China adopts new guidelines for certification of cross-border data transfers

23 December 2022 Reed Smith Client Alerts

Inicio Perspectivas China adopts new guidelines for certification of cross-border data transfers

China data laws are evolving extremely quickly. Certification is one of the legal mechanisms permitted under China’s data laws for cross-border data transfers. Further to Version 1 of the Security Certification Specifications for Handling Cross-Border Transfer of Personal Information (Cross-border Certification Guidelines) issued on 24 June 2022, Version 2 of the Cross-border Certification Guidelines was promulgated by China’s National Information Security Standardisation Technical Committee on 16 December 2022, with immediate effect. Although certification under Chinese data laws is voluntary, Chinese regulators expressly encourage companies to adopt the certification mechanism to improve data governance and compliance. The requirements included in Version 2 of the Cross-border Certification Guidelines also function as the guidelines and best industry practices for handling certification in respect of cross-border data transfers, as provided by the Implementation Rules for Personal Information Protection Certification (Implementation Rules), which were issued on 18 November 2022. See our recent article for more detailed information on the Implementation Rules.

Version 2 of the Cross-border Certification Guidelines provides more guidance and clarity on how certification of cross-border data transfers should be performed, and notable highlights are summarised below.

Autores: Barbara Li Sarah Xiong Amy Yin Asha Sharma Bryan Tan Amaya Zhou

Expanded application scope

Version 1 of the Cross-border Certification Guidelines only applies to cross-border data transfer between group undertakings. Version 2 expands the application scope to cover the transfer of personal data within or beyond the group, provided the data exporter is an independent and reputable legal entity in good standing. This indicates that Version 2 will benefit numerous data handlers considering the cross-border transfer of personal data to external parties, subject to the threshold of mandatory security assessments. In other words, such entities are likely to transfer personal data to foreign recipients that do not belong to the same group undertaking based on the security certification.

Increased protection for data subjects

Version 2 of the Cross-border Certification Guidelines provides increased protection of data subjects’ rights.

Firstly, in addition to the basic information of the parties and the transferred data, the data subjects’ rights and the channel to exercise such rights must be clearly stated in cross-border data transfer agreements. In particular, the data exporter and overseas data importer must specify how liabilities are allocated between themselves, and, in case of any violation of data subjects’ rights, who will assume the liability.

Secondly, the data exporter and the overseas data importer are obliged to cooperate with each other in the event that data subjects exercise their rights. In addition, data subjects may make claims against either the data exporter or overseas data importer for compensation in case of any infringement of their rights.

Thirdly, data protection impact assessments for cross-border data transfers must cover the personal data protection laws in the jurisdiction of the overseas data importer, including (i) whether the data importer has been involved in any data incidents or required by the local authorities to provide any personal data; (ii) any deviation of local data laws from Chinese data laws; (iii) whether the jurisdiction of the overseas data importer is a member of an international personal data protection organisation; and (iv) the data importer’s regime of personal data protection.

Augmented obligations for data exporters and data importers

The reverse burden of proof is imposed on both the data exporter and the data importer, which means that in the event of any claims and challenges raised by data subjects, the data exporter and/or the data importer (as appropriate) must present evidence to show that it has fulfilled its compliance obligations under the applicable laws. This raises the compliance bar for the data exporter and data importer.

In addition, both the data exporter and the data importer are obligated to establish a personal information protection department, maintain a record of cross-border data transfer for at least three years and present it to the regulators in China as needed. Among other things, the personal information protection department is responsible for regularly auditing compliance with Chinese data laws.

The data importer must monitor the data protection laws in its jurisdiction. In case the legal landscape in its jurisdiction changes and makes it impossible to satisfy the requirements of security certification, the data importer is obligated to inform the data exporter and the certification institution immediately. In addition, the data importer must agree that any dispute on the cross-border data transfer will be governed by Chinese laws.

Key takeaways

With the adoption of the Implementation Rules and Version 2 of the Cross-border Certification Guidelines, the certification mechanism for cross-border data transfer has been fully established in China.

Although certification is voluntary and not compulsory, Chinese regulators expressly encourage companies to utilise data certification to firm up their data governance and compliance. Certification may also be used by companies tendering out data projects as a tool to filter unqualified bidders. China's certification mechanism shares some similarities with the certification under the General Data Protection Regulation, but it also has some unique requirements.

Additional contractual, organisational and technical measures are imposed on the data exporter and foreign data recipient. For companies wishing to adopt the certification mechanism for data governance and cross-border data transfer, it is important to take proper compliance steps as soon as possible, including but not limited to:

The cross-border data transfer agreement must be carefully structured to cover the requisite terms and conditions. In particular, the allocation of liabilities between the data exporter and the data importer must be clearly stated in the agreement for the avoidance of any doubt.
Both the data exporter and the data importer must each establish a personal information protection department, for example, by the appointment of a data protection officer, and take necessary measures to ensure that personal data will be processed according to the agreed purpose, method and manner, and they must conduct regular audits on the department’s compliance with Chinese data and cybersecurity laws.
The data exporter and the data importer must work closely together to gather the required information and prepare a transfer impact assessment. Given the volume of information expected, the involvement of data laws of multiple countries and the ongoing monitoring requirements, companies can leverage the expertise of legal advisors who have relevant resources and experience in such countries.
The data importer outside China may wish to seek professional legal support in China to strategise on cross-border data transfers, as well as on any potential disputes, which will be governed by Chinese laws.
The data exporter and foreign data recipient must keep track of all the compliance efforts and full set of documentation to ensure a strong compliance defence.

Client Alert 2022-402

Cheng, Cue named among top lawyers for DeSPAC transactions

Industrias

Servicios

Equipos comerciales

PitchBook: Reed Smith leads on PE transactions in healthcare

You May Be Interested

Cheng, Cue named among top lawyers for DeSPAC transactions

PitchBook: Reed Smith leads on PE transactions in healthcare

Herramientas para compartir contenido