Background of the PI Certification Rules
The PRC Personal Information Protection Law (PIPL) incorporates provisions to promote the general certification services on personal information protection, and security certification is one of the permissible legal mechanisms for cross-border data transfer under the PIPL. The purpose of the PI Certification Rules is to provide guidance and clarification on how security certification of personal information should be performed in practice.
Application scope of the PI Certification Rules
The certification of PI will be classified into the following two categories:
(i) Certification for collection, use and processing of PI generally, where the specific national standards entitled Information Security Technology - Personal Information Security Specification (GB/T 35273) should be followed; and
(ii) Certification for cross-border transfer of PI, based on the TC260-PG-20222A standards entitled Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Cross-border Certification Guidelines) and the above-mentioned GB/T 35273 Specification. Please note that a draft version of the new Cross-border Certification Guidelines was released on 8 November 2022 to propose changes including an enlarged application scope. Once enacted, the new version of the Cross-border Certification Guidelines will automatically become the basis of security certification for cross-border data transfer under the PI Certification Rules.
Although, technically speaking, national standards (such as GB/T 35273 and TC260-PG-20222A) are not legally binding legislation in China, the PI Certification Rules make clear that they reflect the detailed legal requirements that the Chinese regulators will refer to when conducting certification and that organisations must comply with in their data processing activities.
PI Certification Rules v. GDPR
The GDPR encourages business organisations to establish data protection certification to demonstrate that their processing operations comply with the GDPR. In addition, organisations not subject to the GDPR can also obtain certification by making binding and enforceable commitments to apply the appropriate safeguards. On 4 June 2019, the European Data Protection Board (EDPB) adopted Version 3.0 of the Guidelines 1/2018 on certification, identifying certification criteria in accordance with Articles 42 and 43 of the GDPR. On 16 June 2022, the EDPB adopted the Guidelines 07/2022 on certification as a tool for transfers (version for public consultation), which complement the Guidelines 1/2018 on certification.
The GDPR and the PI Certification Rules share some similarities. Under both the GDPR and the PI Certification Rules, certification is a voluntary process. Under Chinese data rules, certification applies to general data processing activities and serves as one of the mechanisms for cross-border data transfer in China. Likewise, certification under the GDPR applies to general data protection and provides the appropriate safeguards that justify international data transfer in the absence of an adequate level of protection. There are, however, some subtle differences between the GDPR and the PI Certification Rules. The term of certification under the GDPR is up to three years, while certification under the PI Certification Rules has a fixed term of three years. Certification under the GDPR can be obtained from accredited certification bodies or supervisory authorities, while in China only qualified certification bodies can issue the certification, and it remains to be seen which entities will be qualified certification bodies.