On 16 December 2022, the National Information Security Standardization Technical Committee (TC260) released the new version of the Cybersecurity Standard Practice Guide – Security Certification Rules for Personal Information Cross-border Processing (Version 2.0) (hereinafter referred to as the Guide 2.0).

As a supplementary requirement for GB/T 35273 Information security technology—Personal information security specification, the Guide 2.0 further specifies the requirements for cross-border personal information (PI) processing activities in line with the Implementation Rules for Personal Information Protection Certification. Specifically, it elaborates on the basic principles and the basic PI protection requirements for processors and overseas recipients, so as to ensure the rights and interests of PI subjects. The aim is to provide guidance to PI processors in conducting PI transfer activities. The following is a summary of the major modifications introduced by the Guide 2.0 compared to the previous version.

Extension of the application scope of certification. The scope is extended to all PI cross-border processing activities, whereas previously it was limited to affiliated companies belonging to the same business group. As a result, the certification also becomes applicable to domestic companies whose cross-border PI processing activities involve overseas suppliers, based on the principle of ‘business association’ rather than ‘business ownership’.

Expansion of basic principles. There are still three basic principles, but their content has been expanded. Specifically:

  • ‘Openness and transparency’ basic principle. The Guide 2.0 requires that the name and contact information of overseas recipients be disclosed to the PI subject, together with information about the PI subjects’ rights and interests and the methods and procedures for claiming those rights.
  • ‘Same level of protection’ basic principle. It clarifies that the “personal information related laws and regulations” referred to in the previous version means the Personal Information Protection Law, which sets the level of protection.

Extra requirement for certification subjects. In the certification subject part, the Guide 2.0 adds a new requirement: certification subjects shall have legal person qualification and good reputation. Those not meeting these requirements cannot be considered certification subjects.

Enriched legally-binding documents. The provisions in this section have been further enriched with more detailed requirements. For instance, the second article states that the documents shall indicate not only the purpose, scope, and category of the cross-border PI processing, but also the level of sensitivity, quantity, methods, time length and places of storage. Overall, the number of articles increased from eight to eleven. The newly-added articles highlight the obligations and responsibilities of PI processors and overseas recipients, risk management measures and relevant technologies, the rights of PI subjects, the methods for claiming those rights, etc.

Extra requirements for PI protection bodies. This section adds three more requirements: the processing activities of the PI protection body, whether set up within Chinese territory or abroad, shall be continuously supervised by certification bodies; regular compliance auditing must be ensured; and effective protection measures must be in place.

Enriched requirement for PI security assessment. The assessment requirement is significantly enriched with specific articles, in line with the Personal Information Protection Law, GB/T 39335-2020 Information security technology—Guidance for personal information security impact assessment, GB/T 35273-2020 Information security technology—Personal information security specification, etc.

Enrichment of rights and interests of PI subjects. The most distinctive change is about the right of compensation. This newly-added right entitles the PI subject to have a compensation claim against both PI processors and overseas recipients, when their PI rights and interests are infringed.

Detailed responsibilities and obligations of PI processors and overseas recipients. The responsibilities and obligations are extended to 13 articles, outlining specific requirements for various situations. For instance, the Guide 2.0 introduces a requirement for overseas recipients to notify PI processors and the certification body of major regulatory changes in their countries or regions that may affect the obligations imposed by the certification process. Another requirement relates to the content of the report to be submitted to competent authorities in case of PI leakage, tampering or loss, which shall include details such as the cause, the categories of PI involved, potential risks, remedial measures adopted, measures that individuals can take, and the contact information of the responsible person or team.