The latest National Rules, the Safety Certification Specifications for Personal Information Cross-border Processing Activities (the "Rules"), mark a significant milestone as the "next-step" legislative action under the current cross-border data processing ("CDP") regime. The Personal Information Protection Law of the People's Republic of China ("PIPL") outlines four alternative legal mechanisms for CDP: (1) passing the required security assessment organized by the supervisory authority (the "Security Assessment"); (2) being certified by a specialized agency in accordance with applicable rules (the "Agency Certification"); (3) executing the standardized agreement with the overseas CDP recipient (the "Standardized Agreement"); or (4) satisfying other conditions prescribed by laws, regulations or the Cyberspace Administration of China. As the latest legislative development touching upon CDP, the Rules set out the detailed requirements for CDP under the PIPL as regards its Agency Certification mechanism.

  1. Structural Glance into the Rules

The National Information Security Standardization Technical Committee (the "Committee") released the Rules in June 2022. The Rules contain the following chapters:

  • Application scope of the Rules;
  • Certification Subjects;
  • Primary Principles;
  • Primary Requirements; and
  • Protection of the rights of the Personal Information Subjects ("PIS").

The chapters on the application scope of the Rules, the certification subjects and the primary requirements contain innovative or insightful developments beyond the original CDP regime of the PIPL, and are discussed thoroughly here. The remaining chapters largely mirror existing Articles of the PIPL and are only briefly introduced.

From our analysis, we hope you acquire certain clarifications on the following issues:

  • Under the Rules, what kinds of corporations can utilize the Agency Certification mechanism for CDP?
  • Under the Rules, how should a corporation apply for the Agency Certification?
  • Under the Rules, what are the key requirements you should pay close attention to?

The Rules' level of effectiveness within the PRC legislative regime should also be noted. Under the hierarchy of PRC laws, the Constitution of the PRC has the supreme legal authority; next come laws promulgated by the National People's Congress or its Standing Committee, such as the PIPL, whose legal authority is preceded only by the Constitution. Administrative regulations or local regulations promulgated by the State Council or local authorities rank below the Constitution and the laws. At the bottom of the hierarchy are the national or industrial standards.

The Rules are currently a working document of the National Information Security Standardization Technical Committee and serve as practical guidance for corporations considering CDP through the Agency Certification mechanism. Although the Rules have not been enacted as law with superior authority, they correspond to and originate from the statutory requirement for CDP already contained in Article 38 of the PIPL, which, as noted above, has superior legal authority under the PRC legal regime. Businesses seeking good CDP practice should therefore find a thorough comprehension of the Rules necessary.

  2. What Is the Application Scope of the Rules?

Under the Rules, the Agency Certification mechanism is applicable to the following CDP situations:

  • Situation 1: the Agency Certification mechanism applies to CDP activities carried out within a multinational corporation, within the same economic entity, or among the subsidiaries or affiliates of such entities; or
  • Situation 2: the Agency Certification mechanism applies to CDP activities as stipulated under Article 3, Clause 2 of the PIPL[1].

  3. Who Should Apply for Agency Certification?

The Rules specify two types of subjects that should apply for the certification when utilizing the Agency Certification mechanism:

  • Subject 1: For multinational corporations, the same economic entity, or the subsidiaries or affiliates of such entities that have a presence in the Chinese Mainland, their domestic entities can apply for the Agency Certification and will therefore be held accountable for violations of PRC laws or regulations; or
  • Subject 2: For entities conducting CDP activities under Article 3, Clause 2 of the PIPL, such entities can set up a specialized agency or appoint a representative within the Chinese Mainland to apply for the Agency Certification, and the specialized agency or representative will bear the liabilities for violations of PRC laws or regulations.

Considering the jurisdiction of the laws and the convenience of supervision, it is hardly surprising that when CDP activities occur within multinational corporations or economic entities, their domestic presence will bear the burden of answering compliance inquiries and taking responsibility. As for entities conducting CDP activities under Article 3, Clause 2 of the PIPL, the more economically practical way for an overseas corporation is to appoint a representative, who can be a natural person. For example, when exchanging research information (specifically, personal information) between domestic and foreign institutions for academic purposes, a foreign institution will hardly find it viable to set up a branch within the Chinese Mainland just to comply with the Rules, as opposed to doing so for the more profitable purpose of operating a local business. Moreover, the Rules do not require the "representative" to be a PRC branch of the foreign corporation or institution. We therefore conclude that for Subject 2, appointing a natural person with data compliance skills to apply for the Agency Certification is the more practicable option.

  4. What Are the Primary Principles Set under the Rules?

Six primary principles set under the Rules should be followed when conducting CDP under the Agency Certification mechanism:

  • the principle of legality, propriety, necessity, and good faith;
  • the principle of openness and transparency;
  • the principle of ensuring information quality;
  • the principle of equal protection;
  • the principle of clear responsibility; and
  • the principle of voluntary certification.

Most of these principles are the same as those required under the PIPL, with one exception: the principle of voluntary certification. Under this principle, applying for Agency Certification is recommended, not mandatory. We still recommend that corporations take advantage of this mechanism, since it is more efficient and less risky than the other three mechanisms under the PIPL. For example, after the required documents are submitted, the Security Assessment will take the Committee up to 60 business days to complete, and there is a chance that the Committee will not approve the application.

  5. How to Understand the Primary Requirements of the Rules?

The Rules raise four primary requirements for conducting CDP activities under the Agency Certification mechanism: the binding legal documents requirement, the organization management requirement, the unified CDP rules requirement, and the personal information protection impact assessment ("PIA") requirement. The content of the primary requirements is reorganized in the following chart, with each requirement listed together with the subjects it binds and its contents:

Requirement 1: binding legal documents requirement

Subjects bound by: entities conducting CDP activities and overseas personal information importers

Contents: Under this requirement, binding legal documents shall be executed between entities conducting CDP activities and overseas personal information importers, with at least the following contents included:

  • the binding legal documents shall specify all entities conducting CDP activities and all overseas personal information importers;
  • the binding legal documents shall clarify the purpose, the categories of personal information, and the scope of the CDP;
  • the binding legal documents shall clarify the measures taken to protect the rights and interests of personal information subjects;
  • under the binding legal documents, overseas personal information importers shall stipulate and conform to the unified CDP rules and ensure that the level of data protection each party provides will not fall below the protection level required by PRC laws and regulations;
  • under the binding legal documents, overseas personal information importers shall accept the supervision of the certifying authority;
  • under the binding legal documents, overseas personal information importers shall agree to be bound by applicable PRC laws and regulations; and
  • the binding legal documents shall clarify which entities within the PRC will be held accountable.

Requirement 2: organization management requirement

Subjects bound by: each of the entities conducting CDP activities and each overseas personal information importer

Contents: Under this requirement, the following organization management measures shall be taken by each entity conducting CDP activities and each overseas personal information importer:

  • every entity conducting CDP activities or overseas personal information importer shall appoint a person within its organization who will be responsible for personal information protection. Such a person shall hold the necessary personal information protection skills and experience and have decision-making power authorized by the organization; and
  • every entity conducting CDP activities or overseas personal information importer shall establish a specialized department responsible for 1) implementing a CDP plan in compliance with applicable laws and regulations; 2) organizing the PIA; 3) supervising its organization's conformity to the unified CDP rules; and 4) dealing with complaints filed by the PIS.

Requirement 3: unified CDP rules requirement

Subjects bound by: entities conducting CDP activities and overseas personal information importers

Contents: Entities conducting CDP activities and overseas personal information importers shall conform to the unified CDP rules, which shall at least include the following items:

  • the basic situation of the CDP, including the volume, scope, types and sensitivity level of the personal information involved;
  • the purpose, categories, and scope of the personal information processed;
  • the storage period, and how the information will be processed after that period expires;
  • the countries or regions through which the personal information will transit and to which it will be transferred;
  • the necessary resources and measures to be taken to protect the rights and interests of the PIS; and
  • the compensation rules and the procedure to follow when personal information security incidents occur.

Requirement 4: PIA requirement

Contents: Apart from the PIA requirement under the PIPL, the Rules specifically require that the assessment contain an evaluation of the foreign parties' national legal environment or their internet security level regarding personal information protection.

Two observations on the primary requirements are worth sharing. First, the binding legal documents requirement operates with a long-arm jurisdictional function, as it requires overseas personal information importers to be governed by applicable PRC laws and regulations and to accept supervision by the PRC certifying body. Second, the binding legal documents requirement probably sets out the road map for a PRC version of the Standard Contract Clause ("SCC") for CDP, as a counterpart to the GDPR SCC. Compared with the Rules, the latest 2021 SCC under the GDPR contains much more detailed modules and provisions adapted to different CDP situations, and the PRC version is expected to be developed in detail by future legislative actions.

  6. How to Protect the Rights of the PIS When Conducting CDP under the Agency Certification Mechanism?

The Rules emphasize two aspects of protecting the rights of the PIS:

  • entities conducting CDP activities and overseas personal information importers shall protect the PIS's right to be informed, right of decision, right to restrict or object to the processing, right of access, right to rectification and erasure, etc.; and
  • entities conducting CDP activities and overseas personal information importers shall take responsibility for acquiring the separate consent of the PIS before conducting CDP, be responsive when the PIS exercise their legal rights, abort the CDP activities when the security of the personal information cannot be ensured, etc.

This chapter of the Rules does not raise new topics worth discussing compared to the PIPL.

  7. The Major Uncertainties of the Rules

To give credit where credit is due, the Rules help multinational corporations and international collaborations get some clues as to how they can conduct lawful CDP under the Agency Certification mechanism. But major uncertainties are still left unresolved by the Rules, including but not limited to the following:

  • First, the long-arm jurisdictional requirement may impose setbacks on international collaborations, as foreign entities may fear being fined by the PRC supervising authorities and be reluctant to enter into contracts with domestic corporations, given the rapid changes in the laws and regulations.
  • Second, there is an inconsistency: the application scope of the Rules permits the appointment of a natural person in the Chinese Mainland to account for the CDP activities, but the binding legal documents requirement requires specifying which "organization" in the Chinese Mainland should be held accountable, which rules out the natural-person option.
  • Third, the PIPL specifies four alternative mechanisms for CDP, and it is still not clear whether the certification approach may preempt the requirements under the other mechanisms.

Conclusion

The Rules have delineated the implementation details of the Agency Certification mechanism under the PIPL, designated for corporations' future lawful CDP activities. Corporations or businesses that need CDP may prepare now in accordance with the Rules. We will continue to monitor and report on the latest statutory developments around the topic of cross-border data provision.

Footnote

[1] Article 3, Clause 2 of PIPL:

"This Law shall also apply to the processing of the personal information of natural persons within the territory of the People's Republic of China outside the territory of the People's Republic of China under any of the following circumstances:

(I) where the purpose is to provide domestic natural persons with products or services;

(II) where the activities of domestic natural persons are analyzed and evaluated; and

(III) other circumstances as prescribed by laws and administrative regulations."
