China has a large, booming global economy. Consequently, it tends to pull huge flocks of foreign investors and companies from across the globe. However, the stringent data protection and cross-border data transfer laws have always made foreign businesses struggle to abide by the ever-complex and strict laws.
The revised Security Certification Guidelines V2.0 bring much-needed good news for international businesses. The revised guidelines provide clear instructions and processes for transferring data outside the People’s Republic of China via the Certification mechanism.
Version 2 of the Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Security Certification Guidelines) was promulgated by China’s National Information Security Standardisation Technical Committee (NISSTC) on December 16, 2022. The revised Guidelines provide improved clarity and extended scope of application to the Certification mechanism practices and requirements.
Read on as we provide you with a recap of version 1 of the guidelines and the notable highlights from the revised version.
On June 24, 2022, NISSTC issued Version 1 of the Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Cross-border Certification Guidelines). The guidelines set out the scope of PI processing and cross-border data transfer, along with three different mechanisms for the transfer: Security Assessment, Certification, and China Standard Contractual Clauses (SCCs). However, these earlier guidelines were limited in scope and somewhat ambiguous in their description.
For instance, Guidelines V1.0 had a fairly limited scope of application in that the cross-border transfer was restricted to intra-group transfers. Intra-group data transfer means those data transactions made between group undertakings, subsidiaries, or affiliated companies. It further included foreign PI processors that collect Personal Information (PI) directly from individuals living in the People’s Republic of China (PRC).
Similarly, the Guidelines V1.0 also required both the Data Controller and Foreign Processor to appoint a Data Protection Officer (DPO) and establish a data protection department. But the guidelines were ambiguous with regard to the responsibilities of the DPO or the department.
The Certification Guidelines V2.0 clarified the ambiguities in version 1.0, providing a better understanding of the scope, requirements, and best practices of cross-border data transfers outside the PRC.
It is to be noted that the Certification mechanism isn’t a must for cross-border transfers but a voluntary undertaking. The state, however, expressly encourages personal information processors (“PI processors”) to use the transfer mechanism as it provides improved data governance and compliance practices.
As mentioned earlier, Guidelines V1.0 covered only group undertakings and foreign PI processors. Certification V2.0 now covers all types of cross-border data transfers, including transfers involving entities beyond group undertakings. However, it is critical to note that the guidelines further require the data exporter to have “normal operations” and “good credit and reputation”. The guidelines do not clarify what is meant by “good credit and reputation” or “normal operations”, but it is apparent that the data exporter must have a good standing in the industry to be eligible for the certification.
Multinational companies, as well as their subsidiaries and affiliates within the same business entity, can apply for the certification via their domestic party in order to conduct cross-border processing activities involving personal information. In doing so, the legal responsibility will be assumed by the domestic party. Additionally, PI processors outside of China, as defined in Article 3(2) of the Law of the People's Republic of China on the Protection of Personal Information (PIPL), can apply for certification through a specialized agency or designated representative in their territory and assume legal responsibility.
The Security Certification Guidelines V2.0 highlight six basic principles that PI processors should ensure:
The PI processor and the foreign recipient of the transferred data must follow the Certification Specifications requirements for the cross-border processing of personal information.
Legally binding agreements are the enforceable documents that both parties must sign and agree to make sure that they protect the legal rights and interests of the data subject. V2.0 of the Guidelines provides better clarity to the requirements by providing detailed information as to what to include in the legally binding agreements. The details required to be covered in these documents include the following:
Both parties are required to appoint a Data Protection Officer (DPO) and establish a data protection department. The officer’s and department’s jobs include ensuring compliance with personal data protection regulations. Such a person must have relevant data protection expertise and must be a member of the decision-making leadership of the organization. It is to be noted that the scope of these guidelines goes beyond the provisions provided under Article 52 of the PIPL. The Certification V2.0 goes a few steps further by providing the details regarding the duties of the department, such as:
PI processors and overseas recipients are required to establish PI protection agencies. These institutions are responsible for preventing unauthorized access, tampering, loss, etc., of the personal information and for fulfilling the following obligations relating to cross-border processing:
Both parties must mutually agree to establish and follow the same set of data protection rules for processing PI. At a minimum, the parties must further clarify the following details:
PI processors and foreign recipients must conduct a PI protection impact assessment (PIA). The PIA is a critical tool that organizations are often required by law to perform to reduce risks to personal information and demonstrate compliance. It is to be noted that the recommendation in the Certification Specifications is consistent with the PIA provision under the Personal Information Protection Law of the People's Republic of China (PIPL), which also requires PI processors to carry out such assessments. In any case, at a minimum, the assessment must cover the following details:
PI processors and overseas recipients must inform individuals of the basic details of cross-border personal information processing and obtain their consent. Overseas recipients must promptly inform PI processors and the certification body if they can no longer fulfill the certification requirements due to changes in their country or region's laws or policies.
Moreover, personal information must be processed across borders according to the agreed purpose, method, and protection measures without exceeding the agreed scope within the binding agreements.
The overseas recipients must not disclose personal information to third parties without meeting relevant Chinese laws and regulations on personal information protection. Personal information subjects have the right to access, copy, correct, supplement, or delete their personal information, and PI processors must respond to their requests in a timely manner and provide reasons for refusal. If the personal data subjects request a copy of the legally binding agreements outlining their rights and interests, then a copy must be provided.
PI processors must keep objective records of cross-border personal information processing for at least three years and provide relevant documents to Chinese authorities upon request. When facing difficulties in ensuring personal information security, PI processors must stop cross-border processing and notify the other party promptly.
If personal information is leaked, tampered with, or lost, the PI processor and recipient must promptly take remedial action, notify each other and report to the relevant department in China. They will also notify affected individuals as required by law, record all related facts, including the impact of the incident, and retain records of all remedial measures taken. The notification should address the following:
The foreign recipient's domestic legal responsibility bearer must enable data subjects to exercise their rights and assume corresponding civil legal responsibility for any damage caused by cross-border processing activities. Both PI processors and overseas recipients should agree to continuous supervision by certification bodies, cooperate with inspections, comply with measures or decisions, and provide written proof of necessary actions taken. Additionally, the overseas recipient must commit to complying with the laws and regulations of the PRC in relation to personal information protection and to applying them in disputes related to cross-border processing of personal information.
The Certification Specifications require both parties to honor data subject rights. These rights align with those set out in Chapter IV of the PIPL and in the SCC Regulations. Security Certification Guidelines V2.0 provide that the data subject is a third-party beneficiary who may request information from the PI processor and the overseas recipient, know his/her rights, and assert those rights in relation to the processing of personal data. In addition, the data subject has the following rights:
Whenever the data subject makes a request to exercise any right, the PI processor and the overseas recipient must take steps to honor such request. In case of any damage to the rights and interests of the individuals, they are entitled to get compensation from the PI processor or overseas recipient, or both.
The Security Certification Guidelines V2.0 provide a clearer and more standardized process for cross-border data transfers outside the PRC. They will allow businesses to navigate complex data protection laws, such as the PIPL and cross-border regulations, while ensuring enhanced data governance practices and demonstrating compliance. On 16th March 2023, TC260 requested comments on the Security Certification Guidelines. The consultation is open until 15 May 2023.