China data laws are evolving extremely quickly. Certification is one of the legal mechanisms permitted under China’s data laws for cross-border data transfers. Further to Version 1 of the Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Cross-border Certification Guidelines) issued on 24 June 2022, Version 2 of the Cross-border Certification Guidelines was promulgated by China’s National Information Security Standardisation Technical Committee on 16 December 2022, with immediate effect. Although certification under Chinese data laws is voluntary, Chinese regulators expressly encourage companies to adopt the certification mechanism to improve data governance and compliance. The requirements included in Version 2 of the Cross-border Certification Guidelines also function as the guidelines and best industry practices for handling certification in respect of cross-border data transfers, as provided by the Implementation Rules for Personal Information Protection Certification (Implementation Rules), which were issued on 18 November 2022. See our recent article for more detailed information on the Implementation Rules.
Version 2 of the Cross-border Certification Guidelines provides more guidance and clarity on how certification of cross-border data transfers should be performed, and notable highlights are summarised below.
Expanded application scope
Version 1 of the Cross-border Certification Guidelines only applies to cross-border data transfers between group undertakings. Version 2 expands the application scope to cover the transfer of personal data both within and beyond the group, provided the data exporter is an independent and reputable legal entity in good standing. This indicates that Version 2 will benefit numerous data handlers considering the cross-border transfer of personal data to external parties, subject to the threshold of mandatory security assessments. In other words, such entities are likely to be able to transfer personal data, on the basis of the security certification, to foreign recipients that do not belong to the same group undertaking.
Increased protection for data subjects
Version 2 of the Cross-border Certification Guidelines provides increased protection of data subjects’ rights.
Firstly, in addition to the basic information of the parties and the transferred data, the data subjects’ rights and the channel to exercise such rights must be clearly stated in cross-border data transfer agreements. In particular, the data exporter and overseas data importer must specify how liabilities are allocated between themselves, and, in case of any violation of data subjects’ rights, who will assume the liability.
Secondly, the data exporter and the overseas data importer are obliged to cooperate with each other in the event that data subjects exercise their rights. In addition, data subjects may make claims against either the data exporter or overseas data importer for compensation in case of any infringement of their rights.
Thirdly, data protection impact assessments for cross-border data transfers must cover the personal data protection laws in the jurisdiction of the overseas data importer, including (i) whether the data importer has been involved in any data incidents or required by the local authorities to provide any personal data; (ii) any deviation of local data laws from Chinese data laws; (iii) whether the jurisdiction of the overseas data importer is a member of an international personal data protection organisation; and (iv) the data importer’s regime of personal data protection.
Augmented obligations for data exporters and data importers
A reversed burden of proof is imposed on both the data exporter and the data importer, which means that in the event of any claims or challenges raised by data subjects, the data exporter and/or the data importer (as appropriate) must present evidence to show that it has fulfilled its compliance obligations under the applicable laws. This raises the compliance bar for both the data exporter and the data importer.
In addition, both the data exporter and the data importer are obligated to establish a personal information protection department, maintain a record of cross-border data transfer for at least three years and present it to the regulators in China as needed. Among other things, the personal information protection department is responsible for regularly auditing compliance with Chinese data laws.
The data importer must monitor the data protection laws in its jurisdiction. If the legal landscape in its jurisdiction changes such that the requirements of security certification can no longer be satisfied, the data importer is obligated to inform the data exporter and the certification institution immediately. In addition, the data importer must agree that any dispute on the cross-border data transfer will be governed by Chinese law.