PRC Issues Draft Personal Information Protection Certification Measures for Cross-Border Data Transfers

Introduction

The Cyberspace Administration of China (“CAC”) is conducting a public consultation on the Personal Information Protection Certification Measures (Draft for Comments) (“Draft Measures”) from 3 January to 3 February 2025. The Draft Measures set out a proposed system for the certification of personal information protection in cross-border data transfers. They seek to provide specific guidelines for facilitating cross-border personal information activities and for standardising personal information protection certification work.

The Draft Measures form part of the People’s Republic of China’s (“PRC”) swiftly developing framework on data protection. They seek to implement the requirements of the “Personal Information Protection Law of the PRC” (“PIPL”) in the context of cross-border transfers, improve the security of data exiting the country, and establish a compliance mechanism that aligns with international standards.

The Draft Measures will apply to both local and foreign entities, and will affect businesses that handle personal data and seek to transfer such data internationally. This Update sets out the key elements of the Draft Measures.

Background

The Draft Measures come in the wake of the “Announcement on the Implementation of Personal Information Protection Certification”, jointly issued by the State Administration for Market Regulation and CAC on 4 November 2022, which marked the formal establishment of the PRC’s personal information protection certification system.

Due to the rapid development of the global digital economy, cross-border data flow has become a priority issue for countries across the world. In light of this, the Draft Measures seek to achieve the following objectives:

  • Provide more efficient, convenient, and secure pathways for personal information processors to conduct cross-border data flow activities;
  • Encourage industry self-discipline by motivating personal information processors to voluntarily apply for certification;
  • Promote the growth of the digital economy by streamlining administration, delegating power, strengthening regulation, and improving services; and
  • Promote international cooperation in standardising cross-border data transfer rules so as to actively develop digital trade.

The Draft Measures cover the following areas:

  • Scope of personal information protection certification;
  • Eligibility for certification;
  • Procedure and requirements for certification; and
  • Framework for monitoring and enforcement.

Scope

The Draft Measures apply to the certification of personal information protection for cross-border data transfers. Such certification is to be conducted by professional certification bodies that are legally established and approved by the national market supervision and management department.

The certification ensures that the personal information processors comply with the applicable criteria for cross-border data transfer. Certified entities must demonstrate that they are able to perform such transfers according to the standards set out by CAC. This also serves as an assurance to the public and to other regulatory authorities that the certified entity meets the required data protection measures.

“Cross-border data transfer” refers to the provision of personal information to overseas entities due to business needs, and includes the following:

  • Transmitting data from the PRC – Transmitting personal information collected and generated during domestic operations to overseas locations;
  • Access by foreign entities – Allowing overseas institutions or individuals to query, retrieve, download, or export personal information collected and generated domestically; and
  • Processing of data by foreign entities – Other personal information processing activities as set out in the PIPL, such as processing personal information of domestic natural persons overseas.

Eligibility

The Draft Measures clarify that both domestic and overseas personal information processors can apply for certification.

Domestic personal information processors within PRC who seek to transfer data overseas via the personal information protection certification must meet the following conditions:

  • They are not operators of critical information infrastructure; and
  • They have cumulatively provided personal information of more than 100,000 but less than 1 million individuals (excluding sensitive personal information), or less than 10,000 individuals’ sensitive personal information, to overseas entities since 1 January of the current year.

Similarly, personal information processors who process personal information of individuals within PRC from overseas can conduct cross-border data transfer activities after obtaining personal information protection certification.

Procedure

Personal information processors may voluntarily apply for personal information protection certification for cross-border data transfers from professional certification bodies. However, foreign processors applying for certification must have a dedicated institution or designated representative within PRC to:

  • Assist in the application;
  • Bear corresponding legal responsibilities;
  • Commit to complying with relevant laws and regulations on personal information protection; and
  • Accept supervision and management by professional certification bodies.

The personal information protection certification process includes the following stages:

  • Certification application – When applying for certification, personal information processors should submit a certification application form, self-evaluation form, and relevant supporting materials to the certification body.
  • Technical verification and on-site audit – The certification body determines the certification plan, using technical testing, on-site inspection, and personnel interviews to conduct technical verification and on-site audit.
  • Certification decision – The certification body conducts a comprehensive evaluation based on the application materials, technical verification report, and on-site audit report, and makes a certification decision. The certification body issues a certification certificate to the certification entrusting party, and authorises the certified entity to use the specified certification mark.
  • Post-certification supervision – The certification body conducts supervision after a certificate is granted to ensure that personal information processors continue to meet certification standards after obtaining the certificate.

When evaluating a certification application, the certification body will consider, among others, the following factors:

  • The legality, legitimacy, and necessity of the cross-border data transfers;
  • The personal information protection framework and data security environment of the country where the overseas personal information processor or recipient is located;
  • Whether there are legally binding agreements between the personal information processor and the overseas recipient stipulating personal information protection obligations; and
  • Whether the organisational structure, management system, and technical measures of the personal information processor and the overseas recipient can ensure data security and personal information rights.

The certificate is valid for a period of three years. If the certificate needs to be renewed after expiration, the certification entrusting party should apply to the certification body within six months before the expiration of the validity period.

Monitoring and Enforcement

The Draft Measures provide that certification bodies are to perform ongoing monitoring of certified entities. If they discover activities that are inconsistent with the certification scope or any failure to meet certification requirements, they shall promptly suspend or revoke the relevant certification. CAC and the relevant departments may also order certification bodies to suspend or revoke certification if they discover similar non-compliance on the part of the certified entities.

The Draft Measures provide for a public reporting mechanism for violations on the part of certified personal information processors. Organisations or individuals may report such non-compliance to the provincial-level or higher-level cybersecurity departments for review and further action. Government authorities have powers to investigate potential breaches, including the power to require interviews with the certified entities.

Administrative penalties will be imposed on entities that violate the Draft Measures. These penalties could include fines, suspension of certification, or other sanctions, including criminal liability where a crime is constituted.

Concluding Words

The certification framework in the Draft Measures seeks to provide greater security, public trust, and international cooperation in the cross-border transfer of personal information. While this creates greater opportunities for businesses in promoting digital trade, it also creates a new set of compliance challenges for organisations.

Businesses handling personal data or seeking to engage in cross-border data transfers will have to establish policies and procedures for ensuring compliance with the relevant certification requirements. This is likely to include the development of compliance strategies, policies for the necessary legal agreements, and the implementation of technical data security measures. Entities should also be wary of penalties for violations, such as financial penalties and reputational damage.

We will continue to monitor the implementation of the Draft Measures and relevant laws. For further queries, please feel free to contact our team.


Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
