On 16 March 2023, the National Information Security Standardization Technical Committee released the draft national standard Information security technology – Certification requirements for cross-border transmission of personal information (draft for comment) (hereinafter referred to as the Standard). The channel for comment submission will close on 15 May. Although it is positioned as a nationally recommended standard, it provides a reference for enterprises carrying out certification of cross-border transfers of personal information and, more importantly, will support the Personal Information Protection Certification, one of the three solutions for protecting cross-border data transfers under the requirements stipulated by Chinese legislation.

The Standard was developed in parallel with the Cybersecurity Standard Practice Guide – Security Certification Rules for Personal Information Cross-border Processing (hereinafter referred to as the Practice Guide). The Practice Guide was developed by the same group of people, and its newest version was released on 16 December 2022. The current draft of the Standard was developed on the basis of feedback on the Practice Guide. Their contents are therefore almost the same, except that the Standard adds the concepts of “sensitive personal information” and “separate consent”. Also, the Standard does not specify the certification subject, because of controversies over the definition of cross-border activities that take place within transnational corporations, subsidiary corporations or associated companies of the same entity.

Specifically, the Standard sets out the basic principles and requirements for the cross-border transfer of personal information by personal information processors. It applies to certification bodies carrying out personal information protection certification, and can also be used for supervision, management and evaluation by competent authorities, third-party assessment agencies and other organizations. The overall framework and main contents of the Standard cover seven parts: the scope, normative reference documents, terms and definitions, abbreviations, basic principles, basic requirements (including legally binding agreements, organizational management, rules for cross-border processing of personal information, and impact assessment of personal information protection) and protection of the rights and interests of personal information subjects (including the rights of personal information subjects and the responsibilities and obligations of personal information processors and overseas recipients).

The Standard aims to ensure that the overseas recipient’s processing of personal information meets the level of protection stipulated by China’s Personal Information Protection Law and to facilitate mutual recognition with other countries. On the bright side, therefore, for foreign enterprises operating in China the release of the Standard might facilitate international recognition among different countries, especially considering that the Standard was developed with reference to the European approach (Binding Corporate Rules and Standard Contractual Clauses under the General Data Protection Regulation), the guidance and reports issued by the European Data Protection Board, and the certification rules of the APEC Cross-Border Privacy Rules system.

However, the very essence of the Standard is to ensure that the level of protection in personal information processing activities meets the requirements set by Chinese law. This means that the overseas recipient becomes subject to Chinese law indirectly, by signing a legally binding agreement with the domestic processor and by voluntarily accepting the certification requirements. Moreover, a series of articles added to the Standard may increase operating costs for both domestic processors and overseas recipients. For instance, the Standard requires both domestic processors and overseas recipients to establish personal information protection bodies, which may translate directly into costs in time and resources. Furthermore, to ensure that proper protection is in place, the Standard has expanded the requirements for legally binding documents, for the rights and interests of personal information subjects, and for the responsibilities of both personal information processors and overseas recipients. Therefore, a foreign entity that also operates in the US and the EU is advised to compare the Standard closely with its counterparts in the US and the EU (namely the BCR and SCC, as well as the CBPR) to further reduce overlapping costs. Additionally, as the Standard is at the call-for-comment stage, foreign entities may submit their comments.