Hello privacy pros! Greetings from Beijing.

I know in the past few weeks and months, many of you have been grappling with the fast-changing Chinese data law requirements — likely preparing the comprehensive documents and information for meeting the Cyberspace Administration of China submission deadline, while also digesting the new Chinese standard contractual clauses and figuring out how to address the challenge of synchronizing the Chinese and EU General Data Protection Regulation SCCs.

To add another layer of complication, on 16 March China’s National Information and Security Standardisation Technical Committee issued the consultation draft of a new set of TC260 industry standards titled "Information Security Technology — Certification Requirements for Cross-Border Transfer of Personal Information," with comments sought until 15 May.

These certification requirements are not mandatory but will act as best practices for organizations that wish to adopt the certification mechanism for transferring China-collected personal data outside the country. Professional certification institutions and Chinese regulators will also refer to these certification requirements when they perform certification services or supervise cross-border data transfers respectively.

Many provisions in the certification requirements repeat what has already been provided in the Personal Information Protection Law, the Measures for Security Assessment of Cross-Border Data Transfer and the Chinese SCC Regulations. In cross-border transfers by way of certification, data exporters are required to conduct data transfer impact assessments and prepare impact assessment reports. The data exporter and foreign data recipient must also enter into a data transfer agreement or other legally binding agreement to set out their respective obligations and liabilities and the rights to which data subjects are entitled, all similar to what is provided in the Chinese SCCs.

Compared to the CAC security assessment and Chinese SCCs, the certification mechanism seems to be the least established mechanism among the three major cross-border data transfer regimes in China. Finalizing and adopting the certification requirements will help fill in the gaps.

So far, only a few institutions have obtained the license to perform cross-border data certification. Once these certification requirements are finalized and adopted, more professional certification institutions will hopefully be licensed to perform cross-border data transfer certification services.

From the enforcement perspective, Chinese regulators remain active in overseeing and supervising data collection and processing activities in the Chinese market. Consumer Protection Day is 15 March. This year, the Shanghai CAC and Shanghai Consumer Protection Association jointly conducted investigations in the catering industry. Multiple well-known chain restaurants including Burger King, CoCo Tea, Bai Dai Dao and others were caught for noncompliant activities, including requesting consumers to place orders via mini program, excessively collecting consumers’ personal information beyond the necessary scope, repeatedly collecting geolocation information from consumers and collecting personal information not directly related to the services.

The authorities summoned the relevant companies to meetings and requested rectification within the prescribed period of time. This is a wake-up call: while using new technology such as mini programs can help save costs and improve operational efficiency, it is important to address data protection issues properly, to ensure compliance, avoid regulatory penalties and maintain consumers' trust.

Hope you enjoy this digest. Until next time.