News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Will China’s new certification rules be a popular legal path for outbound data transfers? Related reading: How China's draft SCCs compare with EU SCCs

rss_feed

On Nov. 1, 2021, China’s Personal Information Protection Law took effect and became the first Chinese law dedicated to protecting the personal information rights of individuals. However, due to a lack of implementation regulations and clarity, many companies face a situation where they are unsure how to comply with areas of the PIPL.

Nowhere is this more of an issue than with Article 38 of the PIPL, which provides several conditions (or legal paths) that must be met before a cross-border data transfer may occur. According to Article 38, entities may send personal data to foreign recipients by taking one of the following legal paths:

Legal Path 1 – Government security assessment: A security assessment organized by the national cyberspace authority has been passed by the entity in accordance with Article 40 of this law.

Legal Path 2 – Standard contract: A contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of both parties.

Legal Path 3 – Certification: The entity has acquired a certification of personal information protection by a professional certification institution in accordance with the regulations of the national cyberspace authority.

TC260 issues rules for Legal Path 3 (Certification)

On June 24, the National Information Security Standardization Technical Committee, also known as TC260, issued its “Technical Specifications for the Certification of Cross-Border Processing of Personal Information.” The specifications state the criteria that multinational corporations, overseas processors and other economic/business entities should meet to obtain certification as described in Article 38 of the PIPL (i.e., Legal Path 3). At a high level, TC260’s specifications seem to describe something like binding corporate rules under the EU General Data Protection Regulation.

Please note that the specifications are not compulsory. In other words, parties to cross-border personal information transfers can decide if they want to go through this path and obtain certification or go through other legal paths they think appropriate to legitimatize their cross-border data transfers. However, if they choose to put themselves under this certification regime, the rules under the specifications are binding on them and relevant certification institutions.

Applicability of the specifications

The specifications describe certification scenarios, certification applicants and those who should bear responsibility for cross-border personal information transfers. Within an MNC, one of its entities in China can apply for certification and undertake legal responsibility for the MNC’s global organization. For an overseas entity having an insubstantial presence in China, its specialized agency or designated representative in China can apply for certification and bear legal responsibility for the overseas entity.  

Legally binding documents

Parties to cross-border personal information processing activities must sign legally binding and enforceable documents to ensure that the rights and interests of individuals are fully protected. At a minimum, these legally binding documents should contain:

  1. The relevant parties involved in cross-border personal information processing.
  2. The purpose of cross-border personal information processing and the types and scope of personal information.
  3. Measures to protect the rights and interests of individuals.
  4. Undertakings by each party to comply with uniform personal information processing rules and ensure that the level of personal information protection is not lower than the standards stipulated by relevant Chinese laws and regulations on the protection of personal information.
  5. Undertakings to accept the supervision of certification bodies.
  6. Provisions stating that relevant Chinese laws and regulations on the protection of personal information govern the arrangements.
  7. Details of the organizational bodies that will bear legal responsibility within China.
  8. Provisions for compliance with other legal and regulatory obligations.

Uniform processing rules

Uniform processing rules, described in item above, must contain:

  • The particulars of cross-border personal information processing, including the type, sensitivity, quantity, etc., of personal information.
  • The purpose, method and scope of cross-border personal information processing.
  • The start and end time of overseas storage of personal information and the processing method after expiration.
  • Transit countries involved in cross-border personal information processing.
  • Resources and measures required to protect the rights and interests of individuals.
  • Rules for compensation and disposal of personal information security incidents.

Data protection officers

Both the data exporter and foreign data importer must appoint a person to take charge of personal information protection. The persons in charge must have relevant knowledge and experience and be a part of the decision-making level of their entity. Their duties include:

  • Clarifying organizational personal information protection objectives, basic requirements, work tasks and protection measures.
  • Ensuring the availability of human resources, financial support and materials for personal information protection within the organization.
  • Guiding and supporting relevant personnel in carrying out the organization’s personal information protection efforts and ensuring that personal information protection efforts achieve the expected goals.
  • Reporting to the organization’s leaders on personal information protection and promoting the continuous improvement of these efforts.

Personal information protection organization

Both the data exporter and foreign data importer should set up internal personal information protection organizations tasked with preventing “unauthorised access and leakage, falsification and loss of personal information” and undertake the following duties:

  • Formulate and implement plans for cross-border personal information processing.
  • Organize and carry out personal information protection impact assessments.
  • Supervise cross-border personal information transfers under rules agreed to by the relevant parties.
  • Accept and handle requests and complaints from data subjects.

Personal information protection impact assessments

In cross-border transfer scenarios, a personal information protection impact assessment must cover:

  1. Whether the provision of personal information to overseas countries complies with laws and administrative regulations.
  2. The impact on the rights and interests of individuals.
  3. The impact of the legal environment and network security environment of overseas countries and regions on the rights and interests of individuals.
  4. Other matters necessary to safeguard the rights and interests of personal information.

Items 2 and 4 above mirror the requirements of the PIPL, while items 1 and 3 are more specific to cross-border transfer impact assessments and suggest the need for specialized country-by-country transfer impact assessments similar to those used for GDPR purposes. For item 3, we note that the precise meanings of “legal environment” and “network security environment” are currently unclear.

Individual rights

Individuals have various rights over their personal information under the PIPL. Those rights include a right to access, right to correct, right to complete, right to erasure, right of portability and right to refuse processing. In addition to those rights, the specifications provide that individuals are beneficiaries of legally binding documents and have the right to request a copy of the relevant LBD provisions relating to their legal rights and interests.

Being a beneficiary to LBDs might, theoretically, increase the range of rights available to individuals beyond those found in the PIPL. This is especially so if MNCs operating in multiple jurisdictions take a unified highest standard approach to personal information protection at a global level.

The right to access relevant to LBD provisions raises issues from a confidentiality perspective. Thus, it would be wise to stipulate such matters in a standalone document to ensure disclosures to individuals remain appropriate.

The specifications also provide that individuals should be allowed to litigate in the Chinese courts of their habitual place of residence against the parties to the cross-border data transfers.

Obligations of the parties to cross-border data transfers

The provisions within the specifications on processor obligations generally reflect the terms of the PIPL. However, further requirements are imposed on parties to cross-border data transfers, including:

  • When situations arise where it is difficult to ensure the security of personal information transferred across borders, such processing must be “promptly terminated.”
  • The responsible party in China should compensate individuals for breaches arising in the context of cross-border data processing activities.
  • The parties to cross-border data transfer activities should undertake to follow Chinese data protection laws, accept their application and enforcement, and cooperate with Chinese regulators’ enforcement activities, such as answering their inquiries and accepting routine inspections.

Conclusions

The specifications make Legal Path 3 (Certification) of Article 38 of the PIPL possible — though not fully actionable, as China has not published a list of certification institutions to handle certification applications from entities. Nevertheless, the specifications provide a skeleton of the certification regime for cross-border data transfers. We believe that the Chinese authorities may issue regulations and TC260 may also issue further guidance to substantiate this certification regime.

It should be noted that, while an entity can choose between Legal Path 3 (Certification) and Legal Path 2 (Standard Contract) to legitimatize its cross-border data transfers, Legal Path 1 (Government Security Assessment) is not optional  — as long as statutory triggers exist, an entity will have to participate in a security assessment by the Cyberspace Administration of China.

At this stage, it is difficult to forecast if the certification path would be more popular than the standard contract path. In addition to signing a cross-border data transfer contract, the specifications essentially require that both the data exporter and the overseas data recipients are subject to a set of unified data protection rules that align with Chinese laws and are subject to Chinese regulators’ supervision. We believe the compliance efforts would be more costly than simply signing the standard contract. However, it is possible this certification path might be welcomed by some companies who see certification as a type of status or quality mark to signal to consumers that their personal information will be protected to higher standards.

As cross-border data transfers are a rapidly developing area of law, MNCs and overseas processors processing the personal information of people in China are advised to monitor developments in this area closely.


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Authors
Headshot Samuel Yang Nonmember Contributor
Headshot Christopher Fung Nonmember Contributor
Headshot Leann Wu Nonmember Contributor
Tags
Asia-Pacific
Privacy Law
Comments

If you want to comment on this post, you need to login.

Related Stories
How China's draft SCCs compare with EU SCCs
On June 30, 2022, the Cyberspace Administration of China released the long-awaited draft provisions on the Standard Contract for the Cross-border Transfer of Personal Information for public consultation. The deadline to submit comments is July 29, 2022. The draft provisions were circulated pursuant ...
Read More queue Save This
China adopts national privacy law
The top legislative body in the People's Republic of China voted Friday to adopt a new national privacy law. The Standing Committee of the National People's Congress passed the Personal Information Protection Law at a meeting in Beijing, according to the nation's state-operated Xinhua News Agency. ...
Read More queue Save This
Related Stories
Tags
Asia-Pacific
Privacy Law
Recent Comments