The National Information Security Standardization Technical Committee released the draft of Certification Requirements for Cross-border Transfer of Personal Information (hereinafter referred to as the “Certification Requirements”) on March 16th for public comment. The Certification Requirements stipulate the principles and basic requirements for the cross-border transfer of personal information when conducting certification.
As we introduced in our previous article, there are three methods for cross-border transfer of personal information, namely, the outbound security assessment organized by the Cyberspace Administration of China (“CAC”), the certification of personal information protection by a specialized agency, and the conclusion of the standard contract set up by the CAC. For implementing the second method, i.e. certification of personal information protection, the Implementing Rules for the Certification of Personal Information Protection and the Practice Guideline for Network Security Standards – Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (“Practice Guideline”) were issued at the end of last year. The Certification Requirements basically adopt the entire text of the latter. However, the Practice Guideline is only an informative reference for the certification agency and personal information processors. The Certification Requirements, on the other hand, are a recommendatory national standard that is also applicable to competent authorities and third-party assessment agencies for the supervision, management, and evaluation of cross-border transfers of personal information. Even though this national standard is not mandatory in nature, its application by the authorities or other authorized agencies in the future would, to some extent, make it mandatory for the relevant personal information processors.
There are four basic requirements stipulated in the Certification Requirements:
1- Legally binding instruments should be concluded between the personal information processor and the outbound recipient.
The legally binding instruments should cover aspects such as the basic information of the parties; the purpose, scope, type, sensitivity, quantity, method, storage period and place of the personal information to be transferred outbound; technical and management measures to prevent the security risks of the outbound transfer; and the obligations and responsibilities of the parties. For the outbound recipients, it is required that they commit to being subject to the continuous supervision of such outbound transfer by the certification agency and to the jurisdiction of Chinese laws and regulations concerning personal information protection. They should also designate an entity that can assume legal responsibilities in China.
2- Both the personal information processor and the outbound recipient should designate a person and department responsible for personal information protection.
- Concerning the responsible person, he/she should be a member of the management team of the company and report to the head of the company.
- Concerning the department for personal information protection, in addition to the general duties related to personal information (such as organizing the personal information protection impact assessment), it should also carry out regular compliance audits, handle the requests and complaints of relevant individuals, respond to the certification agency’s inquiries and cooperate with the certification agency’s investigations.
3- Both the personal information processor and the outbound recipient should agree on and implement the same processing rules for the outbound transfer of personal information, including the following aspects:
- basic information on the cross-border transfer, including the quantity, scope, type, sensitivity, etc. of personal information;
- the purpose, method and scope of the cross-border transfer;
- the start and end of the overseas storage of personal information and the processing method after that period expires;
- transit countries or regions;
- resources and measures to ensure the rights and interests of relevant individuals;
- compensation and handling rules for personal information security incidents.
4- The personal information processor should carry out an assessment of the personal information protection impact of such transfer activities and prepare an assessment report (to be kept for at least 3 years).
The elements that should be addressed in the assessment report in the context of an outbound transfer with certification are the same as those in the context of an outbound transfer by conclusion of the standard contract. Under both methods, the impact of personal information laws, regulations, policies, and practices of the place where the outbound recipient is located should be comprehensively considered.
In addition, the Certification Requirements also stipulate the rights of relevant individuals and the responsibilities of the personal information processor and the outbound recipient. These provisions are not much different from those regarding the method of concluding the standard contract. In particular, individuals are given the right to sue the personal information processor and the outbound recipient for infringement of their personal information rights, and the outbound recipient should commit to being subject to Chinese jurisdiction and laws.
In general, these requirements are similar to those of the standard contract. For large multinational groups that are not obliged to carry out the outbound security assessment (first method) for their outbound transfers, given the complexity and large scale of their daily outbound transfer activities inside and outside the groups, outbound transfers with certification may be a more practical and stable option than concluding multiple standard contracts with various entities.