The entry into force of the Personal Information Protection Law (PIPL) in China symbolizes a new era of personal rights protection in China. This brings challenges to entities involved in personal information (PI) processing, especially in the area of cross-border supply and overseas processing of PI.
As discussed in our previous article introducing the PIPL, under Article 38 of the PIPL, PI processors transferring PI outside China shall fulfill at least one of the four conditions listed therein. One of these conditions is being “subject to the personal information protection certification by a specialized institution in accordance with the provisions issued by the national cyberspace administration.”
The ‘specialized institution’ has not been specified as any particular institution. However, we believe that it may refer to the China Cybersecurity Review Technology and Certification Center, which reviews and issues certifications regarding data security. Regarding the definition of ‘PI processors’, the PIPL gives us a clear answer. According to Article 73(1) of the PIPL, ‘PI processors’ refers to “organizations and individuals that, in personal information processing activities, autonomously decide processing purposes and processing methods.” Notably, in line with this definition, foreign PI processors outside the territory of the PRC that are eligible to apply for the certification should be able to determine their processing purposes and methods themselves.
In other words, overseas entities that do not participate in deciding those factors, such as companies providing data storage services, are not required to obtain certification. In order to clarify the conditions and requirements for a PI processor to complete the certification procedure and to provide necessary guidance on the methods available, the Technical Specification for the Certification of Cross-Border Processing Activities of Personal Information (Draft for Comments) (in Chinese “个人信息跨境处理活动认证技术规范(征求意见稿)”, hereinafter “the Draft Document”) has been published and opened for public consultation. The Draft Document contains five provisions, which are analyzed in detail in this article in order to offer ideas for foreign companies that fall within the scope of the PIPL and are involved in the cross-border transfer of PI.
Articles 1 and 2 of the Draft Document clarify the conditions under which companies may apply for certification to ensure compliance with the PIPL, and the corresponding certification methods. The Draft Document is applicable in two situations: when PI processing activities are conducted within multinational companies or the same economic and business entities, and when foreign PI processors process PI outside the territory of the PRC. In the first situation, the representative office (e.g. subsidiaries or branches in China) of the multinational company or other entity inside the territory of the PRC shall apply for the certification and bear any legal responsibilities arising from PI processing in the future. In the latter situation, PI processors outside the territory of the PRC are obligated to set up specialized agencies or designate representatives, who shall undertake the same responsibility as the representative office in the first situation. In practice, foreign PI processors could cooperate with local law firms or agencies in handling these specific issues.
Article 5 lists four basic requirements for a certification application, regarding the legal relationship among the relevant parties and the internal regulations of the foreign PI processor. A binding agreement containing the necessary information listed in Article 5.1 shall be adopted by all relevant parties participating in the PI processing procedures. This information includes the names of the relevant parties; the processing purposes and categories of processed PI; measures for PI protection; and the obligations and commitments of the relevant parties. The internal rules of foreign PI processors shall cover the designation and duties of PI protection officers, the establishment of PI protection organizations, rules on PI processing procedures and impact assessment of PI processing. Regarding organizational management, which is clarified in Article 5.2, the Draft Document requires foreign PI processors to take further action in four respects, namely designating PI protection officers, setting up PI protection organizations, adopting overseas PI processing rules and conducting impact assessments of PI processing. Notably, the PI protection officer shall be a member of the decision-making board of the entity concerned. In addition, the impact assessment shall be conducted before PI is provided overseas. Other detailed requirements and necessary contents for these four actions can be found in Articles 5.2-5.4.
Other provisions on, for example, basic principles, the rights of individuals whose PI is processed and the obligations of relevant parties involved in the PI processing procedures are consistent with the relevant rules contained in the PIPL.
Obtaining the Certification of Cross-Border Processing Activities of Personal Information is the approach available to foreign PI processors for lawfully processing PI, other than passing a security assessment in accordance with Article 40 of the PIPL. Considering that the application requires that the outcome of processed PI should reach certain levels or include key information and data, applying for a certificate is the better choice for companies or entities. Though the Draft Document has not come into force yet, it is strongly suggested that foreign PI processors check the requirements in the Draft Document and prepare for the certification procedures in advance to avoid the risk of non-compliance in their business operations.
More information
If you are not sure whether your company falls within the scope of the PIPL or what you should do to comply with the requirements of the certification procedures, please feel free to contact our China Practice: Job Bezemer (jbz@kneppelhout.nl), Victor Zheng (vz@kneppelhout.nl) and Peiying Li (pl@kneppelhout.nl).