A new set of draft technical specifications provides guidance for MNCs and other entities with a presence in multiple countries on complying with China’s requirements for cross-border personal information processing as stipulated in the Personal Information Protection Law (PIPL). The specifications define rules for contracts, the obligations of persons in charge, and requirements for conducting data protection impact assessments (DPIA). This article offers an overview of the draft technical guidance and of how MNCs can prepare for compliance.
On April 29, the National Information Security Standardization Technical Committee (NISSTC), a government body under the State Administration for Market Regulation, released a draft version of the Practice Guidelines for Cyber Security Standards – Technical Specifications for Certification of Cross-Border Processing of Personal Information (the “technical specifications”) for public comment until May 13, 2022.
The technical specifications are the latest addition to China’s legislative framework for protecting the personal information of users and consumers in China. Under China’s Personal Information Protection Law (PIPL), companies are required to meet certain requirements and undergo a security assessment in order to transfer or process the personal information of Chinese users and customers outside of China.
However, many of these requirements were not fully clarified or expanded upon in the law itself, leaving many companies uncertain of their obligations under the law and how to comply with its requirements.
The new technical specifications provide more clarity on certain aspects of the law’s requirements, in particular on how large multinationals and entities with locations in both China and overseas can legally share personal information across borders.
They also act as a guide for companies and certification agencies that assist companies in transferring the personal information of Chinese citizens overseas, putting forward the basic principles for processing and protection of personal information, requirements for all relevant parties in cross-border processing activities, and protection of the rights and interests of personal information subjects. Finally, they provide companies with a reference guide for regulating cross-border processing activities of personal information.
Note that for the purposes of this article, “companies” refer to any market entity that engages in the processing of personal information. These are normally referred to as “personal information processors” in the official legislation and regulation documents.
Background: Requirements for cross-border processing of personal information under the PIPL
The technical specifications specifically state that they serve to clarify conditions in Article 38 of the PIPL, which deals with the cross-border processing of personal information.
This article of the PIPL stipulates that companies that have to provide personal information outside of China – due to business needs – must meet certain requirements and undergo a security review.
According to this article of the PIPL, companies must meet one of the following criteria in order to transfer personal information over a certain scale overseas:
- Undergo a security review organized by the Cyberspace Administration of China (CAC), except where exempted in relevant laws and regulations.
- Undergo personal information protection certification by a professional institution in accordance with the regulations of the CAC.
- Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC.
- Meet other conditions set by the CAC or relevant laws and regulations.
Article 38 also states that companies must adopt necessary measures to guarantee that the overseas recipient of the personal information also complies with the requirements and regulations for processing and protecting personal information stipulated in the PIPL.
“Personal information” is defined very broadly in the PIPL, and is described as “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously”.
This means personal information can include any data points or information that can be used to identify an individual, such as names, phone numbers, and IP addresses. Separately, the PIPL also defines “sensitive” personal information, which is subject to stricter protection requirements. Sensitive personal information includes:
- Biometric data (such as fingerprints, iris recognition, facial recognition, and DNA)
- Data pertaining to religious beliefs or specific identities
- Medical history
- Financial accounts
- Location and whereabouts
- Any personal information of minors under the age of 14
However, it does not include data that has been anonymized or abstract data that doesn’t contain any specific personal information on individuals, such as aggregated information.
Meanwhile, the “processing” of personal information is defined as “the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information”.
Note that if overseas employees remotely access and process the personal information of Chinese users stored in China, then it is also considered cross-border processing and is subject to the same requirements as if the company was transferring the personal information to overseas facilities.
The technical specifications clarify the basic requirements for certification agencies that conduct personal information protection certification for companies that need to engage in cross-border processing of personal information.
They are applicable in the following scenarios:
- When cross-border processing of personal information takes place within a multinational company or within the same economic or business entity; and
- When overseas companies process personal information of natural persons within China from abroad for purposes such as:
– Providing products or services to natural persons in China;
– Analyzing and evaluating the activities of natural persons in China; and
– Other circumstances provided by laws and administrative regulations.
The technical specifications clarify some aspects of the certification procedure for the cross-border processing of personal information.
For the cross-border processing of personal information within a multinational company or within the same economic or business entity, the domestic party may apply for certification and bear legal responsibility.
Furthermore, to engage in the overseas processing of personal information for purposes specified above, foreign companies can apply for certification from specialized agencies or set up a designated representative in China, which will also bear the legal responsibility.
Basic principles for cross-border personal information processing
The technical specifications largely reiterate the principles for personal information processing, stating them in specific terms for cross-border processing of personal information while expanding upon some principles.
The PIPL broadly states that personal information shall be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and shall not be processed through deception, fraud, coercion, or other dishonest means.
The technical specifications expand upon this with reference specifically to the cross-border processing of personal information, reiterating the need to adhere to “the principles of lawfulness, legitimacy, necessity, and good faith”. They also recognize that “personal information is directly related to the personal dignity of the information subject”.
According to the technical specifications, cross-border processing of personal information must also adopt the “Principle of Least Privilege”, which means that the person or company processing the personal information is only allowed to access the minimum amount of data required to complete a certain task. This principle is also stipulated in the PIPL, which states that “the collection of personal information shall be limited to the minimum scope to achieve the purpose of processing, and excessive collection of personal information shall be prohibited”.
Openness and transparency
The technical specifications specify transparency and disclosure requirements for cross-border processing of personal information, which are also mentioned in the PIPL in broader terms.
Companies engaging in cross-border processing of personal information must:
- Meet the requirements for disclosure of processing rules and transparency of the processing process.
- Inform the personal information subject of the purpose, scope, and processing method of the cross-border provision of personal information in a timely manner.
- Ensure that the personal information subject understands the entire process of processing his or her personal information.
One principle that is not mentioned in the PIPL is the principle of voluntary certification for cross-border personal information processing. The technical specifications state that eligible parties involved in cross-border personal information processing can volunteer to undergo certification “at the recommendation of the state” and are encouraged to do so. They also state that the purpose of the certification is to strengthen personal information protection and improve the efficiency of cross-border processing of personal information.
The technical specifications clarify requirements for companies to be eligible to engage in cross-border processing of personal information. These include contract requirements for domestic and overseas parties, requirements for the appointment of responsible persons, data protection impact assessments (DPIA), and more.
One of the conditions under which companies are permitted to engage in cross-border personal information processing is if they have a signed contract with the domestic or foreign party, which clearly stipulates the obligations and liabilities of both parties.
The technical specifications clarify the contract must contain the following information:
- All of the parties related to the personal information processing activity.
- The purpose for the cross-border processing of personal information and the scope and type of personal information to be processed.
- The measures taken to protect the rights and interests of the personal information subjects.
- That all relevant parties will undertake and abide by the consistent personal information processing rules and ensure that the level of personal information protection is not lower than the standards stipulated in the relevant laws and administrative regulations of the People’s Republic of China.
- That all relevant parties will accept the supervision of certification bodies.
- That all relevant parties will accept the jurisdiction of China’s relevant laws and administrative regulations.
- Information clarifying the organizations that bear legal responsibility within China.
- Other obligations stipulated by laws and administrative regulations.
The technical specifications require all parties involved in the cross-border processing of personal information to designate a person to be in charge of personal information protection. This person must have professional knowledge of personal information protection and relevant management work experience, and the role must be held by a member of the organization’s decision-making level.
The person in charge of personal information protection is required to take the following responsibilities:
- Clarifying the main objectives, basic requirements, work tasks, and protection measures of personal information protection.
- Providing human, financial, and material resources for the organization’s personal information protection work to ensure that the required resources are available.
- Guiding and supporting relevant personnel to carry out the personal information protection work of the organization and ensure that the personal information protection work achieves the expected goals.
- Reporting the personal information protection work to the main person in charge of the organization, and continuously improving the personal information protection work.
Personal information protection agencies
The technical specifications clarify the roles and responsibilities of the various organs and persons responsible within the organization that is engaged in the cross-border processing of personal information.
Persons responsible for cross-border processing of personal information
All parties involved in the cross-border processing of personal information are required to set up a personal information protection agency to perform the relevant obligations, such as preventing unauthorized access to personal information and preventing leaks, tampering, and loss of the data.
The agency is also required to undertake a variety of responsibilities with regard to cross-border personal information processing activities. These responsibilities have now been clarified in the technical specifications as:
- Developing and implementing an activity plan for cross-border processing of personal information recognized by all relevant parties.
- Organizing and conducting personal information protection impact assessments, also known as data protection impact assessments (DPIA).
- Supervising the organization’s processing of cross-border personal information in accordance with the personal information processing rules agreed by relevant parties.
- Receiving and processing requests and complaints from personal information subjects.
Stipulating rules for cross-border processing of personal information
In alignment with the PIPL, the technical specifications also outline the specific rules for the cross-border processing of personal information.
As mentioned above, the contract between the different related parties must provide that all relevant parties must abide by consistent rules for the cross-border processing of personal information.
According to the technical specifications, these must include at least the following rules:
- The basic circumstances of the cross-border processing of personal information, including the type of personal information, its sensitivity level, and the volume.
- The purpose for and method of processing the information and scope of the personal information that will be processed.
- The duration of the overseas storage of the personal information and the processing method after the duration has expired.
- The countries or regions to which the personal information will be transferred.
- The resources and measures taken to protect the rights and interests of the personal information subjects.
- Compensation and disposal rules for personal information security incidents.
Data protection impact assessment
Companies engaged in or planning to engage in cross-border processing of personal information are required to carry out a DPIA in order to assess whether they are eligible to conduct overseas processing of personal information. The DPIA must assess whether the provision of the personal information overseas is legal, legitimate, and necessary, whether the necessary protection measures have been implemented, and whether these measures are effective and appropriate for the level of risk to the personal information.
The DPIA must be carried out in accordance with the Information security technology—Guidance for personal information security impact assessment (standard number GB/T 39335), which came into effect in June 2021.
The technical specifications now also clarify that the DPIA must include the following information:
- Whether the provision of personal information overseas complies with laws and administrative regulations.
- The impact on the rights and interests of the users (the subjects of the personal information).
- The impact that the legal and cybersecurity environment in the overseas countries and regions can have on the rights and interests of the users.
- Other matters necessary to safeguard the rights and interests of personal information subjects.
The technical specifications end by reinforcing the rights that the subjects have to their own personal information under the PIPL and other relevant regulations. These include rights that must be granted by the parties involved in the cross-border processing through the contracts that they are required to sign.
Protection of the rights and interests of users
The technical specifications clarify the rights that users have specifically in the case of cross-border processing of their personal information.
They first specify that the subjects of the personal information, most commonly the users of online services, must be made the beneficiaries of the relevant clauses on personal information rights and interests in the legal documents signed by the parties involved in the cross-border processing of personal information. The user also has the right to request that the relevant parties provide a copy of the legal text concerning their rights and interests.
Moreover, users also have the right to:
- Know about and make decisions with regard to the processing of their personal information, and restrict or refuse the processing of their personal information.
- Access, copy, amend, supplement, and delete their personal information from overseas recipients.
- Require parties involved in cross-border processing of their personal information to explain their personal information processing rules.
- Refuse decisions made exclusively by means of automated decision-making.
- Make complaints and reports to the Chinese regulatory authorities.
- Initiate judicial proceedings against relevant parties involved in the cross-border processing of personal information in the court of their habitual residence.
- Other rights stipulated by laws and administrative regulations.
Responsibilities of related parties
The parties involved in the cross-border processing of personal information also have legal obligations toward the users, which include keeping them informed of the personal information processing activity, providing access to the personal information, and ensuring the users have the necessary means to exercise their rights.
According to the technical specifications, the companies involved in data processing are required to inform the users of the basic information of the parties involved through means such as email, instant messaging, mail, and fax. They must also inform them of:
- The purpose of the processing
- The type of information being processed
- The duration for which the personal information will be provided and stored overseas.
The company must then obtain consent from the users.
In addition, the parties involved must also give the users access to their personal information. In the event that a user requests to access, copy, amend, supplement, or delete their personal information, the company must provide it to them in a timely manner. If the company refuses the request, it must explain the reasons and the available means of redress.
It is the domestic party that is responsible for ensuring the conditions for the users to exercise their rights. The domestic party is also responsible for any legal compensation liability in the event that the cross-border processing of personal information damages the rights and interests of the user.
More clarity for multinationals
The new technical specifications provide another piece of the puzzle of China’s data protection and cybersecurity landscape.
The requirements and criteria that companies need to meet in order to transfer personal information overseas have been a matter of considerable concern for foreign companies, and in particular multinationals that regularly need to send data overseas or remotely access data in China in order to conduct normal operations.
The technical specifications offer clarity on a number of steps that companies need to take to comply with the PIPL, such as defining the contents of the contract for cross-border personal information processing and the required scope of conducting a DPIA.
At the same time, they also flesh out China’s personal information protection framework, expanding upon concepts raised in the PIPL and applying them specifically to the cross-border processing and transfer of personal information. The PIPL required companies to appoint a person to be in charge of personal information protection, while the technical specifications require companies to appoint a person to be in charge specifically of cross-border data processing. The technical specifications also define the scope of this person’s responsibilities and obligations to users in clearer terms, thereby providing a clear point of contact for users to take action should they feel their rights have been violated.
Some questions still remain, however. For instance, the PIPL states that companies seeking to transfer over a certain amount of personal information set by the CAC will be required to undergo a cybersecurity review by the CAC. This requirement is also indirectly referenced in the technical specifications, which refer to this article in the PIPL as the basis for the document.
However, the CAC has not yet determined what amount of personal information can be transferred abroad without the need for a security review, or defined in specific terms the requirements for the cybersecurity review for this scenario. A set of draft measures on cybersecurity reviews for data export puts the amount at 1 million users, but these are yet to be finalized and entered into law.
A set of cybersecurity review measures issued by the CAC took effect on February 15, 2022, but these currently only apply to companies that seek to list on overseas stock exchanges, or for companies engaged in data processing activity that may affect national security. While this does include cross-border processing of personal data, the threshold for the amount of personal information that requires a cybersecurity review was also not defined in this document.
China has only begun building up its cybersecurity and data protection regime relatively recently, and it is therefore only natural that some gaps remain in the framework. We do, however, expect the Chinese cybersecurity authorities to clarify these issues in the future and for more guidance and regulation to be released in coming months and years.
In the face of uncertainty, companies are encouraged to maintain close communication with local cybersecurity authorities to ensure compliance wherever possible. Where regulations are not clear, authorities are likely to look favorably upon companies that take a proactive approach to compliance, rather than passively wait for the authorities to enforce it. (Source: china-briefing.com)