On 24 June 2022, China's National Information Security Standardization Technical Committee (TC260) released the Practice Guide for Cybersecurity Standards – Security Certification Specification for Cross-Border Processing Activities of Personal Information (网络安全标准实践指南—个人信息跨境处理活动安全认证规范, "Certification Specification"), which took effect immediately. The Certification Specification provides a basis for the implementation of personal information protection certification, which is one of the four cross-border transfer mechanisms permitted under Article 38 of China's Personal Information Protection Law ("PIPL").
Scope of Application. The security certification does not apply to all types of cross-border transfer of personal information. Instead, it applies only to (i) intra-group personal information processing activities within one multinational company, between subsidiaries of one business entity, or between affiliates; and (ii) offshore processing activities subject to the extra-territorial jurisdiction of the PIPL (paragraph 2 of Article 3 of the PIPL).
Applicant for Certification. The Chinese entity involved in intra-group cross-border processing, or the domestic institution or the representative established or appointed by the offshore personal information processor as required by the PIPL, may apply for the certification and will be liable for the relevant cross-border transfer activities.
Criteria of Certification. The Certification Specification sets out the basic requirements for the following criteria for granting the certification:
- Binding agreements between the exporters and importers of personal information;
- Appointment of a data protection officer, establishment of a data protection organisation and compliance with the rules for cross-border processing of personal information;
- Data protection impact assessments; and
- Data subject rights and responsibilities of data exporters and data importers.