Certification of Cross-border Data Transfers

published on 2 August 2022

by Felix Engelhardt

This article is the first part of the article series Cross-border Data Transfer in China and is dedicated to certification of cross-border data transfers.

Cybersecurity Standard Practice Guide – Authenticating Specification for Cross-border Personal Information Transfer

After soliciting comments from various stakeholders, the final version of the Cybersecurity Standard Practice Guide – Authenticating Specification for Cross-Border Personal Information Transfer ("Guide") was published by the National Information Security Standardization Technical Committee (or TC260) on 24 June 2022 and entered into force on the same day. This document constitutes a voluntary guide for the certification of certain operations of cross-border processing of personal information, namely for

data transfers between related companies as well as
data processing outside China in cases of Article 3(2) PIPL (extraterritorial application).

The first case in particular is of paramount importance for the vast majority of foreign-invested enterprises, as data transfers between the parent company and the subsidiaries or other affiliates account for the majority of international data traffic. On the other hand, the restriction to these two transfer scenarios represents a considerable narrowing of what the corresponding provision in the PIPL provides for (Article 38 PIPL).

The basic requirements for certification are:

Conclusion of a binding contract between the transferor and the recipient of the data with prescribed minimum content;
Appointment of a person responsible for data protection with technical and management experience at decision-making level;
Establishment of organizational structures for data protection;
Data protection impact assessment.

Finally, the guide lists various rights of affected individuals and obligations of the transferor and transferee.

Overall, this Guide provides more confusion than clarity. Neither the body responsible for certification (or criteria for its determination) is named nor is the certification procedure described. The only procedural provision in the Guide concerns the question who may submit the application for certification (namely the party or company domiciled in China). It is also not clear whether the certification is intended to serve as a legal ground for cross-border transfer under Article 38 PIPL, according to which data export is permissible after certification by a specialized institution in accordance with the regulations of the Cyberspace Administration of China ("CAC"). Furthermore, there is no indication in the Guide as to how long a certification, once granted, should be valid. Lastly, the Guide contains some problematic provisions, in particular the inclusion of a provision in the transfer agreement according to which the recipient must agree to the supervision by the competent Chinese supervisory authority.

Outlook and Recommendations

Due to the lack of reference to Article 38 PIPL, it is to be hoped that additional rules will be issued in the near future that regulate both the requirements and the procedure for certification of cross-border data transfer with sufficient clarity and in accordance with higher-ranking law.

Although the Guide alone cannot be used to secure intra-group data transfers between China and abroad, companies can still take something away from it. For example, it is advisable for affiliated companies to enter into data-sharing agreements. The guide provides useful advice on what should be included in such contracts. Furthermore, an internal management and organizational structure should be created with regard to data protection on both sides. The Guide helpfully breaks down what the Chinese supervisory authorities will look for when they take a closer look at the organizational structures and responsibilities of the parties involved.

In the second part of this series, we present the CAC's recently published draft on standard data protection contracts.