2023-02-03 23:51:44

China: Revised TC260 Specification on Cross-Border Processing Certification - What you need to know


On 16 December 2022, the National Information Security Standardisation Technical Committee of China ('TC260') released a revised version of the Practice Guidelines for Cybersecurity Standards - Technical Specification for the Certification of Cross-Border Processing of Personal Information ('the revised Certification Specification')[1], less than six months after issuing the first version of the Certification Specification[2].

In this article, James Gong, Partner at Bird & Bird, highlights the key provisions of the revised Certification Specification, with concluding thoughts on the impact of the same, especially in comparison to the draft Personal Information Export Standard Contract ('the draft Standard Contract')[3].

Background

Article 38 of the Personal Information Protection Law of the People's Republic of China ('PIPL') provides for three routes for personal information processors exporting personal information out of mainland China, namely:

  • passing a governmental security assessment as required for critical information infrastructure operators and organisations that process personal information reaching a certain threshold amount specified by the Cyberspace Administration of China ('CAC');
  • attaining a personal information protection certification by an institution accredited by the CAC ('personal information export certification'); or
  • entering into a standard contract with the foreign recipient.

Please note that a personal information processor is defined under the PIPL as an organisation or individual that independently determines the purposes and means of the processing, akin to the concept of data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') of the EU.

Additionally, the PIPL also stipulates that the CAC will coordinate the relevant ministries to support personal information protection assessment and certification services.

In November 2022, the State Administration for Market Regulation ('SAMR') and the CAC jointly issued an announcement[4] to implement a personal information protection certification regime and published its implementing rules ('the Certification Rules')[5]. The Certification Rules establish the framework of the personal information protection certification regime and also require personal information processors that export personal information outside of China to comply with the revised Certification Specification; therefore the Certification Rules apply to personal information export certifications as well.

Combined with the Certification Rules, the revised Certification Specification is a further move by the Government of the People's Republic of China ('the Government') to complete the regime for the personal information export certification.

Key provisions

Who may apply for a personal information export certification?

The revised Certification Specification provides for who is qualified to apply for the personal information export certification, namely:

  • The entities located in China may apply for the personal information export certification with regard to personal information sharing within a multinational company or an economic or public entity.
  • The local representatives established or designated by overseas personal information processors may submit the application on behalf of the foreign personal information processors. Pursuant to the PIPL, a foreign personal information processor subject to the extraterritorial effect must establish or appoint a local representative in China.

Whilst the PIPL remains silent on the liability of local representatives, the revised Certification Specification goes a step further and purports to hold the local representative liable for its actions relevant to the certification. Although the revised Certification Specification does not specify what such legal liability will be, it would undoubtedly render it more difficult for a foreign personal information processor to designate a representative in China.

Certification requirements

The revised Certification Specification lays down requirements for certification in four main aspects, namely a legally binding and enforceable document, organisational management, unified cross-border processing rules, and Personal Information Protection Impact Assessments ('PIPIAs').

Legally binding and enforceable documents

Relevant parties involved in cross-border processing of personal information should sign legally binding and enforceable documents to protect the rights of individuals. Such documents should specify at least the following:

  • identity of the personal information processor (i.e. the exporter) and the overseas recipient;
  • purposes, scale, and method of cross-border processing, as well as the categories, sensitivity, amount, retention period, and storage location of the personal information being processed;
  • the rights and obligations of the parties, as well as the technical and organisational measures the parties have taken to prevent the possible security risks caused by the cross-border processing;
  • the rights of the individuals and the methods to exercise the individual rights;
  • remediation, termination, liability for breach of contract, and dispute resolution;
  • whether the overseas recipient undertakes to abide by unified personal information processing rules (see below) and to ensure that the level of protection is not lower than that under the PIPL and other relevant laws and regulations of China;
  • whether the overseas recipient undertakes to accept the supervision of the certification bodies;
  • whether the overseas recipient undertakes to be subject to the Chinese laws and regulations on personal information protection;
  • whether entities that bear legal liability within the territory of China undertake to fulfil the obligations to protect personal information;
  • whether both parties undertake to bear legal liability for the acts that infringe the rights of personal information and explicitly agree on the civil liability that both parties should bear; and
  • other obligations as stipulated by applicable laws and regulations.

Such a document will usually be signed by entities within a multinational company and take the form of an intra-group transfer agreement. It is unclear how the entities subject to the extraterritorial effect of the PIPL should sign such legally binding and enforceable documents, and with whom.

Organisational management

Both the personal information processor (i.e. the exporter) and the overseas recipient involved in cross-border processing activities should designate their own personal information protection officers ('DPOs'). The DPO should be a member of the senior management within the organisation and possess expertise, knowledge, and management experience relevant to personal information protection. We note that, under the PIPL, a personal information processor should only appoint a DPO if the amount of personal information being processed reaches a certain amount that is yet to be prescribed by the CAC.

The revised Certification Specification also requires the personal information processor (i.e. the exporter) and the overseas recipient to establish their personal information protection departments to carry out certain data protection tasks in the cross-border processing activities.

Unified cross-border processing rules

The personal information processor (i.e. the exporter) and the overseas recipient must abide by a set of unified cross-border processing rules, which should at least include the following contents:

  • details of cross-border processing, including the volume, scale, categories, and sensitivity of personal information;
  • the purposes, means, and scope of cross-border processing;
  • the retention period and disposal methods upon expiry of the period;
  • countries or regions where personal information will be transferred to in transit;
  • resources and measures that are required for protecting the rights of individuals; and
  • compensation and response plans related to personal information security incidents.

The content of such unified cross-border processing rules under the revised Certification Specification, in certain aspects, resembles the Binding Corporate Rules ('BCRs'), which are considered a cross-border transfer safeguard under the GDPR.

For instance, the BCRs must also include details of cross-border processing, identification of third countries or regions, and the means for data subjects to exercise their rights and to obtain remedy. However, the unified cross-border processing rules do not on their own provide for a route for personal information export.

PIPIA

The personal information processor (i.e. the exporter) should conduct a PIPIA prior to exporting personal information outside of China. A PIPIA tailored to the export of personal information should at least cover:

  • the legality, fairness, and necessity of the purpose, the scope and means of the processing by the exporter, and the overseas recipient;
  • the scale, scope, types, sensitivity, and frequency of the personal information to be exported, and any risks of the export to the rights and interests of individuals;
  • whether the undertakings and the corresponding management, technical measures, and capability of the overseas recipient will ensure the safety of the export;
  • the risks of leak, destruction, tampering, and misuse of the personal information after the export, and the effectiveness of the channels for individuals to exercise their individual rights to the personal information;
  • the impact of personal information protection policies and regulations in the country or region where the overseas recipient is located on the fulfilment of personal information protection obligations and the protection of the rights and interests of individuals; and
  • other matters that could impact the security of the cross-border processing.

Safeguards for the rights of individuals

The revised Certification Specification explicitly states that individuals are the beneficiaries with regard to relevant provisions on individual rights in the legally binding documents signed by the exporter and the overseas recipient. On that basis, the individuals have the right to obtain from the parties a copy of the clauses that are relevant to their rights thereunder.

The individuals are also entitled to a series of rights stipulated by the PIPL, including the right to be informed, the rights of access, rectification, and deletion, the right to refuse automated decision-making, as well as the right to submit complaints to the relevant government authorities or file lawsuits for illegal personal information processing activities.

To provide appropriate safeguards for the rights of individuals, the revised Certification Specification sets out the following obligations for the parties:

  • notify individuals of the identities of the parties involved, the purposes of the processing, the categories of personal information, and the retention period, and obtain separate consent of individuals;
  • if the overseas recipient is unable to satisfy the requirements set forth by the revised Certification Specification due to changes of personal information protection policies and regulations in the overseas recipient's country or region, the overseas recipient shall immediately notify the personal information processor and accredited certification bodies of the aforementioned changes once it becomes aware of such changes;
  • abide by the legally binding and enforceable documents;
  • do not transfer the exported personal information to other third parties unless such onward transfers comply with applicable Chinese laws and regulations;
  • establish a convenient channel for individuals to exercise their rights;
  • document the details of the cross-border processing and keep the record for at least three years;
  • terminate the export in a timely manner if it is materially impossible to safeguard personal information and notify the other party;
  • take remediation measures, notify the other party, and authorities and individuals concerned in accordance with applicable Chinese laws in the event of a data breach;
  • provide a copy of clauses relevant to individual rights as contained in the legally binding documents upon the request of the individual;
  • facilitate the exercise of individual rights and bear the legal liability of compensation where the cross-border processing infringes the rights of individuals;
  • undertake to be subject to the supervision of the accredited certification bodies;
  • bear the burden of proving that the obligations hereunder have been fulfilled; and
  • undertake to be governed by the jurisdiction of China and to comply with the applicable Chinese laws and regulations on personal information protection, and undertake that disputes related to the cross-border processing of personal information shall be governed by Chinese laws and regulations.

As most of the above safeguards incorporated into the revised Certification Specification echo the elements of the draft Standard Contract, the intention seems to be to bring the protection standards under the personal information export certification regime in line with those under the draft Standard Contract.

Conclusion

In light of the above, the personal information export certification regime, as established by the revised Certification Specification, does not seem to bring any advantages over the draft Standard Contract, advantages which were expected to benefit multinational companies in their intra-group transfers. The enhanced requirements subject multinational companies to a level of obligations equivalent to that found under the draft Standard Contract.

On the other hand, the multinational companies will still need to conduct the PIPIA, establish a personal information protection department in each of the exporters and importers, enter into a set of BCRs compliant with the revised Certification Specification, and go through the certification application process in accordance with the Certification Rules.

These requirements are far more onerous than those contemplated under the draft Standard Contract, and as a result the revised Certification Specification further obscures the purpose of the personal information export certification regime, which was believed to be facilitating data export within multinational companies and international organisations. Most multinational companies will need to make their own assessments as to the cost-efficiency of the personal information export certification regime over other routes for personal information export, especially the draft Standard Contract.

James Gong Partner, james.gong@twobirds.com | Bird & Bird, Beijing

What is TC260?

The TC260 specification is a standard for cross-border processing certification in China, which governs the exchange of electronic transactions and data between entities within the country and abroad. The revised specification aims to improve security, reliability, and efficiency of cross-border processing and enhance data protection for personal information.

Key updates in the revised TC260 specification include enhanced security measures such as the use of encryption technologies, increased scrutiny of cross-border service providers, and greater protection of personal information. The revised specification also expands the scope of cross-border processing to cover more industries and types of data.

Businesses and organizations involved in cross-border processing should be aware of these changes and ensure that their operations are in compliance with the revised TC260 specification. Failing to comply with the standard may result in legal penalties and harm to the reputation of the organization.

1. Available at: www.tc260.org.cn/u...179931039025340.pdf (only available in Chinese)

2. Available at: www.tc260.org.cn/u...064151109035148.pdf (only available in Chinese)

3. Available at: www.cac.gov.cn/202...658205969531631.htm (only available in Chinese)

4. Available at: www.gov.cn/zhengce...content_5728770.htm (only available in Chinese)

5. Available at: www.cac.gov.cn/202...670399936983876.htm (only available in Chinese)

Source by Redazione
