2024-2025 Global AI Trends Guide
China's Personal Information Protection Law (PIPL) took effect 1 November 2021, significantly raising the bar for data protection compliance in China.
One of the key concerns is the regulation of international transfers of personal data from China. In addition to obtaining consent from data subjects, organizations must either go through an official security assessment, obtain certification by a specialized body, or enter into standard contractual clauses prescribed by the Cyberspace Administration of China (CAC).1 Until recently these requirements remained unspecified.
On 29 April 2022, the National Information Security Standardization Technical Committee (TC260, an important policy making body under the CAC) issued the Draft Guidance on Network Security Standardized Practice – Technical Specification for Certification of Personal Information Cross-Border Processing Activities, shedding some light on the certification mechanism set forth in the PIPL.
The Draft Guidance on Network Security Standardized Practice – Technical Specification for Certification of Personal Information Cross-Border Processing Activities (Draft Specification) addresses two scenarios in which certification may be pursued as part of international transfer compliance: (i) intra-group data transfers, in which a China-based businesses transfers personal information to an offshore affiliate; and (ii) offshore processing by organizations subject to PIPL’s extraterritorial reach.2
Part (i) of the scope of the Draft Specification suggests that certification will not be a compliance option for cross-border transfers of personal information between unrelated entities (i.e., use of standard contractual clauses will be required in these cases).
By addressing offshore processing, part (ii) of the scope has surprised observers who have been reading PIPL’s Article 38 to only apply to handlers of personal information based in China seeking to provide personal information to other organizations outside of China – not to offshore collection from data subjects by organizations outside of China. Based on the Draft Specification, offshore organizations would need to pursue certification through their China-based representatives appointed pursuant to Article 53 of PIPL, the qualifications and procedures for appointing such China-based representatives have not yet specified.
The Draft Specification elaborates detailed requirements for the certification. Below are key takeaways:
The Draft Specification provides further insights to a key aspect of China’s emerging approach to PIPL implementation: the regulation of international data transfers. This draft, however, raises at least as many questions as it answers.
It is not clear, for example, why transfers between unrelated entities fall outside the scope of certification, which presumably leaves the usage of standard contractual clauses (which are yet to be seen in draft) as the only compliance option in such cases.
More fundamentally, imposing a certification requirement on organizations collecting personal information from abroad seems to be an extraordinary bureaucratic challenge in practice. The legal exposure that local representatives would face once appointed will also create significant friction for compliance efforts.
Whether or not the Draft Specification will see revision remains to be seen. Its release has also heightened the anticipation surrounding the CAC’s standard contractual clauses, which appear to be all the more important given they may be the only compliance option available for international transfers between unrelated entities.
Authored by Mark Parsons, Sherry Gong, and Tong Zhu.