Background of the PI Certification Rules
The PRC Personal Information Protection Law (PIPL) incorporates provisions to promote the general certification services on personal information protection, and security certification is one of the permissible legal mechanisms for cross-border data transfer under the PIPL. The purpose of the PI Certification Rules is to provide guidance and clarification on how security certification of personal information should be performed in practice.
Application scope of the PI Certification Rules
The certification of PI will be classified into the following two categories:
(i) Certification for collection, use and processing of PI generally, where the specific national standards entitled Information Security Technology - Personal Information Security Specification (GB/T 35273) should be followed; and
(ii) Certification for cross-border transfer of PI, based on the TC260-PG-20222A standards entitled Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Cross-border Certification Guidelines) and the above-mentioned GB/T 35273 Specification. Please note that a draft version of the new Cross-border Certification Guidelines was released on 8 November 2022 to propose changes including an enlarged application scope. Once enacted, the new version of the Cross-border Certification Guidelines will automatically become the basis of security certification for cross-border data transfer under the PI Certification Rules.
Although, technically speaking, national standards (such as GB/T 35273 and TC260-PG-20222A) are not legally binding legislation in China, the PI Certification Rules make clear that they indeed reflect the detailed legal requirements that the Chinese regulators will refer to when conducting certification and that organisations must comply with in their data processing activities.
PI Certification Rules v. GDPR
The GDPR encourages business organisations to establish data protection certification to demonstrate compliance with the GDPR processing operations. In addition, organisations not subject to the GDPR can also obtain certification by making binding and enforceable commitments to apply the appropriate safeguards. On 4 June 2019, the European Data Protection Board (EDPB) adopted Version 3.0 of the Guidelines 1/2018 on certification, identifying certification criteria in accordance with Articles 42 and 43 of the GDPR. On 16 June 2022, the EDPB adopted the Guidelines 07/2022 on certification as a tool for transfers (version for public consultation), which complement the Guidelines 1/2018 on certification.
The GDPR and the PI Certification Rules share some similarities. Under the GDPR and the PI Certification Rules, certification is a voluntary process. Under Chinese data rules, certification applies to general data processing activities and serves as one of the mechanisms of cross-border data transfer in China. Likewise, certification under the GDPR applies to general data protection and accounts for the appropriate safeguards to justify international data transfer in the absence of an adequate level of protection. There are, however, some subtle differences between the GDPR and the PI Certification Rules. The term of certification under the GDPR is up to three years, while the certification under the PI Certification Rules has a fixed term of three years. Certification under the GDPR can be obtained from accredited certification bodies or supervisory authorities, while in China, only qualified certification bodies can issue the certification and it remains to be seen what entities will be qualified certification bodies.
The PI certification process
The certification process under the PI Certification Rules includes the following:
- Appointment of a certification institution: A qualified certification institution is engaged to confirm the certification plan based on the type and volume of personal information handled, the scope of personal information handling activities and information on the technical verification agency.
- Methodology of security certification: Security certification takes the form of “technical verification + on-site review + post-certification supervision”.
- Technical verification: A technical verification agency verifies according to the certification plan and issues a technical verification report to the certification institution and the personal data controller.
- On-site review: The certification institution conducts an on-site review and issues a report to the personal data controller.
- Evaluation and approval of certification results: The certification institution makes certification decisions based on the materials provided by the personal data controller, the technical verification report and the on-site review report completed in the steps above. Where the certification requirements are satisfied, the certification institution issues the certification to the personal data controller.
- Post-certification supervision: Following certification, the certification institution conducts continuous supervision of the personal data controller. Certification can be revoked if any irregularities are identified.
Validity and certification marks
The certification is valid for three years and can be renewed if the relevant requirements are satisfied.
There are two types of certification marks: one for the collection, use and processing of PI generally, except for cross-border data transfer, and one specifically for cross-border data transfer.
Certified organisations are allowed to properly use and display the certificate and logo in their marketing and promotional activities.
Looking ahead
The new PI Certification Rules apply with immediate effect. Although certification is not compulsory, personal information controllers and processors are encouraged by the regulators to be certified to firm up the protection of personal information. China’s PIPL provides for three legal mechanisms for cross-border transfer of personal information: CAC-led security assessment, security certification and the Standard Cross-Border Data Transfer Contract (SCCs). Where a particular business scenario involving cross-border data transfer does not trigger the mandatory CAC-led security assessment, certification and China SCCs are expected to take a shorter time. While the China SCCs and Cross-border Certification Guidelines are still not finalised, it is a bit early to speculate on which mechanism ‒ SCCs or certification ‒ may be more efficient in the context of intra-group cross-border transfers. International business organisations should monitor the implementation of the PI Certification Rules in practice and strategise their cross-border data transfer activities accordingly.
From the enforcement perspective, the Chinese authorities have been active in enforcing the PIPL, the Data Security Law and the Cybersecurity Law, and we anticipate that this trend will continue in the coming months and years. The likelihood is high that the Chinese authorities will also refer to the PI Certification Rules and the national standards therein as best practice when conducting compliance investigations to check whether an organisation has complied with the legal requirements in relation to security certification, especially where the PIPL, the Cybersecurity Law and the Data Security Law only contain generic provisions on security certification without detailing how the certification should be implemented in practice.
In view of the above, sufficient importance should be attached to the new PI Certification Rules and the implementation of certification. If you need any assistance from us, please let us know.
Client Alert 2022-384