Understanding the Revised China Cross-Border Certification Guidelines V2.0

China has a large, booming global economy. Consequently, it tends to pull huge flocks of foreign investors and companies from across the globe. However, the stringent data protection and cross-border data transfer laws have always made foreign businesses struggle to abide by the ever-complex and strict laws.

The revised Security Certification Guidelines V2.0 brings much-needed good news for international businesses. The revised guidelines provide clear instructions and processes for data transfer outside the People’s Republic of China via the Certification mechanism.

Version 2 of the Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Security Certification Guidelines) was promulgated by China’s National Information Security Standardisation Technical Committee (NISSTC) on December 16, 2022. The revised Guidelines provide improved clarity and extended scope of application to the Certification mechanism practices and requirements.

Read on as we provide you with a recap of version 1 of the guidelines and the notable highlights from the revised version.

Recap of the Security Certification Guidelines V1.0

On June 24, 2022, NISSTC issued the Version 1 of the Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Cross-border Certification Guidelines). The guidelines provided the scope of PI processing and cross-border data transfer, along with three different mechanisms for the transfer: Security Assessment, Certification, and China Standard Contractual Clauses (SCCs). However, these earlier guidelines were limited in scope and somewhat ambiguous in their description.

For instance, Guidelines V1.0 had a fairly limited scope of application in that the cross-border transfer was restricted to intra-group transfers. Intra-group data transfer means those data transactions made between group undertakings, subsidiaries, or affiliated companies. It further included foreign PI processors that collect Personal Information (PI) directly from individuals living in the People’s Republic of China (PRC).

Similarly, the Guidelines V1.0 also required both the Data Controller and Foreign Processor to appoint a Data Protection Officer (DPO) and establish a data protection department. But the guidelines were ambiguous with regard to the responsibilities of the DPO or the department.

The Certification Guidelines V2.0 clarified the ambiguities in version 1.0, providing a better understanding of the scope, requirements, and best practices of cross-border data transfers outside the PRC.

It is to be noted that the Certification mechanism isn’t a must for cross-border transfers but a voluntary undertaking. The state, however, expressly encourages personal information processors (“PI processors”) to use the transfer mechanism as it provides improved data governance and compliance practices.

Read more about Certification Specifications V1.0

Who Does the Certification Requirement Apply?

As mentioned earlier, Guidelines V1.0 covered only group undertakings and foreign PI processors. The V2.0 of the Certification now includes all types of cross-border data transfers, such as entities beyond group undertakings. However, it is critical to note that the law further requires the data exporter to have “normal operations” and “good credit and reputation”. The law doesn’t provide added clarity on what it means by “good credit and reputation” or “normal operations”, but it is apparent that the data exporter must have a good standing in the industry to be eligible for the certification.

Multinational companies, as well as their subsidiaries and affiliates within the same business entity, can apply for the certification via their domestic party in order to conduct cross-border processing activities involving personal information. In doing so, the legal responsibility will be assumed by the domestic party. Additionally, PI processors outside of China, as defined in Article 3(2) of the Law of the People's Republic of China on the Protection of Personal Information (PIPL), can apply for certification through a specialized agency or designated representative in their territory and assume legal responsibility. 

Principles under the Certification

The Security Specification Guidelines V.02 highlights six basic principles the PI processors should ensure:

1. Principles of Legality, Legitimacy, and Necessity: PI processors and overseas recipients must abide by the principles of legality, legitimacy, necessity, and good faith. This means following laws and agreements, using information only for agreed purposes with a minimal negative impact on individuals, and upholding commitments without harming their rights.
2. Principle of Openness and Transparency: PI processors and overseas recipients must follow the principle of openness and transparency. They should inform the individuals involved about the overseas recipient's name, contact information, purpose, scope, and procedures for processing their personal information, as well as their rights and how to exercise them. This ensures that the individuals understand the cross-border processing of their personal information.
3. Principle of Quality Assurance: PI processors and overseas recipients must ensure the accuracy and completeness of the information to prevent harm to individuals' rights and interests.
4. Principle of Equal Protection: Necessary measures must be taken to meet the standards of personal information protection and PI processors and overseas recipients must ensure the safety of personal information when handling it across borders and ensure compliance with PIPL and other regulations.
5. Principle of Clarity & Responsibility: PI processors and overseas recipients must uphold their legal and ethical responsibilities, safeguard subjects' rights and interests, and create a domestic institution that will be held legally accountable for any processing actions that jeopardize people's rights and interests.
6. Principle of Voluntary Certification: Encourage cross-border personal information processing companies to voluntarily register for personal information protection certification to increase security and boost productivity.

What Are the Revised Security Certification Specifications Requirements?

The PI processor and the foreign recipient of the transferred data must follow the Certification Specifications requirements for the cross-border processing of personal information.

Legally Binding Agreements

Legally binding agreements are the enforceable documents that both parties must sign and agree to make sure that they protect the legal rights and interests of the data subject. V2.0 of the Guidelines provides better clarity to the requirements by providing detailed information as to what to include in the legally binding agreements. The details required to be covered in these documents include the following:

• Both parties must include the basic contact details in the agreement, including but not limited to their contact details, names, addresses, and the details of the contact person, etc.
• The agreement must further include the scope of the processing of PI, the purpose for processing, the type of PI, the sensitivity level of PI, the volume of the PI, the method for processing, its retention period, storage geography, etc.
• The responsibilities of the parties and their obligations with regard to the technical and management measures to protect their PI against risks related to cross-border transfer and processing of PI.
• Information related to the rights of the data subjects and the methods they can exercise their rights.
• Provisions regarding the termination of the contract, breach of contract, its liability, dispute settlement, etc.
• The foreign recipient must undertake and agree to comply with the same level of PI protection rules as that of the PI standards and provisions provided under the various People’s Republic of China (PRC) laws and administrative regulations.
• The foreign recipient must agree to the continuous supervision of the Certification agency and comply with the relevant PRC laws and regulations.
• Both parties’ entities must be responsible for legal and civil liabilities, comply with personal information protection obligations, and sign explicit contracts.
• Both parties must agree to bear responsibility for any civil liabilities and sign an explicit agreement.
• The overseas recipient agrees to submit to the jurisdiction of the laws and administrative regulations of the PRC related to personal information protection. 

Organizational Management

Both parties are required to appoint a Data Protection Officer (DPO) and establish a data protection department. The officer’s and department’s jobs include ensuring compliance with personal data protection regulations. Such a person must have relevant data protection expertise and must be a member of the decision-making leadership of the organization. It is to be noted that the scope of these guidelines goes beyond the provisions provided under Article 52 of the PIPL. The Certification V2.0 goes a few steps further by providing the details regarding the duties of the department, such as:

• Clarifying and ensuring the obligations around personal data protection, such as scope, purpose, processing methods, etc.
• Supporting the organization's efforts to protect personal information, allocate the required human, financial, and material resources and make sure they are available when needed.
• Ensuring that the PI is protected against security risks and data loss, such as unauthorized access, loss, tampering, etc., and guiding the relevant personnel to achieve that.
• Inform the organization's top executive on a frequent basis how personal data is being protected and support ongoing improvements in this area.

Appointing a PI Protection Agency

The PI processors and overseas recipients are required to establish PI protection agencies. These institutions would be responsible for preventing unauthorized access, tampering, loss, etc., of the personal information and fulfill the following obligations relating to the cross-bordering processing:

• Develop and implement plans for cross-border processing of personal information;
• Conduct personal information impact assessments;
• Ensure that the cross-border processing takes place in accordance with the rules and protects the rights and interests of individuals;
• Ensure the personal information is handled in accordance with the purpose, scope, and manner of processing;
• Handling complaints and requests;
• Conduct compliance audits;
• Agree to the continuous supervision of the Certification agencies, entertaining their inquiries and facilitating the investigation.

Jointly Agreed Upon PI Processing Rules

Both parties must mutually agree upon establishing and following the same set of data protection regulations for processing PI. The parties must further ensure that, at the minimum, parties must clarify the following details:

• Basic information regarding the scope of PI processing, the volume or size of PI intended to be processed, the sensitivity level of PI, etc.
• The purpose and methods of processing PI.
• Retention period of the PI along with its storage location.
• The region or country where the PI is intended to be transferred.
• The various measures that are undertaken to protect the integrity and confidentiality of the PI.
• Any added rules regarding the handling of complaints, legal compensation, and dispute resolution in the event of any security incident.

PI Protection Impact Assessment

PI processors and foreign recipients must conduct PI protection impact assessment (PIA). The PIA is a critical tool that organizations are often required by law to perform to reduce risks to personal information and demonstrate compliance. It is to be noted that the recommendation by the Certification Specifications is consistent with the PIA provision provided under the Personal Information Protection Law of the People's Republic of China (PIPL). The provision also requires PI processors to carry out such assessments. Regardless, at the minimum, the assessment must include the following details:

• The legitimacy and necessity of the cross-border PI processing's scope, purpose, and method.
• The possible risks that could occur from the cross-border transfer's scope, scale, or sensitivity.
• Assurance of the technical and management measures the foreign recipient provides, along with their legal responsibilities and duties.
• Any possible risks of data leakage, unauthorized access, or data loss, and any well-defined channel for individuals to exercise their rights and interests.
• The impact of the PI protection regulations in the region where the foreign recipient is located in terms of ensuring data protection or honoring the rights of individuals, such as:
  • The previous experience of the foreign recipient with cross-border data transfer and any related security incident. How they mitigated the risks arising out of the incident or honored data subject requests.
  • The data protection regulation of the foreign recipient and differences between the PRC data regulations and laws.
  • Any international organization that the foreign recipient’s country or region has joined and its commitments.
  • The mechanisms for the protection of personal information and its processing.
• Any other related issues that may affect the security of cross-border PI processing.
• Organizations should create impact protection reports and keep these for 3 years.

Responsibilities of the PI Processors & Overseas Recipient

Obligation To Comply With Principles

PI processors and overseas recipients must inform individuals of the basic details of cross-border personal information processing and obtain their consent. Overseas recipients must promptly inform PI processors and the certification body if they can no longer fulfill the certification requirements due to changes in their country or region's laws or policies.

Moreover, personal information must be processed across borders according to the agreed purpose, method, and protection measures without exceeding the agreed scope within the binding agreements.

Obligation to Fulfill Data Subject Rights

The overseas recipients must not disclose personal information to third parties without meeting relevant Chinese laws and regulations on personal information protection. Personal information subjects have the right to access, copy, correct, supplement, or delete their personal information, and PI processors must respond to their requests in a timely manner and provide reasons for refusal. If the personal data subjects request a copy of the legally binding agreements outlining their rights and interests, then a copy must be provided.

Records of Processing Obligation

PI processors must keep objective records of cross-border personal information processing for at least three years and provide relevant documents to Chinese authorities upon request. When facing difficulties in ensuring personal information security, PI processors must stop cross-border processing and notify the other party promptly.

Breach Obligations

If personal information is leaked, tampered with, or lost, the PI processor and recipient must promptly take remedial action, notify each other and report to the relevant department in China. They will also notify affected individuals as required by law, record all related facts, including the impact of the incident, and retain records of all remedial measures taken. The notification should address the following:

• Reasons for leakage, tampering, and loss of personal information.
• The type of personal information leaked and the harm it may cause. 
• Remedial measures are taken.
• Measures that individuals can take to mitigate hazards.
• Contact information of the person in charge or the team in charge of handling the leakage, falsification, or loss of personal information.

Legal and Civil Obligations

The foreign recipient's domestic legal responsibility bearer must enable data subjects to exercise their rights and assume corresponding civil legal responsibility for any damage caused by cross-border processing activities. Both PI processors and overseas recipients should agree to continuous supervision by certification bodies, cooperate with inspections, comply with measures or decisions, and provide written proof of necessary actions taken. Additionally, the overseas recipient must commit to complying with the laws and regulations of the PRC in relation to personal information protection and apply these during disputes related to personal information cross-processing.

Individuals' Privacy Rights

Certification Specifications require both parties to entertain the data subject rights. The rights align with those mentioned in Chapter IV of the PIPL and also the SCC Regulations. Security Certification Guidelines V2.0 provides that the data subject is a third-party beneficiary and has a right to request the PI processor and the overseas recipient to obtain information and know his/her rights and assert those rights in relation to the processing of personal data. Additionally, the data subject has the following rights such as:

• Right to information;
• Right to make decisions;
• Right to restrict or refuse the processing of his/her personal information;
• Right to access and copy; 
• Right to rectify & update;
• Right to deletion;
• Right to refuse processing through automated means only;
• Right to withdraw consent;
• Right to lodge complaints and institute legal proceedings against the PI processor or overseas recipient.

Whenever the data subject makes a request to exercise any right, the PI processor and the overseas recipient must take steps to honor such request. In case of any damage to the rights and interests of the individuals, they are entitled to get compensation from the PI processor or overseas recipient, or both.

Final Thoughts

The Security Certification Guidelines V2.0 provides a clear and more standardized process of cross-border data transfers outside the PRC. It will allow businesses to navigate complex data protection laws, such as PIPL and cross-border regulations while ensuring enhanced data governance practices and demonstrating compliance. On 16th March 2023, TC260 requested comments on the Security Certification Guidelines. The consultation is open till 15 May 2023.