Authored by: Edwarde Webre and Joyce Mu
The draft of the Practical Guide to Cybersecurity Standards – Specification on Certification Technologies for Cross-border Personal Information Processing Activities (hereinafter “Draft Specification”) was issued for public comment by the National Information Security Standardisation Technical Committee on 29 April 2022. This is the first official guideline for professional institutions on the certification mechanism applicable to cross-border personal information (PI) processing activities. Such certification is one of the statutory pre-conditions to be met for a PI processor to share PI with a recipient outside the PRC as per Article 38 of the Personal Information Protection Law (the “PIPL”).
Scope of application
The Draft Specification states its standards may be applicable to two types of situations:
Situation 2 above seems to imply that the conditions for the outbound flow of PI from the PRC set out in Article 38 of the PIPL may be extended to offshore PI processors that directly collect PI from individuals residing in the PRC. Note that the Specification is not mandatory and thus the certification requirements thereunder are voluntary. It remains to be seen whether any further regulations will impose any additional legal requirements on offshore PI processors.
Notable requirements for certification
The Draft Specification provides that a binding and enforceable document (which is not the standard contract of the Cyberspace Administration of China) shall be signed between the parties of cross-border PI processing activities, and sets out the specific content required to be contained therein.
There are other basic requirements in relation to the organisation structure, PI protection impact assessment, and rights protection for the PI subjects to complete the certification. For instance, the parties of cross-border PI processing activities shall:
Conclusion
Notwithstanding the foregoing, the Draft Specification is still silent on identifying the eligible institutions to carry out the certification or specifying the certification procedures. It is expected that further rules or standards will be made or improved for practical implementation.
Deacons will pay close attention to the status of legislation on PI protection in China, and provide updates on developments that may impact your business. For tailored measures and practical advice to manage risks in personal information processing, please contact us.