Administration for Market Regulation confirmed that the Certification Specification will be used as the standards for certification of cross-border data processing activities in the rules for personal information protection certification (for our comments on the rules, please click here). As low-level technical guidance, the rules fall short of the legal authority of national standards.

In our comments on the previous version of the Certification Specification (click here) and its consultation draft (click here), we raised some issues that need to be addressed. In this article, we will set out the key changes in the Updated Version and discuss whether any of the prior issues have been resolved or whether any new issues have emerged.

KEY CHANGES AND OBSERVATIONS

I. Who may apply?

Scope and extraterritorial effect

The Updated Version makes no amendment to the current scope of the Certification Specification, which applies to the following scenarios:

  • Scenario One: cross-border personal information processing activities among the subsidiaries and affiliates of a multinational company or an economic or public entity; and
  • Scenario Two: processing activities conducted by the overseas PI Processors that are subject only to the extra-territorial effect of the PIPL.

For the overseas PI Processors in Scenario Two, there do not appear to be enough benefits to justify their investment in attaining the certification. In addition to the cost of implementing such certification, the requirements under the Certification Specification will require the overseas PI Processors to adapt their existing intra-group transfer mechanisms and rules. In the absence of a clear indication that the CAC will prioritise such overseas PI Processors for enforcement actions, there seems to be a lack of incentive for the multinational companies and organisations to apply for the certification.

Implementation has also been made particularly difficult by the fact that most of the requirements of the Certification Regime cater to Scenario One only, which is not suitable for Scenario Two where there is no exporter at all.

Although it is provided that the local representatives appointed by the overseas PI Processors may apply on their behalf, this does not render the application any more practical. Whilst the regime for registering local representatives has yet to be established, such local representatives may also be reluctant to apply on behalf of the overseas PI Processors, as they may be held legally liable under the Certification Specification for all the materials they submit.

PI Processor as applicant

The Updated Version introduces the concept of the PI Processor, as defined under the PIPL, and makes it the eligible applicant for the certification. It goes further by requiring the PI Processor to have a legal personality, good reputation and credibility.

The Updated Version excludes from the scope the scenarios where the data exporter in China is an entity (“Entrusted Party”) that is entrusted by a PI Processor to process the personal information and cannot determine the purpose or means of the processing. It is common for a Chinese subsidiary of a multinational company to act as the Entrusted Party and export personal information to its overseas affiliates, who are PI Processors. In other words, the certification under the Updated Version does not cover all types of data exports from China, and the implications are that some multinational companies may need to adopt both the certification and the Standard Contract as safeguards for data exports, which would render the certification regime even less appealing for multinational companies.

In addition, the Updated Version excludes from the certification any organisations that are not legal persons, and therefore non-governmental organisations, representative offices and the like may not qualify as an applicant for the certification.

II. Enhanced requirements

The Updated Version adds more requirements for the applicants of the certification to comply with, and most of these requirements (including concepts) are lifted from the draft Standard Contract released by the CAC (for our comments on the Standard Contract, please click here).

In particular, the Updated Version:

  1. Requires the binding agreement between the data exporter and importer to set out the responsibilities and obligations of the parties, rights of the individuals and other common contractual clauses, such as remedies, termination, liability and dispute resolution;
  2. Extends the scope of duties of the personal information protection department in each of the data exporters and importers;
  3. Extends the scope of the personal information protection impact assessment (“PIPIA”) and sets out the key factors for assessing the personal information protection laws and practice of the jurisdictions where the data importers are located;
  4. Provides for the obligations of the exporters and importers to assist the individuals in exercising their rights and the rights of the individuals to seek remedies; and
  5. Provides for more obligations of the exporters and importers, such as the obligations to notify certification institutions of any material change of personal information protection laws, keep a record of data export activities and take specified measures after a data breach.

With so many elements of the draft Standard Contract incorporated into the Updated Version, the intention seems to be to bring the protection standards under the certification in line with those under the Standard Contract.

Whilst some commentators argue that the legal agreement under the certification does not need to be the same as the Standard Contract, it appears that participants in the certification will be subject to obligations equivalent to those under the Standard Contract in any case.

CONCLUSION

In light of the above, the certification regime, as revised by the Updated Version, does not seem to bring any apparent significant advantages over the Standard Contract. The enhanced requirements subject the multinational companies to a level of obligations equivalent to that found under the Standard Contract. In addition, the multinational companies will still need to conduct the PIPIA; establish a personal information protection department in each of the exporters and importers; enter into a set of binding corporate rules compliant with the Certification Specification; and go through the certification application process.

These requirements are far more onerous than those contemplated under the Standard Contract, and as a result the Updated Version may not be able to serve the purpose of facilitating data export within multinational companies and international organisations as expected. Multinational companies should assess the cost-efficiency of the certification regime over other safeguards for data export, especially the Standard Contract, before they proceed.



[1] A personal information processor is defined as an organisation or individual that independently determines the purposes and means of the processing under the PIPL.
