On Nov. 1, 2021, China’s Personal Information Protection Law took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However, due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with areas of the PIPL.

Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths) that must be met before a cross-border data transfer may occur. According to Article 38, entities may send personal data to foreign recipients by taking one of the following legal paths:

Legal Path 1 – Government security assessment: A security assessment organized by the national cyberspace authority has been passed by the entity in accordance with Article 40 of this law.

Legal Path 2 – Standard contract: A contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of both parties.

Legal Path 3 – Certification: The entity has acquired a certification of personal information protection by a professional certification institution in accordance with the regulations of the national cyberspace authority.

TC260 issues rules for Legal Path 3 (Certification)

On June 24, the National Information Security Standardization Technical Committee, also known as TC260, issued its “Technical Specifications for the Certification of Cross-Border Processing of Personal Information.” The specifications state the criteria that multinational corporations, overseas processors and other economic/business entities should meet to obtain certification as described in Article 38 of the PIPL (i.e., Legal Path 3). At a high level, TC260’s specifications seem to describe something like binding corporate rules under the EU General Data Protection Regulation.

Please note that the specifications are not compulsory. In other words, parties to cross-border personal information transfers can decide if they want to go through this path and obtain certification or go through other legal paths they think appropriate to legitimatize their cross-border data transfers. However, if they choose to put themselves under this certification regime, the rules under the specifications are binding on them and relevant certification institutions.

Applicability of the specifications

The specifications describe certification scenarios, certification applicants and those who should bear responsibility for cross-border personal information transfers. Within an MNC, one of its entities in China can apply for certification and undertake legal responsibility for the MNC’s global organization. For an overseas entity having an insubstantial presence in China, its specialized agency or designated representative in China can apply for certification and bear legal responsibility for the overseas entity.  

Legally binding documents

Parties to cross-border personal information processing activities must sign legally binding and enforceable documents to ensure that the rights and interests of individuals are fully protected. At a minimum, these legally binding documents should contain:

  1. The relevant parties involved in cross-border personal information processing.
  2. The purpose of cross-border personal information processing and the types and scope of personal information.
  3. Measures to protect the rights and interests of individuals.
  4. Undertakings by each party to comply with uniform personal information processing rules and ensure that the level of personal information protection is not lower than the standards stipulated by relevant Chinese laws and regulations on the protection of personal information.
  5. Undertakings to accept the supervision of certification bodies.
  6. Provisions stating that relevant Chinese laws and regulations on the protection of personal information govern the arrangements.
  7. Details of the organizational bodies that will bear legal responsibility within China.
  8. Provisions for compliance with other legal and regulatory obligations.

Uniform processing rules

Uniform processing rules, described in item above, must contain:

  • The particulars of cross-border personal information processing, including the type, sensitivity, quantity, etc., of personal information.
  • The purpose, method and scope of cross-border personal information processing.
  • The start and end time of overseas storage of personal information and the processing method after expiration.
  • Transit countries involved in cross-border personal information processing.
  • Resources and measures required to protect the rights and interests of individuals.
  • Rules for compensation and disposal of personal information security incidents.

Data protection officers

Both the data exporter and foreign data importer must appoint a person to take charge of personal information protection. The persons in charge must have relevant knowledge and experience and be a part of the decision-making level of their entity. Their duties include:

  • Clarifying organizational personal information protection objectives, basic requirements, work tasks and protection measures.
  • Ensuring the availability of human resources, financial support and materials for personal information protection within the organization.
  • Guiding and supporting relevant personnel in carrying out the organization’s personal information protection efforts and ensuring that personal information protection efforts achieve the expected goals.
  • Reporting to the organization’s leaders on personal information protection and promoting the continuous improvement of these efforts.

Personal information protection organization

Both the data exporter and foreign data importer should set up internal personal information protection organizations tasked with preventing “unauthorised access and leakage, falsification and loss of personal information” and undertake the following duties:

  • Formulate and implement plans for cross-border personal information processing.
  • Organize and carry out personal information protection impact assessments.
  • Supervise cross-border personal information transfers under rules agreed to by the relevant parties.
  • Accept and handle requests and complaints from data subjects.

Personal information protection impact assessments

In cross-border transfer scenarios, a personal information protection impact assessment must cover:

  1. Whether the provision of personal information to overseas countries complies with laws and administrative regulations.
  2. The impact on the rights and interests of individuals.
  3. The impact of the legal environment and network security environment of overseas countries and regions on the rights and interests of individuals.
  4. Other matters necessary to safeguard the rights and interests of personal information.

Items 2 and 4 above mirror the requirements of the PIPL, while items 1 and 3 are more specific to cross-border transfer impact assessments and suggest the need for specialized country-by-country transfer impact assessments similar to those used for GDPR purposes. For item 3, we note that the precise meanings of “legal environment” and “network security environment” are currently unclear.

Individual rights

Individuals have various rights over their personal information under the PIPL. Those rights include a right to access, right to correct, right to complete, right to erasure, right of portability and right to refuse processing. In addition to those rights, the specifications provide that individuals are beneficiaries of legally binding documents and have the right to request a copy of the relevant LBD provisions relating to their legal rights and interests.

Being a beneficiary to LBDs might, theoretically, increase the range of rights available to individuals beyond those found in the PIPL. This is especially so if MNCs operating in multiple jurisdictions take a unified highest standard approach to personal information protection at a global level.

The right to access relevant to LBD provisions raises issues from a confidentiality perspective. Thus, it would be wise to stipulate such matters in a standalone document to ensure disclosures to individuals remain appropriate.

The specifications also provide that individuals should be allowed to litigate in the Chinese courts of their habitual place of residence against the parties to the cross-border data transfers.

Obligations of the parties to cross-border data transfers

The provisions within the specifications on processor obligations generally reflect the terms of the PIPL. However, further requirements are imposed on parties to cross-border data transfers, including:

  • When situations arise where it is difficult to ensure the security of personal information transferred across borders, such processing must be “promptly terminated.”
  • The responsible party in China should compensate individuals for breaches arising in the context of cross-border data processing activities.
  • The parties to cross-border data transfer activities should undertake to follow Chinese data protection laws, accept their application and enforcement, and cooperate with Chinese regulators’ enforcement activities, such as answering their inquiries and accepting routine inspections.

Conclusions

The specifications make Legal Path 3 (Certification) of Article 38 of the PIPL possible — though not fully actionable, as China has not published a list of certification institutions to handle certification applications from entities. Nevertheless, the specifications provide a skeleton of the certification regime for cross-border data transfers. We believe that the Chinese authorities may issue regulations and TC260 may also issue further guidance to substantiate this certification regime.

It should be noted that, while an entity can choose between Legal Path 3 (Certification) and Legal Path 2 (Standard Contract) to legitimatize its cross-border data transfers, Legal Path 1 (Government Security Assessment) is not optional  — as long as statutory triggers exist, an entity will have to participate in a security assessment by the Cyberspace Administration of China.

At this stage, it is difficult to forecast if the certification path would be more popular than the standard contract path. In addition to signing a cross-border data transfer contract, the specifications essentially require that both the data exporter and the overseas data recipients are subject to a set of unified data protection rules that align with Chinese laws and are subject to Chinese regulators’ supervision. We believe the compliance efforts would be more costly than simply signing the standard contract. However, it is possible this certification path might be welcomed by some companies who see certification as a type of status or quality mark to signal to consumers that their personal information will be protected to higher standards.

As cross-border data transfers are a rapidly developing area of law, MNCs and overseas processors processing the personal information of people in China are advised to monitor developments in this area closely.