On 18 November 2022, the Cyberspace Administration of China and the State Administration for Market Regulation released the Implementation Rules for Personal Information Protection Certification (hereinafter referred to as the “Certification Rules”). It is a supporting document for the implementation of the Personal Information Protection Law, which allows certification schemes as one of the main methods for the cross-border transfer of personal information (PI). The purpose is to increase the obligations of PI processors and promote the rational use and transfer of PI. Generally, the Certification Rules set clear requirements and procedures for applicants and certification bodies.

The Certification Rules consist of seven parts, including application scope, standards basis, certification modes, certification procedures, certificates and marks, and responsibilities. In particular, the certification is based on the standards GB/T 35273 Information security technology—Personal information security specification, for domestic information processors, and TC260-PG-20222A Security Certification Specification for cross-border personal information processing activities. The former, GB/T 35273, serves as the fundamental requirement, while the latter, TC260-PG-20222A, focuses on the requirements for outbound PI transfer. Thus, outbound PI transfer activities need to meet both standards if the relevant processors intend to apply for the certification scheme. In addition, the certification mark granted upon completion of the certification differs depending on whether the PI processing activity involves cross-border PI transfer: “PIP CB” if it does, and “PIP” if it does not.

The latest version of GB/T 35273 was released in 2020. It emphasises the protection of the rights of individuals, outlines terms, definitions and basic principles, and explicitly elaborates the requirements for PI processing in different situations, the response to security incidents, as well as the management obligations for relevant organisations. As to TC260-PG-20222A, the latest version (Version 2.0) was issued on 6 December 2022. Compared to the previous version, it makes adjustments to cross-border data transfer agreements and PI protection impact assessment, in line with the Measures for the Security Assessment of Cross-border Data Transfer and the Standard Contracts Provisions for Cross-border Transfers of Personal Information (draft for comments).

In short, the release of the Certification Rules completes the PI protection certification scheme, by clarifying the requirements and procedures for certification. Once the list of certification bodies is approved and released, certification activities will then be formally launched. Foreign companies are advised to closely monitor these developments for cross-border data transfer, and adjust accordingly, as the new rules are being gradually but effectively implemented.