On 24 June 2022, the National Information Security Standardization Technical Committee in China officially released the Certification Requirements for Cross-border Transfer of Personal Information (hereinafter referred to as the Requirements). As a certification support to the Personal Information Protection Law (PIPL), the Requirements may improve the transfer efficiency for normal data processors (i.e. non-Critical Information Infrastructure Operators, non-major-processors) and ensure equal protection of the personal information transferred abroad.

The Requirements specify the application scenarios, certification subjects, basic principles, and the protection of the rights of personal information owners. Compared with the draft for comments previously issued in April 2022, the final version of the Requirements incorporates certain adjustments. Firstly, it specifies that the Requirements only apply to information processors and offshore receivers – which can be seen as a clarification of the term “stakeholders” originally included in the draft for comments. Secondly, the Requirements clearly state that applicants for the certification have to be in compliance with GB/T 35273 Information security technology – Personal information security specification. Thirdly, cross-border transfer activities among related entities are now included as one of the applicable scenarios of the Requirements, although the definition of ‘related entities’ is yet to be clarified. Fourthly, information owners enjoy the right to revoke their consent to the cross-border transfer of personal information. Fifthly, the final version introduces a new obligation for information processors and offshore receivers in case of incidents threatening the security of the information, i.e. they shall take immediate remedial action and inform the competent authorities where information leakage, tampering or loss has taken place or may possibly take place.

The following is a summary of the key points that foreign companies processing data must pay particular attention to:

  • Certification structure. The Requirements clearly specify the obligations of the two parties involved (i.e. personal information processors and offshore receivers). Apart from certifying the compliance of both parties, the certification process will also verify if both parties have signed a legally-binding agreement as well as their commitment to following the unified personal information cross-border processing rules. The certification can only be granted when both parties satisfy the requirements above.
  • Obligations. The foreign enterprise may take the role of either personal information processor or offshore receiver. Both have common obligations in terms of appointing a person or organization in charge of personal information protection, as well as protection of the owners’ rights. In addition, the personal information processor is required to consider the risks resulting from the cross-border transfer, and then carry out the personal information security impact assessment.
  • Voluntariness as a basic principle. One of the basic principles of the Requirements is the principle of voluntariness, which is in line with the initial intention of the Requirements, i.e. to encourage the relevant parties to carry out the certification so as to strengthen the role of certification in personal information protection, as well as to improve the efficiency and safety of cross-border personal information transfer.
  • Equal protection as a basic principle. The equal protection principle specifically states that the protection level in the transfer activities has to satisfy the relevant requirements and provisions of all legislation and regulations in the field of personal information protection, including but not limited to the Personal Information Protection Law (PIPL), Data Security Law,
  • Application scenarios. Two scenarios fall under the scope of application of the Requirements: (i) cross-border transfer of personal information among multinational companies, subsidiaries or affiliated companies of the same economic or business entity; (ii) personal information processing activities subject to the Second Paragraph of Article 3 of the PIPL regarding extraterritorial reach. According to Article 3, the PIPL also applies to information processors located outside of China that process the personal information of natural persons located within China for the purpose of providing products and services to natural persons located in China, analyzing or assessing the conduct of natural persons in China, or under any other circumstances provided by law or administrative regulation. Therefore, such information processors subject to Article 3 may also apply for the certification when they transfer personal information across the border or to another offshore company. In this case, they may establish a specialized organization or appoint a designated representative to apply for certification, and that organization or representative shall accordingly assume the obligations of the information processor in China.

In conclusion, foreign enterprises may be involved in the certification process as either information processors or offshore receivers. The difference between the two lies, firstly, in their obligations: data processors are required to carry out the security impact assessment while offshore receivers are not. Secondly, only data processors within the Chinese territory, or the domestic organization or representative appointed by foreign information processors subject to PIPL’s Article 3, can apply for the certification. Therefore, in normal circumstances, foreign enterprises are only required to fulfill the obligations of offshore receivers and, at the same time, sign a legally-binding agreement. Nevertheless, if foreign enterprises subject to PIPL’s Article 3 regarding extraterritorial reach intend to apply for the certification, their representative organization or representative shall assume the responsibilities of the information processor, i.e. applying for the certification and carrying out the security impact assessment, in addition to the tasks listed above.