Following a consultation, the National Information Security Standardisation Technical Committee of China (colloquially known as ‘TC260’) has issued version 2.0 of the Cybersecurity Standard Practice Guide - Security Certification Specifications for Cross-border Processing of Personal Information (the Certification Guidelines). The Certification Guidelines stipulate the basic principles to be followed in cross-border processing of personal information by personal information processors and overseas recipients.

Certification of cross-border transfers of personal information is an alternative route for cross-border data transfers in cases where a security assessment conducted by the Cyberspace Administration of China (CAC) is not required. A certification is broadly akin to the GDPR’s ‘binding corporate rules’ and will be valid for three years. According to the Certification Guidelines, certification will be available for all cross-border transfers of personal data. Earlier proposals to limit the certification route only to transfers within a multi-national corporation were not adopted in the finalised guidelines.

According to Implementation Rules on Personal Information Protection Certification, in order to qualify for certification, companies will be expected to demonstrate their compliance with the non-binding Personal Information Security Specification and the Certification Guidelines. The Certification Guidelines include requirements, among other things, to:

  • put in place a data transfer agreement (that requires the overseas recipient to comply with PRC laws and to submit to the supervision of the certification body)
  • appoint a DPO and dedicated data protection function
  • carry out a privacy impact assessment (including making an assessment of the overseas recipient’s experience in personal data handling and incident response)
  • retain records of cross-border data processing activities for at least three years.

There has been no announcement yet as to when certification bodies will start accepting applications, and only one such body has been appointed so far, namely the China Cybersecurity Review Technology and Certification Center (CCRC).